4078eb0da789bd9078293270aa844198df61cee77cf5a1abba384ebaea5a1900

Resubmissions

12/02/2024, 12:09

240212-pbwx1aee93 8

12/02/2024, 12:01

240212-n65b7aed95 8

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 12:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Loader.exe
Size

5.2MB
MD5

91cdbc8e1b2c630d55fd31727f035b0a
SHA1

b259d7de7507c08ac68c138a28179657820fce38
SHA256

ad7421222bcaddd68f3e875f6efa5b2a2c0ad0cfaaa41d52f789d2ece4fdbd96
SHA512

321449dbcab195d6bc55d1051b03ce1b7b83390abe9fbeaa11c5d5e43194b93db96d6f68e672d6318794f206ad2a69e3cf6c873cbfeb46ebd833e3bac1b11ca6
SSDEEP

98304:ly3GH9ciRzVvG949re0yUOOCayngG+FSY8dqVePmNhdHIpq0HhIqgW2htNEkCv5L:ly2dd3GW9q0yUOOhyS8AVePi0ZHhf2ho

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
1892	jvnibiublkun.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Loader.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4340 set thread context of 1860	4340	Loader.exe	98

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
324	sc.exe
2112	sc.exe
3760	sc.exe
4944	sc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4340	Loader.exe
216	powershell.exe
216	powershell.exe
4764	taskmgr.exe
4764	taskmgr.exe
4340	Loader.exe
4340	Loader.exe
4340	Loader.exe
4340	Loader.exe
4764	taskmgr.exe
4764	taskmgr.exe
1860	dialer.exe
1860	dialer.exe
4340	Loader.exe
4340	Loader.exe
1860	dialer.exe
1860	dialer.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
1892	jvnibiublkun.exe
4764	taskmgr.exe
4764	taskmgr.exe
4208	powershell.exe
4208	powershell.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4208	powershell.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
3720	Process not Found
3816	Process not Found
4772	Process not Found
1872	Process not Found
3756	Process not Found
3132	Process not Found
2640	Process not Found
1472	Process not Found
3340	Process not Found
1072	Process not Found
3352	Process not Found
3160	Process not Found
2952	Process not Found
2900	Process not Found
1752	Process not Found
2564	Process not Found
3692	Process not Found
5040	Process not Found
216	Process not Found
3196	Process not Found
456	Process not Found
1768	Process not Found
4188	Process not Found
4712	Process not Found
4300	Process not Found
1976	Process not Found
3800	Process not Found
1492	Process not Found
3636	Process not Found
5080	Process not Found
1032	Process not Found
4556	Process not Found
4992	Process not Found
3940	Process not Found
3880	Process not Found
5100	Process not Found
3964	Process not Found
3452	Process not Found
3492	Process not Found
776	Process not Found
668	Process not Found
4636	Process not Found
1476	Process not Found
4820	Process not Found
5056	Process not Found
4660	Process not Found
1808	Process not Found
3976	Process not Found
716	Process not Found
4952	Process not Found
3152	Process not Found
1468	Process not Found
3972	Process not Found
4768	Process not Found
1628	Process not Found
1264	Process not Found
4860	Process not Found
2088	Process not Found
3548	Process not Found
1196	Process not Found
2532	Process not Found
3176	Process not Found
2808	Process not Found
408	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4764	taskmgr.exe
Token: SeSystemProfilePrivilege	4764	taskmgr.exe
Token: SeCreateGlobalPrivilege	4764	taskmgr.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	1860	dialer.exe
Token: SeDebugPrivilege	4208	powershell.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe
4764	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 1860	4340	Loader.exe	98
PID 4340 wrote to memory of 1860	4340	Loader.exe	98
PID 4340 wrote to memory of 1860	4340	Loader.exe	98
PID 4340 wrote to memory of 1860	4340	Loader.exe	98
PID 4340 wrote to memory of 1860	4340	Loader.exe	98
PID 4340 wrote to memory of 1860	4340	Loader.exe	98
PID 4340 wrote to memory of 1860	4340	Loader.exe	98
PID 4304 wrote to memory of 1636	4304	cmd.exe	104
PID 4304 wrote to memory of 1636	4304	cmd.exe	104
PID 1860 wrote to memory of 584	1860	dialer.exe	3
PID 1860 wrote to memory of 660	1860	dialer.exe	1
PID 1860 wrote to memory of 948	1860	dialer.exe	6
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 1860 wrote to memory of 336	1860	dialer.exe	7
PID 1860 wrote to memory of 436	1860	dialer.exe	9
PID 1860 wrote to memory of 396	1860	dialer.exe	10
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 1860 wrote to memory of 916	1860	dialer.exe	11
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 1860 wrote to memory of 1076	1860	dialer.exe	17
PID 1860 wrote to memory of 1096	1860	dialer.exe	13
PID 1860 wrote to memory of 1104	1860	dialer.exe	14
PID 1860 wrote to memory of 1112	1860	dialer.exe	16
PID 1860 wrote to memory of 1244	1860	dialer.exe	20
PID 1860 wrote to memory of 1256	1860	dialer.exe	22
PID 1860 wrote to memory of 1344	1860	dialer.exe	24
PID 1860 wrote to memory of 1396	1860	dialer.exe	25
PID 1860 wrote to memory of 1408	1860	dialer.exe	26
PID 1860 wrote to memory of 1576	1860	dialer.exe	27
PID 1860 wrote to memory of 1588	1860	dialer.exe	28
PID 1396 wrote to memory of 4276	1396	svchost.exe	293
PID 1396 wrote to memory of 4276	1396	svchost.exe	293
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 1396 wrote to memory of 824	1396	svchost.exe	121
PID 1396 wrote to memory of 824	1396	svchost.exe	121
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 1396 wrote to memory of 3752	1396	svchost.exe	299
PID 1396 wrote to memory of 3752	1396	svchost.exe	299
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 1396 wrote to memory of 1168	1396	svchost.exe	300
PID 1396 wrote to memory of 1168	1396	svchost.exe	300
PID 660 wrote to memory of 2632	660	lsass.exe	48
PID 660 wrote to memory of 2544	660	lsass.exe	46
PID 660 wrote to memory of 2544	660	lsass.exe	46
PID 660 wrote to memory of 2544	660	lsass.exe	46
PID 660 wrote to memory of 2544	660	lsass.exe	46
PID 660 wrote to memory of 2544	660	lsass.exe	46
PID 660 wrote to memory of 2544	660	lsass.exe	46
PID 660 wrote to memory of 2544	660	lsass.exe	46
PID 660 wrote to memory of 2544	660	lsass.exe	46
PID 660 wrote to memory of 2544	660	lsass.exe	46
PID 660 wrote to memory of 2544	660	lsass.exe	46
PID 660 wrote to memory of 2544	660	lsass.exe	46
PID 1396 wrote to memory of 4472	1396	svchost.exe	331
PID 1396 wrote to memory of 4472	1396	svchost.exe	331

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:584
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4276
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:824
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3752
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1168
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4472
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2544

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1636
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1860
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "TAHEZVWB"
  2⤵
  - Launches sc.exe
  PID:324
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "TAHEZVWB" binpath= "C:\ProgramData\qnhyucoezfmo\jvnibiublkun.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2112
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "TAHEZVWB"
  2⤵
  - Launches sc.exe
  PID:3760
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:4944

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4764

C:\ProgramData\qnhyucoezfmo\jvnibiublkun.exe
C:\ProgramData\qnhyucoezfmo\jvnibiublkun.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1892
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4208

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000124 00000088
1⤵
PID:4276

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000088
1⤵
PID:3752

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000d8 00000088
1⤵
PID:1168

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 00000088
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qnhyucoezfmo\jvnibiublkun.exe

Filesize
2.6MB

MD5
168f224af2f19a9518daa6931a365891

SHA1
1363dbba5f0c42a9100bd51bdd005db3c16620bc

SHA256
1bd69c832f5b5b640f680dab57b247c295c01394ba159d0fcb43c49be8407a50

SHA512
9fe86b31cb90eae0374ed71c306cba5ef045623c25a0b93cfb3866f629a902d70ed1acba9a3f939bae97e300de59c755461c0c886d6a670cf2e7c3234815f266

Download Submit
C:\ProgramData\qnhyucoezfmo\jvnibiublkun.exe

Filesize
64KB

MD5
d34b36e29ad9b1cd673e3dc6d0185578

SHA1
2705e0427fa723c680ac340e372da8079d3c6a95

SHA256
141a91fcc9f80aa11258abd8caca9134f39d674009737790704ef6984abb191f

SHA512
0e1091e8229c92ea8338fcbc9915d26f0432c4a5203f8d0ae5900b64cfc0e82bb53fb924c26c6bf2d9d60358d33ea45365bbd887ae0fe0102731661a645be7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jnzxese5.mm5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
151KB

MD5
3f0f51c259319ca07004df353c61c599

SHA1
5c48fc4a3e0f359cb53102aa464bb4c06a1d4ccb

SHA256
fff4c1a1952de64498d3944926a4344f75529fecb762159c63f69425b9ecb074

SHA512
e6f5e80a4b028520f25f60297ea3e7d3b0abdf5cc15d8bc580f36454ba17c2fb45ea9d29eb3453c17d2808946d776bc8782bb5a2dd1c47cc1c2206298463afe2

Download Submit
memory/216-29-0x00007FFF780C0000-0x00007FFF78B81000-memory.dmp

Filesize
10.8MB

Download
memory/216-26-0x000001EE6CBE0000-0x000001EE6CBF0000-memory.dmp

Filesize
64KB

Download
memory/216-25-0x000001EE6CBE0000-0x000001EE6CBF0000-memory.dmp

Filesize
64KB

Download
memory/216-13-0x000001EE6CFF0000-0x000001EE6D012000-memory.dmp

Filesize
136KB

Download
memory/216-14-0x00007FFF780C0000-0x00007FFF78B81000-memory.dmp

Filesize
10.8MB

Download
memory/216-21-0x000001EE6CBE0000-0x000001EE6CBF0000-memory.dmp

Filesize
64KB

Download
memory/336-54-0x000001914FBC0000-0x000001914FBEB000-memory.dmp

Filesize
172KB

Download
memory/336-151-0x000001914FBC0000-0x000001914FBEB000-memory.dmp

Filesize
172KB

Download
memory/336-70-0x000001914FBC0000-0x000001914FBEB000-memory.dmp

Filesize
172KB

Download
memory/396-68-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/396-74-0x0000015152340000-0x000001515236B000-memory.dmp

Filesize
172KB

Download
memory/396-64-0x0000015152340000-0x000001515236B000-memory.dmp

Filesize
172KB

Download
memory/436-63-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/436-73-0x000001B856FB0000-0x000001B856FDB000-memory.dmp

Filesize
172KB

Download
memory/436-61-0x000001B856FB0000-0x000001B856FDB000-memory.dmp

Filesize
172KB

Download
memory/584-42-0x00000222F8400000-0x00000222F8424000-memory.dmp

Filesize
144KB

Download
memory/584-48-0x00007FFF98A8D000-0x00007FFF98A8E000-memory.dmp

Filesize
4KB

Download
memory/584-128-0x00000222F8460000-0x00000222F848B000-memory.dmp

Filesize
172KB

Download
memory/584-51-0x00007FFF98A8F000-0x00007FFF98A90000-memory.dmp

Filesize
4KB

Download
memory/584-45-0x00000222F8460000-0x00000222F848B000-memory.dmp

Filesize
172KB

Download
memory/660-56-0x0000026DC5D70000-0x0000026DC5D9B000-memory.dmp

Filesize
172KB

Download
memory/660-46-0x0000026DC5D70000-0x0000026DC5D9B000-memory.dmp

Filesize
172KB

Download
memory/660-49-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/660-62-0x00007FFF98A8F000-0x00007FFF98A90000-memory.dmp

Filesize
4KB

Download
memory/660-59-0x00007FFF98A8D000-0x00007FFF98A8E000-memory.dmp

Filesize
4KB

Download
memory/916-78-0x0000024682A00000-0x0000024682A2B000-memory.dmp

Filesize
172KB

Download
memory/916-84-0x0000024682A00000-0x0000024682A2B000-memory.dmp

Filesize
172KB

Download
memory/916-82-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/916-177-0x0000024682A00000-0x0000024682A2B000-memory.dmp

Filesize
172KB

Download
memory/948-66-0x00000204F1D20000-0x00000204F1D4B000-memory.dmp

Filesize
172KB

Download
memory/948-72-0x00007FFF98A8C000-0x00007FFF98A8D000-memory.dmp

Filesize
4KB

Download
memory/948-57-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/948-53-0x00000204F1D20000-0x00000204F1D4B000-memory.dmp

Filesize
172KB

Download
memory/1076-88-0x000002CA40B70000-0x000002CA40B9B000-memory.dmp

Filesize
172KB

Download
memory/1076-81-0x000002CA40B70000-0x000002CA40B9B000-memory.dmp

Filesize
172KB

Download
memory/1076-85-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/1076-179-0x000002CA40B70000-0x000002CA40B9B000-memory.dmp

Filesize
172KB

Download
memory/1096-102-0x000001D6A9E90000-0x000001D6A9EBB000-memory.dmp

Filesize
172KB

Download
memory/1096-93-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/1096-90-0x000001D6A9E90000-0x000001D6A9EBB000-memory.dmp

Filesize
172KB

Download
memory/1104-92-0x000002792CE30000-0x000002792CE5B000-memory.dmp

Filesize
172KB

Download
memory/1104-182-0x000002792CE30000-0x000002792CE5B000-memory.dmp

Filesize
172KB

Download
memory/1104-94-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/1112-99-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/1112-96-0x000001CCCE570000-0x000001CCCE59B000-memory.dmp

Filesize
172KB

Download
memory/1112-184-0x000001CCCE570000-0x000001CCCE59B000-memory.dmp

Filesize
172KB

Download
memory/1244-115-0x0000023AFC880000-0x0000023AFC8AB000-memory.dmp

Filesize
172KB

Download
memory/1244-253-0x0000023AFC880000-0x0000023AFC8AB000-memory.dmp

Filesize
172KB

Download
memory/1256-254-0x00000174A7A90000-0x00000174A7ABB000-memory.dmp

Filesize
172KB

Download
memory/1256-118-0x00000174A7A90000-0x00000174A7ABB000-memory.dmp

Filesize
172KB

Download
memory/1344-125-0x0000020F92330000-0x0000020F9235B000-memory.dmp

Filesize
172KB

Download
memory/1344-255-0x0000020F92330000-0x0000020F9235B000-memory.dmp

Filesize
172KB

Download
memory/1396-256-0x0000021CA6EE0000-0x0000021CA6F0B000-memory.dmp

Filesize
172KB

Download
memory/1396-132-0x0000021CA6EE0000-0x0000021CA6F0B000-memory.dmp

Filesize
172KB

Download
memory/1408-138-0x000002A034170000-0x000002A03419B000-memory.dmp

Filesize
172KB

Download
memory/1408-257-0x000002A034170000-0x000002A03419B000-memory.dmp

Filesize
172KB

Download
memory/1576-155-0x000001B4CB9B0000-0x000001B4CB9DB000-memory.dmp

Filesize
172KB

Download
memory/1588-157-0x000001DABFBD0000-0x000001DABFBFB000-memory.dmp

Filesize
172KB

Download
memory/1860-31-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1860-30-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1860-32-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1860-38-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1860-37-0x00007FFF98270000-0x00007FFF9832E000-memory.dmp

Filesize
760KB

Download
memory/1860-36-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-35-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1860-33-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4208-242-0x0000014DAF540000-0x0000014DAF55A000-memory.dmp

Filesize
104KB

Download
memory/4208-185-0x0000014DAF0B0000-0x0000014DAF0BA000-memory.dmp

Filesize
40KB

Download
memory/4208-252-0x00007FFF775A0000-0x00007FFF78061000-memory.dmp

Filesize
10.8MB

Download
memory/4208-80-0x0000014DAEEA0000-0x0000014DAEEB0000-memory.dmp

Filesize
64KB

Download
memory/4208-172-0x00007FF433AB0000-0x00007FF433AC0000-memory.dmp

Filesize
64KB

Download
memory/4208-173-0x0000014DAF2E0000-0x0000014DAF2FC000-memory.dmp

Filesize
112KB

Download
memory/4208-174-0x0000014DAF300000-0x0000014DAF3B5000-memory.dmp

Filesize
724KB

Download
memory/4208-77-0x00007FFF775A0000-0x00007FFF78061000-memory.dmp

Filesize
10.8MB

Download
memory/4208-249-0x0000014DAEEA0000-0x0000014DAEEB0000-memory.dmp

Filesize
64KB

Download
memory/4208-248-0x0000014DAF530000-0x0000014DAF53A000-memory.dmp

Filesize
40KB

Download
memory/4208-246-0x0000014DAF520000-0x0000014DAF526000-memory.dmp

Filesize
24KB

Download
memory/4208-244-0x0000014DAF0D0000-0x0000014DAF0D8000-memory.dmp

Filesize
32KB

Download
memory/4208-176-0x00007FFF775A0000-0x00007FFF78061000-memory.dmp

Filesize
10.8MB

Download
memory/4208-153-0x0000014DAEEA0000-0x0000014DAEEB0000-memory.dmp

Filesize
64KB

Download
memory/4208-194-0x0000014DAF500000-0x0000014DAF51C000-memory.dmp

Filesize
112KB

Download
memory/4208-237-0x0000014DAF0C0000-0x0000014DAF0CA000-memory.dmp

Filesize
40KB

Download
memory/4208-100-0x0000014DAEEA0000-0x0000014DAEEB0000-memory.dmp

Filesize
64KB

Download
memory/4764-9-0x000001B3196C0000-0x000001B3196C1000-memory.dmp

Filesize
4KB

Download
memory/4764-10-0x000001B3196C0000-0x000001B3196C1000-memory.dmp

Filesize
4KB

Download
memory/4764-11-0x000001B3196C0000-0x000001B3196C1000-memory.dmp

Filesize
4KB

Download
memory/4764-12-0x000001B3196C0000-0x000001B3196C1000-memory.dmp

Filesize
4KB

Download
memory/4764-0-0x000001B3196C0000-0x000001B3196C1000-memory.dmp

Filesize
4KB

Download
memory/4764-8-0x000001B3196C0000-0x000001B3196C1000-memory.dmp

Filesize
4KB

Download
memory/4764-7-0x000001B3196C0000-0x000001B3196C1000-memory.dmp

Filesize
4KB

Download
memory/4764-6-0x000001B3196C0000-0x000001B3196C1000-memory.dmp

Filesize
4KB

Download
memory/4764-2-0x000001B3196C0000-0x000001B3196C1000-memory.dmp

Filesize
4KB

Download
memory/4764-1-0x000001B3196C0000-0x000001B3196C1000-memory.dmp

Filesize
4KB

Download