glupteba | 93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb

Analysis

max time kernel
109s
max time network
190s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-05-2024 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Size

405KB
MD5

4c03ddbf5fe9e55346e426b78c9a9b2c
SHA1

e8ad3b30d021822fe4c9f6d9c3645bd712224ee7
SHA256

93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb
SHA512

9abc493c5e467667890933b0663370797734fb625cc0fa80f59195606315bbf77c4f4882b20f5c4b1f999dbfb397bacd65c992ef071b21a076b056a55431e325
SSDEEP

12288:KB9cAtoKCYsciDNH2HwRM4J3jaEt1hUj2:U9cOviBH2QG45aEt1hUS

Score

10^/10

glupteba privateloader stealc zgrat discovery dropper evasion execution loader persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/2496-151-0x0000019B2FDF0000-0x0000019B33624000-memory.dmp	family_zgrat_v1
behavioral2/memory/2496-153-0x0000019B4DF00000-0x0000019B4E00A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2496-157-0x0000019B353B0000-0x0000019B353D4000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 9 IoCs

resource	yara_rule
behavioral2/memory/2212-460-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/4108-523-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/2212-750-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/4108-753-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/3284-1306-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/1316-1311-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/2980-2368-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/4048-2369-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/2980-2684-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	MwNTj02YHLyPTV8QlUGDOtE4.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\SLu4szS4IddjUSaEKDT8H7PL.exe = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MwNTj02YHLyPTV8QlUGDOtE4.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
196	powershell.exe
4040	powershell.exe
2016	powershell.exe
1728	powershell.exe
360	powershell.exe
3460	powershell.exe
3348	powershell.exe
4124	powershell.exe
1756	powershell.exe
4928	powershell.exe
4476	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4576	netsh.exe
4244	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MwNTj02YHLyPTV8QlUGDOtE4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MwNTj02YHLyPTV8QlUGDOtE4.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LETfMhzkRFoLWA5HwxGleg64.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\emOwq2xkiTZwA68NEXYizpGs.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FZDLMQeybS79LPT8P4VedjPx.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSZzNmuz5hXH56kJ70s7CL4T.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iKcdjT5pcglTLpKmBnq5ZgCw.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NlvVMDpV5iknsoE7EbbpIBfJ.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lXqSjesxxIwj3OiLxPIyzUtt.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nh5YmiQRjFPzBaH7a1J9PHgt.bat	CasPol.exe

Executes dropped EXE 14 IoCs

pid	Process
712	GbGBier3ZxoECIShfjlkYa8k.exe
2212	SLu4szS4IddjUSaEKDT8H7PL.exe
4108	HqtZwh9sxYaOZDzE9zcAaT3k.exe
4492	QEajdiXyqmIw5Rmk2asLd9eV.exe
3284	FeafGNPhYCTIxxpEqu493fMU.exe
1316	kiJLENO1vNCh6uTeWs0DG9Az.exe
4564	MwNTj02YHLyPTV8QlUGDOtE4.exe
4600	ujs.0.exe
4292	ujs.1.exe
2980	SLu4szS4IddjUSaEKDT8H7PL.exe
4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe
1380	FeafGNPhYCTIxxpEqu493fMU.exe
860	kiJLENO1vNCh6uTeWs0DG9Az.exe
3040	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
4600	ujs.0.exe
4600	ujs.0.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000700000001ac53-117.dat	themida
behavioral2/memory/4564-118-0x0000000140000000-0x000000014097B000-memory.dmp	themida
behavioral2/memory/4564-126-0x0000000140000000-0x000000014097B000-memory.dmp	themida

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\SLu4szS4IddjUSaEKDT8H7PL.exe = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	SLu4szS4IddjUSaEKDT8H7PL.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	SLu4szS4IddjUSaEKDT8H7PL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MwNTj02YHLyPTV8QlUGDOtE4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
4	pastebin.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	api.myip.com
36	ipinfo.io
39	ipinfo.io

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	MwNTj02YHLyPTV8QlUGDOtE4.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	MwNTj02YHLyPTV8QlUGDOtE4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	MwNTj02YHLyPTV8QlUGDOtE4.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	MwNTj02YHLyPTV8QlUGDOtE4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4564	MwNTj02YHLyPTV8QlUGDOtE4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4240 set thread context of 1640	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	75

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	HqtZwh9sxYaOZDzE9zcAaT3k.exe
File opened (read-only)	\??\VBoxMiniRdrDN	SLu4szS4IddjUSaEKDT8H7PL.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	SLu4szS4IddjUSaEKDT8H7PL.exe
File created	C:\Windows\rss\csrss.exe	SLu4szS4IddjUSaEKDT8H7PL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2388	4492	WerFault.exe	83

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	QEajdiXyqmIw5Rmk2asLd9eV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ujs.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ujs.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ujs.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	QEajdiXyqmIw5Rmk2asLd9eV.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	QEajdiXyqmIw5Rmk2asLd9eV.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ujs.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ujs.0.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SLu4szS4IddjUSaEKDT8H7PL.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	HqtZwh9sxYaOZDzE9zcAaT3k.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
196	powershell.exe
196	powershell.exe
196	powershell.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2016	powershell.exe
2016	powershell.exe
4040	powershell.exe
4040	powershell.exe
2016	powershell.exe
4040	powershell.exe
4040	powershell.exe
2016	powershell.exe
4108	HqtZwh9sxYaOZDzE9zcAaT3k.exe
4108	HqtZwh9sxYaOZDzE9zcAaT3k.exe
2212	SLu4szS4IddjUSaEKDT8H7PL.exe
2212	SLu4szS4IddjUSaEKDT8H7PL.exe
1728	powershell.exe
1728	powershell.exe
1728	powershell.exe
1728	powershell.exe
360	powershell.exe
360	powershell.exe
360	powershell.exe
360	powershell.exe
3284	FeafGNPhYCTIxxpEqu493fMU.exe
3284	FeafGNPhYCTIxxpEqu493fMU.exe
1316	kiJLENO1vNCh6uTeWs0DG9Az.exe
1316	kiJLENO1vNCh6uTeWs0DG9Az.exe
4600	ujs.0.exe
4600	ujs.0.exe
3460	powershell.exe
3460	powershell.exe
3460	powershell.exe
4124	powershell.exe
4124	powershell.exe
4124	powershell.exe
3460	powershell.exe
4124	powershell.exe
4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe
4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe
4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe
4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe
4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe
4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe
4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe
4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe
4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe
4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe
2980	SLu4szS4IddjUSaEKDT8H7PL.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Token: SeDebugPrivilege	196	powershell.exe
Token: SeIncreaseQuotaPrivilege	196	powershell.exe
Token: SeSecurityPrivilege	196	powershell.exe
Token: SeTakeOwnershipPrivilege	196	powershell.exe
Token: SeLoadDriverPrivilege	196	powershell.exe
Token: SeSystemProfilePrivilege	196	powershell.exe
Token: SeSystemtimePrivilege	196	powershell.exe
Token: SeProfSingleProcessPrivilege	196	powershell.exe
Token: SeIncBasePriorityPrivilege	196	powershell.exe
Token: SeCreatePagefilePrivilege	196	powershell.exe
Token: SeBackupPrivilege	196	powershell.exe
Token: SeRestorePrivilege	196	powershell.exe
Token: SeShutdownPrivilege	196	powershell.exe
Token: SeDebugPrivilege	196	powershell.exe
Token: SeSystemEnvironmentPrivilege	196	powershell.exe
Token: SeRemoteShutdownPrivilege	196	powershell.exe
Token: SeUndockPrivilege	196	powershell.exe
Token: SeManageVolumePrivilege	196	powershell.exe
Token: 33	196	powershell.exe
Token: 34	196	powershell.exe
Token: 35	196	powershell.exe
Token: 36	196	powershell.exe
Token: SeDebugPrivilege	1640	CasPol.exe
Token: SeDebugPrivilege	2496	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	4108	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Token: SeImpersonatePrivilege	4108	HqtZwh9sxYaOZDzE9zcAaT3k.exe
Token: SeDebugPrivilege	2212	SLu4szS4IddjUSaEKDT8H7PL.exe
Token: SeImpersonatePrivilege	2212	SLu4szS4IddjUSaEKDT8H7PL.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeDebugPrivilege	3284	FeafGNPhYCTIxxpEqu493fMU.exe
Token: SeImpersonatePrivilege	3284	FeafGNPhYCTIxxpEqu493fMU.exe
Token: SeDebugPrivilege	1316	kiJLENO1vNCh6uTeWs0DG9Az.exe
Token: SeImpersonatePrivilege	1316	kiJLENO1vNCh6uTeWs0DG9Az.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 196	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	72
PID 4240 wrote to memory of 196	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	72
PID 4240 wrote to memory of 3900	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	74
PID 4240 wrote to memory of 3900	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	74
PID 4240 wrote to memory of 3900	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	74
PID 4240 wrote to memory of 1640	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	75
PID 4240 wrote to memory of 1640	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	75
PID 4240 wrote to memory of 1640	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	75
PID 4240 wrote to memory of 1640	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	75
PID 4240 wrote to memory of 1640	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	75
PID 4240 wrote to memory of 1640	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	75
PID 4240 wrote to memory of 1640	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	75
PID 4240 wrote to memory of 1640	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	75
PID 4240 wrote to memory of 4320	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	76
PID 4240 wrote to memory of 4320	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	76
PID 4240 wrote to memory of 4320	4240	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	76
PID 1640 wrote to memory of 712	1640	CasPol.exe	80
PID 1640 wrote to memory of 712	1640	CasPol.exe	80
PID 1640 wrote to memory of 712	1640	CasPol.exe	80
PID 1640 wrote to memory of 2212	1640	CasPol.exe	81
PID 1640 wrote to memory of 2212	1640	CasPol.exe	81
PID 1640 wrote to memory of 2212	1640	CasPol.exe	81
PID 1640 wrote to memory of 4108	1640	CasPol.exe	82
PID 1640 wrote to memory of 4108	1640	CasPol.exe	82
PID 1640 wrote to memory of 4108	1640	CasPol.exe	82
PID 1640 wrote to memory of 4492	1640	CasPol.exe	83
PID 1640 wrote to memory of 4492	1640	CasPol.exe	83
PID 1640 wrote to memory of 4492	1640	CasPol.exe	83
PID 1640 wrote to memory of 3284	1640	CasPol.exe	84
PID 1640 wrote to memory of 3284	1640	CasPol.exe	84
PID 1640 wrote to memory of 3284	1640	CasPol.exe	84
PID 1640 wrote to memory of 1316	1640	CasPol.exe	85
PID 1640 wrote to memory of 1316	1640	CasPol.exe	85
PID 1640 wrote to memory of 1316	1640	CasPol.exe	85
PID 1640 wrote to memory of 4564	1640	CasPol.exe	86
PID 1640 wrote to memory of 4564	1640	CasPol.exe	86
PID 712 wrote to memory of 4600	712	GbGBier3ZxoECIShfjlkYa8k.exe	89
PID 712 wrote to memory of 4600	712	GbGBier3ZxoECIShfjlkYa8k.exe	89
PID 712 wrote to memory of 4600	712	GbGBier3ZxoECIShfjlkYa8k.exe	89
PID 712 wrote to memory of 4292	712	GbGBier3ZxoECIShfjlkYa8k.exe	91
PID 712 wrote to memory of 4292	712	GbGBier3ZxoECIShfjlkYa8k.exe	91
PID 712 wrote to memory of 4292	712	GbGBier3ZxoECIShfjlkYa8k.exe	91
PID 4108 wrote to memory of 4040	4108	HqtZwh9sxYaOZDzE9zcAaT3k.exe	97
PID 4108 wrote to memory of 4040	4108	HqtZwh9sxYaOZDzE9zcAaT3k.exe	97
PID 4108 wrote to memory of 4040	4108	HqtZwh9sxYaOZDzE9zcAaT3k.exe	97
PID 2212 wrote to memory of 2016	2212	SLu4szS4IddjUSaEKDT8H7PL.exe	96
PID 2212 wrote to memory of 2016	2212	SLu4szS4IddjUSaEKDT8H7PL.exe	96
PID 2212 wrote to memory of 2016	2212	SLu4szS4IddjUSaEKDT8H7PL.exe	96
PID 3284 wrote to memory of 1728	3284	FeafGNPhYCTIxxpEqu493fMU.exe	105
PID 3284 wrote to memory of 1728	3284	FeafGNPhYCTIxxpEqu493fMU.exe	105
PID 3284 wrote to memory of 1728	3284	FeafGNPhYCTIxxpEqu493fMU.exe	105
PID 1316 wrote to memory of 360	1316	kiJLENO1vNCh6uTeWs0DG9Az.exe	107
PID 1316 wrote to memory of 360	1316	kiJLENO1vNCh6uTeWs0DG9Az.exe	107
PID 1316 wrote to memory of 360	1316	kiJLENO1vNCh6uTeWs0DG9Az.exe	107
PID 4048 wrote to memory of 3460	4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe	111
PID 4048 wrote to memory of 3460	4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe	111
PID 4048 wrote to memory of 3460	4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe	111
PID 2980 wrote to memory of 4124	2980	SLu4szS4IddjUSaEKDT8H7PL.exe	113
PID 2980 wrote to memory of 4124	2980	SLu4szS4IddjUSaEKDT8H7PL.exe	113
PID 2980 wrote to memory of 4124	2980	SLu4szS4IddjUSaEKDT8H7PL.exe	113
PID 4048 wrote to memory of 2832	4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe	115
PID 4048 wrote to memory of 2832	4048	HqtZwh9sxYaOZDzE9zcAaT3k.exe	115
PID 2832 wrote to memory of 4576	2832	cmd.exe	117
PID 2832 wrote to memory of 4576	2832	cmd.exe	117

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
"C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:3900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\Pictures\GbGBier3ZxoECIShfjlkYa8k.exe
    "C:\Users\Admin\Pictures\GbGBier3ZxoECIShfjlkYa8k.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:712
  - - C:\Users\Admin\AppData\Local\Temp\ujs.0.exe
      "C:\Users\Admin\AppData\Local\Temp\ujs.0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\ujs.1.exe
      "C:\Users\Admin\AppData\Local\Temp\ujs.1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:4292
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
- - C:\Users\Admin\Pictures\SLu4szS4IddjUSaEKDT8H7PL.exe
    "C:\Users\Admin\Pictures\SLu4szS4IddjUSaEKDT8H7PL.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2016
  - - C:\Users\Admin\Pictures\SLu4szS4IddjUSaEKDT8H7PL.exe
      "C:\Users\Admin\Pictures\SLu4szS4IddjUSaEKDT8H7PL.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4300
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:4244
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        
        PID:3040
- - C:\Users\Admin\Pictures\HqtZwh9sxYaOZDzE9zcAaT3k.exe
    "C:\Users\Admin\Pictures\HqtZwh9sxYaOZDzE9zcAaT3k.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4040
  - - C:\Users\Admin\Pictures\HqtZwh9sxYaOZDzE9zcAaT3k.exe
      "C:\Users\Admin\Pictures\HqtZwh9sxYaOZDzE9zcAaT3k.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:4576
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
- - C:\Users\Admin\Pictures\QEajdiXyqmIw5Rmk2asLd9eV.exe
    "C:\Users\Admin\Pictures\QEajdiXyqmIw5Rmk2asLd9eV.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 492
      4⤵
      Program crash
      PID:2388
- - C:\Users\Admin\Pictures\FeafGNPhYCTIxxpEqu493fMU.exe
    "C:\Users\Admin\Pictures\FeafGNPhYCTIxxpEqu493fMU.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Users\Admin\Pictures\FeafGNPhYCTIxxpEqu493fMU.exe
      "C:\Users\Admin\Pictures\FeafGNPhYCTIxxpEqu493fMU.exe"
      4⤵
      Executes dropped EXE
      PID:1380
- - C:\Users\Admin\Pictures\kiJLENO1vNCh6uTeWs0DG9Az.exe
    "C:\Users\Admin\Pictures\kiJLENO1vNCh6uTeWs0DG9Az.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:360
  - - C:\Users\Admin\Pictures\kiJLENO1vNCh6uTeWs0DG9Az.exe
      "C:\Users\Admin\Pictures\kiJLENO1vNCh6uTeWs0DG9Az.exe"
      4⤵
      Executes dropped EXE
      PID:860
- - C:\Users\Admin\Pictures\MwNTj02YHLyPTV8QlUGDOtE4.exe
    "C:\Users\Admin\Pictures\MwNTj02YHLyPTV8QlUGDOtE4.exe"
    3⤵
    - Modifies firewall policy service
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:4320

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
03c289ebf8a834dbc9eace8744b4fd4d

SHA1
7ea6eb7604374df249af3e865438954b47cd9143

SHA256
efff3acae21db84daf937e9750288636a6af066837bb07ead92afc4d15c8fa46

SHA512
518078d4ca16b969c46d114c7045c93c0fca707d1c334fe6ef629bc5fa47683c4c0188b58db23ee0061018109605d814218d8d7e23799f397cb6771e9dd9bc7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b6ea940fe24b18933bf76f5aced10a1c

SHA1
be30f0e4dee263ed56163db54b0b7cf0921918ff

SHA256
e77fb749147f1851e1be6305c5bee754122c2dc9b2ad8b4dcd81a55c5b97c04f

SHA512
6621a5f4bf80ec6ceb278e14975e7b1b255ded56b36fed6fe5c1cb38f28b4d31aca0b08be947452c24d29f4a1f8056e452562c1477437577c89b893033372dc9

Download Submit
C:\Users\Admin\AppData\Local\TFGo0LZBHpKYjB6mOrKrMlRs.exe

Filesize
3.6MB

MD5
284eed1a8b6af9f60ddc64d1019163cc

SHA1
ab44d6ca9df9587719a38c398978c0b9453d0583

SHA256
b33e8b9c2ba6e4acb040e0c206b26f726a6c6848368f122fc8d0abe2d12170b2

SHA512
224b75f102c810cc8ac9f69f58aca8ccdfb88eb3cd15d02c67dd0b7db125b3b3f5110f83bdb1ba2025e0f2190f0f1b17d4c7ce3179cced3ce1271357f71471ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jkrku2yj.z5u.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujs.0.exe

Filesize
206KB

MD5
0917be53327ea132956255dcab650a82

SHA1
b60818917f645a8a9af3b530e3ae37c1f002be2f

SHA256
211c34660898480e0777c6ef6f61bf2111f6550e00b40cab859543d567dc455a

SHA512
a72acc24ba813d983bbf2ecab7929d0aab4e25637ae43e85b973a5105429bd15c061415fd855737620caaf81b456b2d6ba57f85566245efbe5f8b5db5560932a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujs.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\Pictures\FeafGNPhYCTIxxpEqu493fMU.exe

Filesize
4.1MB

MD5
0ed8d071deae90ff638cb070d0b9559d

SHA1
9b39b4703ccd78d9ca56bbf2f4c168d71a7bcfda

SHA256
691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99

SHA512
960a5a4e2b4f82bb7273cbab8bf622933c6e603cdc44b59b409c285b62c3a2c741bca7692ed77864520aa95c85a2f3fc31ddc9383caada588828d953346c2729

Download Submit
C:\Users\Admin\Pictures\GbGBier3ZxoECIShfjlkYa8k.exe

Filesize
384KB

MD5
f969256486cae8c6c357924481ec86ee

SHA1
95f91c8a6539700b4dd6077ba3a778c13bc72d4d

SHA256
d719fb243a6d2ad33a76aa78ee66f4763a36c78a2373a01de223fb5c27b722da

SHA512
106959ab072744ae5ce79cbc627040dbd32bb416407ca7d1f848ae49dbb609f900c0f34696fc5e30c5418d889b5c07b35d5a0f9b4f1be1e662621ba2c4491e16

Download Submit
C:\Users\Admin\Pictures\HqtZwh9sxYaOZDzE9zcAaT3k.exe

Filesize
4.1MB

MD5
f6156b63d313f7247432a693de39daef

SHA1
bff890bf23551db49d04af57779630bea35356a9

SHA256
f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620

SHA512
54c61e755d5661da14ebfef93b9fa61d02f59fb43edc1310cf21c0780479bc54be973836286f0d5104a946e9d511e94162d38e2a5471f0f386b7b7e396e7f759

Download Submit
C:\Users\Admin\Pictures\MwNTj02YHLyPTV8QlUGDOtE4.exe

Filesize
2.8MB

MD5
d41fd1ea6e0ca0032be2174317f60fd8

SHA1
60f001b9d201259aa333e9b202e4ab5648d16bf3

SHA256
3c56d175e67df7e1664bbedd95abee57cf93a7aceaf80374ede4ce1fc4a30990

SHA512
a4ce799f1ce9157d053dcb1694dcb127d98e994eb55cecb484ace1c192cf80a1fbfb7b8de94851a49e915cafebc568f70ce07b912e5901387ed90639c692c16e

Download Submit
C:\Users\Admin\Pictures\QEajdiXyqmIw5Rmk2asLd9eV.exe

Filesize
213KB

MD5
718455b384af2a8caa79eca4c64b7d78

SHA1
84993e856abe4c3c90a61f95f02252dfbe94b356

SHA256
1e418b3dae341f3196b5c3c23cb11eb071dbb82c77ebef9badfd74e3ddea1aac

SHA512
46f51aa5f2fa32f597bbc6e6d375d8d0b9baa2fae2ec68a76fdba63e0d831a514658aa26c137657b8ad1ec653b1f4f5c728b3a61a40f0ba3e0b67a381d02537f

Download Submit
C:\Users\Admin\Pictures\wpHsRhw7k5X2ObsDFnVnC7tj.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
b916ed3736617fca10e4e7070b439ace

SHA1
810f69b6271aeee88f5bdae27b4393633079ad17

SHA256
025d8b33452f44cef5894df193697a018929bcd901576daa420a80c4b0a572e2

SHA512
b5e7f3432027d6613690e4a3c1c23de70658b8838d3743282227c412f739b3d989a1aeb0df71ec8f9dc595db55dc4a509a060b684b978e1d41dba1b23bfadc60

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
8313a185203272e765587490b2bc0f2f

SHA1
2a8bb066a091e37e99ecdb0d3d5665872b6ce5b3

SHA256
5c5dc6b384ab2e23ffdbeb634ff34122c517f81b80badfe77ec0c9e2ff037dae

SHA512
b227067f990f947937efba1a54151aa824dbcbec27b71c73d03dbf13059a936db25b737fd96ba8d225a21001a61c99639198ec5e6b78eb2f8b325e8da02c04a0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
db0eb7c46cd60848fd6f3949b12f1a3d

SHA1
53fa00e64e72fc11190c340ba66199ff5c2d2fe9

SHA256
b6bca81e5bef4438fef48223edcedbfbf4ad8c5bdf8f8e58cd4200c6f9768d14

SHA512
11f3a9dee632f9def8bea19d8dcb0573060e1d9d8b7360e4c2c0b45e0ae4d8db9a8362a3df58c1110e899e6db6598a7b10d719e50662ad2a5483fbec4e1df31e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
b9aff3427b469da7a53e3648a5ec3821

SHA1
c873b05f9eca96817bc5b1bcb0a1e95cf7a26b54

SHA256
999a431f1535de2e18f5b1fe95700303c9f6dfcf1f5a7503dc2116298c405321

SHA512
2e583b90fcae354965499a63281fe9a113a0940a1e35237648803b8191b3a01b2a5de1e4b9b2907725d0769cc5f63014e421f24799685c853b7b0a872e848778

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/196-15-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/196-13-0x000001B9BD820000-0x000001B9BD896000-memory.dmp

Filesize
472KB

Download
memory/196-14-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/196-44-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/196-55-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/196-10-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/196-9-0x000001B9BD670000-0x000001B9BD692000-memory.dmp

Filesize
136KB

Download
memory/360-1034-0x000000006F680000-0x000000006F9D0000-memory.dmp

Filesize
3.3MB

Download
memory/360-991-0x000000006FD20000-0x000000006FD6B000-memory.dmp

Filesize
300KB

Download
memory/712-137-0x0000000000400000-0x0000000002B1E000-memory.dmp

Filesize
39.1MB

Download
memory/1316-1311-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/1640-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-814-0x000000006FD20000-0x000000006FD6B000-memory.dmp

Filesize
300KB

Download
memory/1728-820-0x000000000A3C0000-0x000000000A465000-memory.dmp

Filesize
660KB

Download
memory/1728-815-0x000000006F680000-0x000000006F9D0000-memory.dmp

Filesize
3.3MB

Download
memory/1756-1904-0x000000006FD20000-0x000000006FD6B000-memory.dmp

Filesize
300KB

Download
memory/1756-1905-0x000000006F680000-0x000000006F9D0000-memory.dmp

Filesize
3.3MB

Download
memory/2016-192-0x0000000007990000-0x00000000079AC000-memory.dmp

Filesize
112KB

Download
memory/2016-318-0x0000000009960000-0x0000000009A05000-memory.dmp

Filesize
660KB

Download
memory/2016-186-0x0000000006C20000-0x0000000007248000-memory.dmp

Filesize
6.2MB

Download
memory/2016-185-0x00000000044E0000-0x0000000004516000-memory.dmp

Filesize
216KB

Download
memory/2016-306-0x000000006FD20000-0x000000006FD6B000-memory.dmp

Filesize
300KB

Download
memory/2016-319-0x0000000009B80000-0x0000000009C14000-memory.dmp

Filesize
592KB

Download
memory/2016-308-0x000000006F680000-0x000000006F9D0000-memory.dmp

Filesize
3.3MB

Download
memory/2016-189-0x0000000007370000-0x00000000073D6000-memory.dmp

Filesize
408KB

Download
memory/2016-291-0x0000000008B30000-0x0000000008BA6000-memory.dmp

Filesize
472KB

Download
memory/2016-230-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

Filesize
240KB

Download
memory/2016-193-0x0000000007D40000-0x0000000007D8B000-memory.dmp

Filesize
300KB

Download
memory/2016-188-0x0000000007300000-0x0000000007366000-memory.dmp

Filesize
408KB

Download
memory/2016-190-0x00000000075C0000-0x0000000007910000-memory.dmp

Filesize
3.3MB

Download
memory/2016-187-0x0000000006B40000-0x0000000006B62000-memory.dmp

Filesize
136KB

Download
memory/2212-460-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/2212-750-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/2496-172-0x0000019B535C0000-0x0000019B535CA000-memory.dmp

Filesize
40KB

Download
memory/2496-170-0x0000019B532F0000-0x0000019B53328000-memory.dmp

Filesize
224KB

Download
memory/2496-178-0x0000019B535D0000-0x0000019B535DC000-memory.dmp

Filesize
48KB

Download
memory/2496-175-0x0000019B53B90000-0x0000019B540B6000-memory.dmp

Filesize
5.1MB

Download
memory/2496-162-0x0000019B4DE70000-0x0000019B4DEC0000-memory.dmp

Filesize
320KB

Download
memory/2496-160-0x0000019B4DCD0000-0x0000019B4DCFA000-memory.dmp

Filesize
168KB

Download
memory/2496-173-0x0000019B535E0000-0x0000019B53642000-memory.dmp

Filesize
392KB

Download
memory/2496-174-0x0000019B53640000-0x0000019B53662000-memory.dmp

Filesize
136KB

Download
memory/2496-161-0x0000019B4E240000-0x0000019B4E2F2000-memory.dmp

Filesize
712KB

Download
memory/2496-171-0x0000019B52490000-0x0000019B52498000-memory.dmp

Filesize
32KB

Download
memory/2496-169-0x0000019B51D70000-0x0000019B51D78000-memory.dmp

Filesize
32KB

Download
memory/2496-179-0x0000019B53680000-0x0000019B5369E000-memory.dmp

Filesize
120KB

Download
memory/2496-154-0x0000019B33AA0000-0x0000019B33AB0000-memory.dmp

Filesize
64KB

Download
memory/2496-167-0x0000019B4E2F0000-0x0000019B4E5F0000-memory.dmp

Filesize
3.0MB

Download
memory/2496-157-0x0000019B353B0000-0x0000019B353D4000-memory.dmp

Filesize
144KB

Download
memory/2496-156-0x0000019B33AB0000-0x0000019B33AC4000-memory.dmp

Filesize
80KB

Download
memory/2496-163-0x0000019B33A50000-0x0000019B33A5A000-memory.dmp

Filesize
40KB

Download
memory/2496-155-0x0000019B33AC0000-0x0000019B33ACC000-memory.dmp

Filesize
48KB

Download
memory/2496-153-0x0000019B4DF00000-0x0000019B4E00A000-memory.dmp

Filesize
1.0MB

Download
memory/2496-151-0x0000019B2FDF0000-0x0000019B33624000-memory.dmp

Filesize
56.2MB

Download
memory/2496-159-0x0000019B33A40000-0x0000019B33A4A000-memory.dmp

Filesize
40KB

Download
memory/2980-2368-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/2980-2684-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/3284-1306-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/3348-2381-0x000000006F680000-0x000000006F9D0000-memory.dmp

Filesize
3.3MB

Download
memory/3348-2372-0x000000006FD20000-0x000000006FD6B000-memory.dmp

Filesize
300KB

Download
memory/3460-1428-0x000000006F680000-0x000000006F9D0000-memory.dmp

Filesize
3.3MB

Download
memory/3460-1433-0x0000000009830000-0x00000000098D5000-memory.dmp

Filesize
660KB

Download
memory/3460-1427-0x000000006FD20000-0x000000006FD6B000-memory.dmp

Filesize
300KB

Download
memory/4040-304-0x0000000009820000-0x0000000009853000-memory.dmp

Filesize
204KB

Download
memory/4040-307-0x000000006F680000-0x000000006F9D0000-memory.dmp

Filesize
3.3MB

Download
memory/4040-305-0x000000006FD20000-0x000000006FD6B000-memory.dmp

Filesize
300KB

Download
memory/4040-715-0x00000000099C0000-0x00000000099C8000-memory.dmp

Filesize
32KB

Download
memory/4040-309-0x0000000009800000-0x000000000981E000-memory.dmp

Filesize
120KB

Download
memory/4040-690-0x00000000099E0000-0x00000000099FA000-memory.dmp

Filesize
104KB

Download
memory/4048-2369-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/4108-753-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/4108-523-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/4124-1463-0x000000006FD20000-0x000000006FD6B000-memory.dmp

Filesize
300KB

Download
memory/4124-1505-0x000000006F680000-0x000000006F9D0000-memory.dmp

Filesize
3.3MB

Download
memory/4240-2-0x0000020945AF0000-0x0000020945AFE000-memory.dmp

Filesize
56KB

Download
memory/4240-94-0x00007FFE28E63000-0x00007FFE28E64000-memory.dmp

Filesize
4KB

Download
memory/4240-1-0x00007FFE28E63000-0x00007FFE28E64000-memory.dmp

Filesize
4KB

Download
memory/4240-0-0x0000020943F50000-0x0000020943F5E000-memory.dmp

Filesize
56KB

Download
memory/4240-4-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/4240-3-0x0000020945CB0000-0x0000020945D0E000-memory.dmp

Filesize
376KB

Download
memory/4240-95-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/4292-145-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4292-139-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4476-2465-0x000000006F680000-0x000000006F9D0000-memory.dmp

Filesize
3.3MB

Download
memory/4476-2464-0x000000006FD20000-0x000000006FD6B000-memory.dmp

Filesize
300KB

Download
memory/4492-1313-0x0000000000400000-0x0000000002AF2000-memory.dmp

Filesize
38.9MB

Download
memory/4564-118-0x0000000140000000-0x000000014097B000-memory.dmp

Filesize
9.5MB

Download
memory/4564-126-0x0000000140000000-0x000000014097B000-memory.dmp

Filesize
9.5MB

Download
memory/4600-1316-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4600-1388-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/4600-1342-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/4600-1374-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/4928-1982-0x000000006FD20000-0x000000006FD6B000-memory.dmp

Filesize
300KB

Download
memory/4928-1983-0x000000006F680000-0x000000006F9D0000-memory.dmp

Filesize
3.3MB

Download