meshagent | 9de4cdfbc6ea911a5c46feeaf8ec5cebef99ff9e3fe0789798d9eb8103560817

Analysis

max time kernel
30s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20241007-fr
resource tags

arch:x64arch:x86image:win10v2004-20241007-frlocale:fr-fros:windows10-2004-x64systemwindows
submitted
03/12/2024, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trmm-techniquepc-marseille-server-amd64.exe
Size

5.0MB
MD5

d688de20751030ba2fb80c7c081ee6ce
SHA1

348a9a7efd476efb7f5c0ca6810692662a5df959
SHA256

9de4cdfbc6ea911a5c46feeaf8ec5cebef99ff9e3fe0789798d9eb8103560817
SHA512

21ea43be0a24ccb2e4d760e0433de22f20019acf70a4431e0e98ca1161ba436f156da26c8e9bef768cad75cd5ce9c0c015366c4d0865313c2b5cb98ad4942b74
SSDEEP

49152:N0dV40e2i1Urb/TcvO90d7HjmAFd4A64nsfJCFgH1bmpbz+p8ZmbXiPZkcR+iy5h:ue2i1LGEnZswkcc9E/+ev2

Score

10^/10

meshagent tacticalrmm backdoor discovery evasion execution persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

TacticalRMM

http://mesh.technique-pc.fr:443/agent.ashx

Attributes

mesh_id
0x16E0F1CB5B4BA4DDFE30A17FF5FD1BE16DBDA9308E4F71A0F420ABA9C690ACB868F7524DB40934EC2462590125D8F61F
server_id
58CCE4E2C0143714844002334586A082CB580F81BEA2CAB66BAEB5B08D334DF97FCB43422526EC765508EC51B0D098E5
wss
wss://mesh.technique-pc.fr:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b48-28.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 8 IoCs

pid	Process
2808	tacticalagent-v2.8.0-windows-amd64.exe
2812	tacticalagent-v2.8.0-windows-amd64.tmp
2648	tacticalrmm.exe
4888	tacticalrmm.exe
4540	meshagent.exe
2104	MeshAgent.exe
3160	MeshAgent.exe
3360	tacticalrmm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ole32.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\7B2FE4D52D6401C07824D634E1C0D1F1D10B72BF	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\303BC6E288390BB9396BE71EC8FEC012C988729A	MeshAgent.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\7B2FE4D52D6401C07824D634E1C0D1F1D10B72BF	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\combase.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\3BBC8084AB2F54F91C9E5F6CFB5B4C4C237E3D96	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\303BC6E288390BB9396BE71EC8FEC012C988729A	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ole32.pdb	MeshAgent.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\TacticalAgent\is-81B3Q.tmp	tacticalagent-v2.8.0-windows-amd64.tmp
File opened for modification	C:\Program Files\TacticalAgent\unins000.dat	tacticalagent-v2.8.0-windows-amd64.tmp
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\meshagent.exe	tacticalrmm.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\TacticalAgent\unins000.dat	tacticalagent-v2.8.0-windows-amd64.tmp
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\TacticalAgent\is-6M1FM.tmp	tacticalagent-v2.8.0-windows-amd64.tmp

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2692	sc.exe
4784	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3416	powershell.exe
1064	powershell.exe
4960	powershell.exe
4904	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3336	cmd.exe
5112	PING.EXE
2624	cmd.exe
4464	PING.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
1804	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MeshAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	trmm-techniquepc-marseille-server-amd64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	trmm-techniquepc-marseille-server-amd64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	trmm-techniquepc-marseille-server-amd64.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4464	PING.EXE
5112	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2648	tacticalrmm.exe
4888	tacticalrmm.exe
3416	powershell.exe
3416	powershell.exe
1064	powershell.exe
1064	powershell.exe
4960	powershell.exe
4960	powershell.exe
4904	powershell.exe
4904	powershell.exe
4888	tacticalrmm.exe
4888	tacticalrmm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	2648	tacticalrmm.exe
Token: SeDebugPrivilege	4888	tacticalrmm.exe
Token: SeAssignPrimaryTokenPrivilege	5000	wmic.exe
Token: SeIncreaseQuotaPrivilege	5000	wmic.exe
Token: SeSecurityPrivilege	5000	wmic.exe
Token: SeTakeOwnershipPrivilege	5000	wmic.exe
Token: SeLoadDriverPrivilege	5000	wmic.exe
Token: SeSystemtimePrivilege	5000	wmic.exe
Token: SeBackupPrivilege	5000	wmic.exe
Token: SeRestorePrivilege	5000	wmic.exe
Token: SeShutdownPrivilege	5000	wmic.exe
Token: SeSystemEnvironmentPrivilege	5000	wmic.exe
Token: SeUndockPrivilege	5000	wmic.exe
Token: SeManageVolumePrivilege	5000	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	5000	wmic.exe
Token: SeIncreaseQuotaPrivilege	5000	wmic.exe
Token: SeSecurityPrivilege	5000	wmic.exe
Token: SeTakeOwnershipPrivilege	5000	wmic.exe
Token: SeLoadDriverPrivilege	5000	wmic.exe
Token: SeSystemtimePrivilege	5000	wmic.exe
Token: SeBackupPrivilege	5000	wmic.exe
Token: SeRestorePrivilege	5000	wmic.exe
Token: SeShutdownPrivilege	5000	wmic.exe
Token: SeSystemEnvironmentPrivilege	5000	wmic.exe
Token: SeUndockPrivilege	5000	wmic.exe
Token: SeManageVolumePrivilege	5000	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4680	wmic.exe
Token: SeIncreaseQuotaPrivilege	4680	wmic.exe
Token: SeSecurityPrivilege	4680	wmic.exe
Token: SeTakeOwnershipPrivilege	4680	wmic.exe
Token: SeLoadDriverPrivilege	4680	wmic.exe
Token: SeSystemtimePrivilege	4680	wmic.exe
Token: SeBackupPrivilege	4680	wmic.exe
Token: SeRestorePrivilege	4680	wmic.exe
Token: SeShutdownPrivilege	4680	wmic.exe
Token: SeSystemEnvironmentPrivilege	4680	wmic.exe
Token: SeUndockPrivilege	4680	wmic.exe
Token: SeManageVolumePrivilege	4680	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4680	wmic.exe
Token: SeIncreaseQuotaPrivilege	4680	wmic.exe
Token: SeSecurityPrivilege	4680	wmic.exe
Token: SeTakeOwnershipPrivilege	4680	wmic.exe
Token: SeLoadDriverPrivilege	4680	wmic.exe
Token: SeSystemtimePrivilege	4680	wmic.exe
Token: SeBackupPrivilege	4680	wmic.exe
Token: SeRestorePrivilege	4680	wmic.exe
Token: SeShutdownPrivilege	4680	wmic.exe
Token: SeSystemEnvironmentPrivilege	4680	wmic.exe
Token: SeUndockPrivilege	4680	wmic.exe
Token: SeManageVolumePrivilege	4680	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4368	wmic.exe
Token: SeIncreaseQuotaPrivilege	4368	wmic.exe
Token: SeSecurityPrivilege	4368	wmic.exe
Token: SeTakeOwnershipPrivilege	4368	wmic.exe
Token: SeLoadDriverPrivilege	4368	wmic.exe
Token: SeSystemtimePrivilege	4368	wmic.exe
Token: SeBackupPrivilege	4368	wmic.exe
Token: SeRestorePrivilege	4368	wmic.exe
Token: SeShutdownPrivilege	4368	wmic.exe
Token: SeSystemEnvironmentPrivilege	4368	wmic.exe
Token: SeUndockPrivilege	4368	wmic.exe
Token: SeManageVolumePrivilege	4368	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4368	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2812	tacticalagent-v2.8.0-windows-amd64.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 2808	3964	trmm-techniquepc-marseille-server-amd64.exe	83
PID 3964 wrote to memory of 2808	3964	trmm-techniquepc-marseille-server-amd64.exe	83
PID 3964 wrote to memory of 2808	3964	trmm-techniquepc-marseille-server-amd64.exe	83
PID 2808 wrote to memory of 2812	2808	tacticalagent-v2.8.0-windows-amd64.exe	84
PID 2808 wrote to memory of 2812	2808	tacticalagent-v2.8.0-windows-amd64.exe	84
PID 2808 wrote to memory of 2812	2808	tacticalagent-v2.8.0-windows-amd64.exe	84
PID 2812 wrote to memory of 2624	2812	tacticalagent-v2.8.0-windows-amd64.tmp	85
PID 2812 wrote to memory of 2624	2812	tacticalagent-v2.8.0-windows-amd64.tmp	85
PID 2812 wrote to memory of 2624	2812	tacticalagent-v2.8.0-windows-amd64.tmp	85
PID 2624 wrote to memory of 4464	2624	cmd.exe	87
PID 2624 wrote to memory of 4464	2624	cmd.exe	87
PID 2624 wrote to memory of 4464	2624	cmd.exe	87
PID 2624 wrote to memory of 2740	2624	cmd.exe	88
PID 2624 wrote to memory of 2740	2624	cmd.exe	88
PID 2624 wrote to memory of 2740	2624	cmd.exe	88
PID 2740 wrote to memory of 4412	2740	net.exe	89
PID 2740 wrote to memory of 4412	2740	net.exe	89
PID 2740 wrote to memory of 4412	2740	net.exe	89
PID 2812 wrote to memory of 4296	2812	tacticalagent-v2.8.0-windows-amd64.tmp	90
PID 2812 wrote to memory of 4296	2812	tacticalagent-v2.8.0-windows-amd64.tmp	90
PID 2812 wrote to memory of 4296	2812	tacticalagent-v2.8.0-windows-amd64.tmp	90
PID 4296 wrote to memory of 5032	4296	cmd.exe	92
PID 4296 wrote to memory of 5032	4296	cmd.exe	92
PID 4296 wrote to memory of 5032	4296	cmd.exe	92
PID 5032 wrote to memory of 3472	5032	net.exe	93
PID 5032 wrote to memory of 3472	5032	net.exe	93
PID 5032 wrote to memory of 3472	5032	net.exe	93
PID 2812 wrote to memory of 3336	2812	tacticalagent-v2.8.0-windows-amd64.tmp	94
PID 2812 wrote to memory of 3336	2812	tacticalagent-v2.8.0-windows-amd64.tmp	94
PID 2812 wrote to memory of 3336	2812	tacticalagent-v2.8.0-windows-amd64.tmp	94
PID 3336 wrote to memory of 5112	3336	cmd.exe	96
PID 3336 wrote to memory of 5112	3336	cmd.exe	96
PID 3336 wrote to memory of 5112	3336	cmd.exe	96
PID 3336 wrote to memory of 1408	3336	cmd.exe	97
PID 3336 wrote to memory of 1408	3336	cmd.exe	97
PID 3336 wrote to memory of 1408	3336	cmd.exe	97
PID 1408 wrote to memory of 3140	1408	net.exe	98
PID 1408 wrote to memory of 3140	1408	net.exe	98
PID 1408 wrote to memory of 3140	1408	net.exe	98
PID 2812 wrote to memory of 1080	2812	tacticalagent-v2.8.0-windows-amd64.tmp	99
PID 2812 wrote to memory of 1080	2812	tacticalagent-v2.8.0-windows-amd64.tmp	99
PID 2812 wrote to memory of 1080	2812	tacticalagent-v2.8.0-windows-amd64.tmp	99
PID 1080 wrote to memory of 1804	1080	cmd.exe	101
PID 1080 wrote to memory of 1804	1080	cmd.exe	101
PID 1080 wrote to memory of 1804	1080	cmd.exe	101
PID 2812 wrote to memory of 3836	2812	tacticalagent-v2.8.0-windows-amd64.tmp	103
PID 2812 wrote to memory of 3836	2812	tacticalagent-v2.8.0-windows-amd64.tmp	103
PID 2812 wrote to memory of 3836	2812	tacticalagent-v2.8.0-windows-amd64.tmp	103
PID 3836 wrote to memory of 2692	3836	cmd.exe	105
PID 3836 wrote to memory of 2692	3836	cmd.exe	105
PID 3836 wrote to memory of 2692	3836	cmd.exe	105
PID 2812 wrote to memory of 4856	2812	tacticalagent-v2.8.0-windows-amd64.tmp	106
PID 2812 wrote to memory of 4856	2812	tacticalagent-v2.8.0-windows-amd64.tmp	106
PID 2812 wrote to memory of 4856	2812	tacticalagent-v2.8.0-windows-amd64.tmp	106
PID 4856 wrote to memory of 4784	4856	cmd.exe	108
PID 4856 wrote to memory of 4784	4856	cmd.exe	108
PID 4856 wrote to memory of 4784	4856	cmd.exe	108
PID 2812 wrote to memory of 1216	2812	tacticalagent-v2.8.0-windows-amd64.tmp	109
PID 2812 wrote to memory of 1216	2812	tacticalagent-v2.8.0-windows-amd64.tmp	109
PID 2812 wrote to memory of 1216	2812	tacticalagent-v2.8.0-windows-amd64.tmp	109
PID 1216 wrote to memory of 2648	1216	cmd.exe	111
PID 1216 wrote to memory of 2648	1216	cmd.exe	111
PID 2812 wrote to memory of 2728	2812	tacticalagent-v2.8.0-windows-amd64.tmp	112
PID 2812 wrote to memory of 2728	2812	tacticalagent-v2.8.0-windows-amd64.tmp	112

C:\Users\Admin\AppData\Local\Temp\trmm-techniquepc-marseille-server-amd64.exe
"C:\Users\Admin\AppData\Local\Temp\trmm-techniquepc-marseille-server-amd64.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3964
- C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
  C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\is-I3A11.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-I3A11.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$E010C,3660179,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4464
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrpc
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrpc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net stop tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalagent
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5032
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalagent
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5112
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM tacticalrmm.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3836
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalagent
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalrpc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4784
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c tacticalrmm.exe -m installsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1216
    - - C:\Program Files\TacticalAgent\tacticalrmm.exe
        
        tacticalrmm.exe -m installsvc
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net start tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      PID:2728
    - - C:\Windows\SysWOW64\net.exe
        
        net start tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.technique-pc.fr --client-id 1 --site-id 1 --agent-type server --auth 4597e77afbed888fa9d63e97397f09a591a459c8997484675786c84083f7f04e
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- - C:\Program Files\TacticalAgent\meshagent.exe
    "C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4540
- - C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
    3⤵
    - Executes dropped EXE
    PID:3160

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2104
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:3404
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:3504
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:1428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:888
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:3868
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:3388
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:3660

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
1⤵
- Executes dropped EXE
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db.tmp

Filesize
153KB

MD5
4e5b1a61ab334aa64f672b6734f1f62d

SHA1
bc413a7fb1510857f639ece7cdb1e89f230f5dfc

SHA256
c98521e060414ea8a7e00c353da3de625a85b22e8c132998709f04836e9c138b

SHA512
79b3a56bb7ece1597cca7a6f7bc64f82a056e717a7f55ce09f87191a9a96f3f99c687aeef410d8a4ebafd0ced6ac523a0af53e51146090d4724304aa5f44aa31

Download Submit
C:\Program Files\TacticalAgent\meshagent.exe

Filesize
3.3MB

MD5
cd927d7b1239092bd3def1c83692be03

SHA1
65dcd1332338464347c99e5cb5658cf84b0330e5

SHA256
dab3a014fed11cac83e4ab92c3e82be20ca8b12becaa5ee4409e73fdc0ae76e7

SHA512
b53dcbfde2d0614c00b2e7253c938e7c4ff3703024534cd1a0cbfa43aa2e848fbbc328ab3bc6f40ba3060fc9170cbf57e33cb3677d61327e291789bd9e756f71

Download Submit
C:\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
3.6MB

MD5
250df3a793c8ba4c155fa4c6045bdcd0

SHA1
4049fd764bb5b2db09751652ebb384b070ed54e4

SHA256
20d46cb97105f952ad306f1e545a71117978718f7d67cce45a426f9a3ca726a8

SHA512
a0ad46db83a237ed13f95598fd4aa788abea8080c60036b983dd0066b4d756361f38de08aa4423aa326114e1cf0e30914d1071571437754598d4fa653f8e81cf

Download Submit
C:\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
9.2MB

MD5
bb383b7c3d5e4acb1001ab099b5b0f3c

SHA1
cb0c85f84a454aa4b1aab02bfba47c4355c2311e

SHA256
a6d3159c858aa3704f35d69b27829618ad0d1bae894c848a5233100c17464f95

SHA512
157dda96d1cacea55a6be27b9d432225b47d7334e664e577cef82a14c7eb1be1b8b84423b3905a4c1caecb5394be264d9b5c3e32109a4893e51a9d406ce740be

Download Submit
C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

Filesize
4.3MB

MD5
2f046950e65922336cd83bf0dbc9de33

SHA1
ddc64a8b21c8146c93c0b19c1eeb0ef784b980c6

SHA256
412e1f600251b21911c582e69381f677e663231f5e1d10786d88a026e00ea811

SHA512
a11cbf8b8b692d2d5a0e3af5a97f91a3d1f3e7aa39966eb7d62b3244b3913f2fdc21823d5c94de0d98e579f801709df44433af91567356361d5d9699a93b2cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I3A11.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

Filesize
3.0MB

MD5
a639312111d278fee4f70299c134d620

SHA1
6144ca6e18a5444cdb9b633a6efee67aff931115

SHA256
4b0be5167a31a77e28e3f0a7c83c9d289845075b51e70691236603b1083649df

SHA512
f47f01d072ff9ed42f5b36600ddfc344a6a4b967c1b671ffc0e76531e360bfd55a1a9950305ad33f7460f3f5dd8953e317b108cd434f2db02987fa018d57437c

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_gzoil421.mok.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
94eaa510e77fa7f7cda2c021154365e1

SHA1
d1f0761d4201658ba12d427f0c5bae9131e12725

SHA256
d78ba051fe6068938be6f937614d33a7981a666227daa84c5dd5a2c8574660f9

SHA512
0138c6d0bda836948119b8b54fa84e49b3c659f6e76454c82d830fbd6fc386be7d113b4ff9c71c090b82fdb0b562e9c3cb175f55fc4e5b250cdd2eb1d53bd0a1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
641f0f4af3992107adf4240f7edb7e93

SHA1
4fc860139f9a15e5cc61f67e04fe70086e77f146

SHA256
18ebd850665da22f2f5a0be926a249549ed72bbb4ade91b9fb1765ecd8b1386b

SHA512
92e6739bd55aa90c101e573591fbfad359bdda03c3a4a46d32d00c4b11f0813af5c1f78cfd2d5ffb0263a0397b5cdb11cf81b701435e6895d20a0d261be81ea9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2c0bdf06d302688498d4e7f9cd669ab5

SHA1
18186323d93499e03f737f137b4ad795eb7f470b

SHA256
86cd6b95819282eee4bd6c900b27ebeddf453a90a9f6147978e9137479f36bd6

SHA512
f8f02ab1cb6906975695369183d00d7f25ec4c54c40aba5ac0a1f42312c5eff5a6774a8e84c3357415555405f7e9754deebe8335dd1fdcf693137ab044cc18fe

Download Submit
memory/1064-106-0x0000015FCCBA0000-0x0000015FCCBBA000-memory.dmp

Filesize
104KB

Download
memory/1064-105-0x0000015FCCA00000-0x0000015FCCA0A000-memory.dmp

Filesize
40KB

Download
memory/1064-109-0x0000015FCCA50000-0x0000015FCCA5A000-memory.dmp

Filesize
40KB

Download
memory/1064-108-0x0000015FCCA40000-0x0000015FCCA46000-memory.dmp

Filesize
24KB

Download
memory/1064-107-0x0000015FCCA10000-0x0000015FCCA18000-memory.dmp

Filesize
32KB

Download
memory/1064-101-0x0000015FCC9E0000-0x0000015FCC9FC000-memory.dmp

Filesize
112KB

Download
memory/1064-102-0x0000015FCCAE0000-0x0000015FCCB95000-memory.dmp

Filesize
724KB

Download
memory/1064-103-0x0000015FCA510000-0x0000015FCA51A000-memory.dmp

Filesize
40KB

Download
memory/1064-104-0x0000015FCCA20000-0x0000015FCCA3C000-memory.dmp

Filesize
112KB

Download
memory/2808-24-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2808-3-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2808-6-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2812-23-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2812-10-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3416-68-0x000002A86D190000-0x000002A86D206000-memory.dmp

Filesize
472KB

Download
memory/3416-57-0x000002A86CC00000-0x000002A86CC22000-memory.dmp

Filesize
136KB

Download
memory/3416-67-0x000002A86D0C0000-0x000002A86D104000-memory.dmp

Filesize
272KB

Download
memory/4904-153-0x000002374A930000-0x000002374A9E5000-memory.dmp

Filesize
724KB

Download
memory/4904-154-0x000002374A9F0000-0x000002374AA1A000-memory.dmp

Filesize
168KB

Download
memory/4904-155-0x000002374A9F0000-0x000002374AA14000-memory.dmp

Filesize
144KB

Download