glupteba | df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744

Analysis

max time kernel
109s
max time network
288s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-05-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe
Size

521KB
MD5

c1d583657c7fe7973f820983fd1abb81
SHA1

4cfada887af87f32224fca86ed32edcac00edbec
SHA256

df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744
SHA512

2dc55bbf18ca62a8e5834d7341a646d3ea082eca7e28ad9c75f72e5813ea46cf10ab9fa98d7ab2f2830633f438aa19f2eb4af768dee4b7a130f8eec17936dd88
SSDEEP

12288:jpDxMM2vWugFMfmKL9ZVvwtgEOy9bxKdyH6WS2Fft:19MMYzftL97sgoKOSU1

Score

10^/10

glupteba privateloader stealc zgrat discovery dropper evasion execution loader persistence rat spyware stealer themida trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/4304-176-0x00000186E2FB0000-0x00000186E67E4000-memory.dmp	family_zgrat_v1
behavioral2/memory/4304-177-0x00000186E9170000-0x00000186E927A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4304-181-0x00000186E8D50000-0x00000186E8D74000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 15 IoCs

resource	yara_rule
behavioral2/memory/928-203-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/932-207-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/4084-205-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/4084-1325-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/928-1329-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/932-1332-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/3588-1336-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/6056-2637-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/6088-2848-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5076-3432-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5316-3433-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5076-4070-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5316-4295-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/840-5010-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/840-5023-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	4v86t109BX6i9v2AWh345NQS.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe

Windows security bypass 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\D1ZHSUlc2PSGZbgIkO9cdyi1.exe = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\abZ3xojSXqXpNm2sJfDrC8eU.exe = "0"	abZ3xojSXqXpNm2sJfDrC8eU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4v86t109BX6i9v2AWh345NQS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
312	powershell.exe
3624	powershell.exe
6104	powershell.exe
1704	powershell.exe
5276	powershell.exe
1624	powershell.exe
68	powershell.exe
5856	powershell.exe
1856	powershell.exe
4516	powershell.exe
4288	powershell.exe
4748	powershell.exe
5560	powershell.exe
1296	powershell.exe
4284	powershell.exe
5944	powershell.exe
5304	powershell.exe
6060	powershell.exe
4332	powershell.exe
1824	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4600	netsh.exe
4356	netsh.exe
5460	netsh.exe
5564	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4v86t109BX6i9v2AWh345NQS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4v86t109BX6i9v2AWh345NQS.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wauGX7IP01ND1FUfWsXatp9l.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zpRNlSib6FvnnbgqCQOE56K4.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tFeq7sbPThsTMJBpaZlCRwPI.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezGXW3ZP7o38NAKcNvfWhWDp.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KhaLt8ShVsaERNcf2GNsSfkg.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sZlMw6gVbuR8rXZQO0pRqCI4.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\byDeQ7s0ScXmyNhA4pxixFXP.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adwdv15kRp4JbyMy2WAmjKxf.bat	installutil.exe

Executes dropped EXE 14 IoCs

pid	Process
1604	s1Rpi6PadF8Drejj1cwzWcAZ.exe
928	abZ3xojSXqXpNm2sJfDrC8eU.exe
4084	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
932	FX8KDKs8rgsVsI5w54aVtzZU.exe
3588	tRg9Nt2mHoO9J6k76VmEWM6y.exe
3424	TYTFUXCX0MfmLjYxHGto976i.exe
2188	4v86t109BX6i9v2AWh345NQS.exe
512	u18k.0.exe
4520	u18k.1.exe
6056	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
6088	abZ3xojSXqXpNm2sJfDrC8eU.exe
5076	FX8KDKs8rgsVsI5w54aVtzZU.exe
5316	tRg9Nt2mHoO9J6k76VmEWM6y.exe
840	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
512	u18k.0.exe
512	u18k.0.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000700000001ac50-113.dat	themida
behavioral2/memory/2188-114-0x0000000140000000-0x000000014097B000-memory.dmp	themida
behavioral2/memory/2188-124-0x0000000140000000-0x000000014097B000-memory.dmp	themida

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000001ac10-5026.dat	upx
behavioral2/memory/816-5031-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\D1ZHSUlc2PSGZbgIkO9cdyi1.exe = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\abZ3xojSXqXpNm2sJfDrC8eU.exe = "0"	abZ3xojSXqXpNm2sJfDrC8eU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	abZ3xojSXqXpNm2sJfDrC8eU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4v86t109BX6i9v2AWh345NQS.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
3	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	ipinfo.io
40	ipinfo.io
36	api.myip.com
38	api.myip.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	4v86t109BX6i9v2AWh345NQS.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	4v86t109BX6i9v2AWh345NQS.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	4v86t109BX6i9v2AWh345NQS.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	4v86t109BX6i9v2AWh345NQS.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2188	4v86t109BX6i9v2AWh345NQS.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4920 set thread context of 1580	4920	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	77

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	abZ3xojSXqXpNm2sJfDrC8eU.exe
File opened (read-only)	\??\VBoxMiniRdrDN	D1ZHSUlc2PSGZbgIkO9cdyi1.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rss\csrss.exe	abZ3xojSXqXpNm2sJfDrC8eU.exe
File opened for modification	C:\Windows\rss	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
File created	C:\Windows\rss\csrss.exe	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
File opened for modification	C:\Windows\rss	abZ3xojSXqXpNm2sJfDrC8eU.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4700	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5136	3424	WerFault.exe	86

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	TYTFUXCX0MfmLjYxHGto976i.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	TYTFUXCX0MfmLjYxHGto976i.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	TYTFUXCX0MfmLjYxHGto976i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u18k.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u18k.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u18k.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u18k.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u18k.0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5472	schtasks.exe
2980	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	D1ZHSUlc2PSGZbgIkO9cdyi1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
312	powershell.exe
312	powershell.exe
312	powershell.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1296	powershell.exe
1296	powershell.exe
3624	powershell.exe
3624	powershell.exe
3624	powershell.exe
1296	powershell.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3624	powershell.exe
1296	powershell.exe
4284	powershell.exe
4284	powershell.exe
4284	powershell.exe
4284	powershell.exe
6104	powershell.exe
6104	powershell.exe
6104	powershell.exe
6104	powershell.exe
928	abZ3xojSXqXpNm2sJfDrC8eU.exe
928	abZ3xojSXqXpNm2sJfDrC8eU.exe
4084	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
4084	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
932	FX8KDKs8rgsVsI5w54aVtzZU.exe
932	FX8KDKs8rgsVsI5w54aVtzZU.exe
3588	tRg9Nt2mHoO9J6k76VmEWM6y.exe
3588	tRg9Nt2mHoO9J6k76VmEWM6y.exe
512	u18k.0.exe
512	u18k.0.exe
5856	powershell.exe
5856	powershell.exe
5944	powershell.exe
5944	powershell.exe
5856	powershell.exe
5944	powershell.exe
5856	powershell.exe
5944	powershell.exe
6088	abZ3xojSXqXpNm2sJfDrC8eU.exe
6088	abZ3xojSXqXpNm2sJfDrC8eU.exe
6088	abZ3xojSXqXpNm2sJfDrC8eU.exe
6088	abZ3xojSXqXpNm2sJfDrC8eU.exe
6088	abZ3xojSXqXpNm2sJfDrC8eU.exe
6088	abZ3xojSXqXpNm2sJfDrC8eU.exe
6088	abZ3xojSXqXpNm2sJfDrC8eU.exe
6088	abZ3xojSXqXpNm2sJfDrC8eU.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	1580	installutil.exe
Token: SeIncreaseQuotaPrivilege	312	powershell.exe
Token: SeSecurityPrivilege	312	powershell.exe
Token: SeTakeOwnershipPrivilege	312	powershell.exe
Token: SeLoadDriverPrivilege	312	powershell.exe
Token: SeSystemProfilePrivilege	312	powershell.exe
Token: SeSystemtimePrivilege	312	powershell.exe
Token: SeProfSingleProcessPrivilege	312	powershell.exe
Token: SeIncBasePriorityPrivilege	312	powershell.exe
Token: SeCreatePagefilePrivilege	312	powershell.exe
Token: SeBackupPrivilege	312	powershell.exe
Token: SeRestorePrivilege	312	powershell.exe
Token: SeShutdownPrivilege	312	powershell.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeSystemEnvironmentPrivilege	312	powershell.exe
Token: SeRemoteShutdownPrivilege	312	powershell.exe
Token: SeUndockPrivilege	312	powershell.exe
Token: SeManageVolumePrivilege	312	powershell.exe
Token: 33	312	powershell.exe
Token: 34	312	powershell.exe
Token: 35	312	powershell.exe
Token: 36	312	powershell.exe
Token: SeDebugPrivilege	4304	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	6104	powershell.exe
Token: SeDebugPrivilege	928	abZ3xojSXqXpNm2sJfDrC8eU.exe
Token: SeImpersonatePrivilege	928	abZ3xojSXqXpNm2sJfDrC8eU.exe
Token: SeDebugPrivilege	4084	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Token: SeImpersonatePrivilege	4084	D1ZHSUlc2PSGZbgIkO9cdyi1.exe
Token: SeDebugPrivilege	932	FX8KDKs8rgsVsI5w54aVtzZU.exe
Token: SeImpersonatePrivilege	932	FX8KDKs8rgsVsI5w54aVtzZU.exe
Token: SeDebugPrivilege	3588	tRg9Nt2mHoO9J6k76VmEWM6y.exe
Token: SeImpersonatePrivilege	3588	tRg9Nt2mHoO9J6k76VmEWM6y.exe
Token: SeDebugPrivilege	5856	powershell.exe
Token: SeDebugPrivilege	5944	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	5304	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4520	u18k.1.exe
4520	u18k.1.exe
4520	u18k.1.exe
4520	u18k.1.exe
4520	u18k.1.exe
4520	u18k.1.exe
4520	u18k.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
4520	u18k.1.exe
4520	u18k.1.exe
4520	u18k.1.exe
4520	u18k.1.exe
4520	u18k.1.exe
4520	u18k.1.exe
4520	u18k.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 312	4920	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	75
PID 4920 wrote to memory of 312	4920	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	75
PID 4920 wrote to memory of 1580	4920	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	77
PID 4920 wrote to memory of 1580	4920	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	77
PID 4920 wrote to memory of 1580	4920	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	77
PID 4920 wrote to memory of 1580	4920	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	77
PID 4920 wrote to memory of 1580	4920	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	77
PID 4920 wrote to memory of 1580	4920	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	77
PID 4920 wrote to memory of 1580	4920	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	77
PID 4920 wrote to memory of 1580	4920	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	77
PID 1580 wrote to memory of 1604	1580	installutil.exe	81
PID 1580 wrote to memory of 1604	1580	installutil.exe	81
PID 1580 wrote to memory of 1604	1580	installutil.exe	81
PID 1580 wrote to memory of 928	1580	installutil.exe	82
PID 1580 wrote to memory of 928	1580	installutil.exe	82
PID 1580 wrote to memory of 928	1580	installutil.exe	82
PID 1580 wrote to memory of 4084	1580	installutil.exe	83
PID 1580 wrote to memory of 4084	1580	installutil.exe	83
PID 1580 wrote to memory of 4084	1580	installutil.exe	83
PID 1580 wrote to memory of 932	1580	installutil.exe	84
PID 1580 wrote to memory of 932	1580	installutil.exe	84
PID 1580 wrote to memory of 932	1580	installutil.exe	84
PID 1580 wrote to memory of 3588	1580	installutil.exe	85
PID 1580 wrote to memory of 3588	1580	installutil.exe	85
PID 1580 wrote to memory of 3588	1580	installutil.exe	85
PID 1580 wrote to memory of 3424	1580	installutil.exe	86
PID 1580 wrote to memory of 3424	1580	installutil.exe	86
PID 1580 wrote to memory of 3424	1580	installutil.exe	86
PID 1580 wrote to memory of 2188	1580	installutil.exe	87
PID 1580 wrote to memory of 2188	1580	installutil.exe	87
PID 1604 wrote to memory of 512	1604	s1Rpi6PadF8Drejj1cwzWcAZ.exe	90
PID 1604 wrote to memory of 512	1604	s1Rpi6PadF8Drejj1cwzWcAZ.exe	90
PID 1604 wrote to memory of 512	1604	s1Rpi6PadF8Drejj1cwzWcAZ.exe	90
PID 1604 wrote to memory of 4520	1604	s1Rpi6PadF8Drejj1cwzWcAZ.exe	92
PID 1604 wrote to memory of 4520	1604	s1Rpi6PadF8Drejj1cwzWcAZ.exe	92
PID 1604 wrote to memory of 4520	1604	s1Rpi6PadF8Drejj1cwzWcAZ.exe	92
PID 4520 wrote to memory of 4304	4520	u18k.1.exe	94
PID 4520 wrote to memory of 4304	4520	u18k.1.exe	94
PID 928 wrote to memory of 3624	928	abZ3xojSXqXpNm2sJfDrC8eU.exe	96
PID 928 wrote to memory of 3624	928	abZ3xojSXqXpNm2sJfDrC8eU.exe	96
PID 928 wrote to memory of 3624	928	abZ3xojSXqXpNm2sJfDrC8eU.exe	96
PID 4084 wrote to memory of 1296	4084	D1ZHSUlc2PSGZbgIkO9cdyi1.exe	97
PID 4084 wrote to memory of 1296	4084	D1ZHSUlc2PSGZbgIkO9cdyi1.exe	97
PID 4084 wrote to memory of 1296	4084	D1ZHSUlc2PSGZbgIkO9cdyi1.exe	97
PID 932 wrote to memory of 4284	932	FX8KDKs8rgsVsI5w54aVtzZU.exe	100
PID 932 wrote to memory of 4284	932	FX8KDKs8rgsVsI5w54aVtzZU.exe	100
PID 932 wrote to memory of 4284	932	FX8KDKs8rgsVsI5w54aVtzZU.exe	100
PID 3588 wrote to memory of 6104	3588	tRg9Nt2mHoO9J6k76VmEWM6y.exe	102
PID 3588 wrote to memory of 6104	3588	tRg9Nt2mHoO9J6k76VmEWM6y.exe	102
PID 3588 wrote to memory of 6104	3588	tRg9Nt2mHoO9J6k76VmEWM6y.exe	102
PID 6056 wrote to memory of 5856	6056	D1ZHSUlc2PSGZbgIkO9cdyi1.exe	112
PID 6056 wrote to memory of 5856	6056	D1ZHSUlc2PSGZbgIkO9cdyi1.exe	112
PID 6056 wrote to memory of 5856	6056	D1ZHSUlc2PSGZbgIkO9cdyi1.exe	112
PID 6088 wrote to memory of 5944	6088	abZ3xojSXqXpNm2sJfDrC8eU.exe	114
PID 6088 wrote to memory of 5944	6088	abZ3xojSXqXpNm2sJfDrC8eU.exe	114
PID 6088 wrote to memory of 5944	6088	abZ3xojSXqXpNm2sJfDrC8eU.exe	114
PID 6088 wrote to memory of 4680	6088	abZ3xojSXqXpNm2sJfDrC8eU.exe	116
PID 6088 wrote to memory of 4680	6088	abZ3xojSXqXpNm2sJfDrC8eU.exe	116
PID 4680 wrote to memory of 4600	4680	cmd.exe	118
PID 4680 wrote to memory of 4600	4680	cmd.exe	118
PID 6056 wrote to memory of 5096	6056	D1ZHSUlc2PSGZbgIkO9cdyi1.exe	119
PID 6056 wrote to memory of 5096	6056	D1ZHSUlc2PSGZbgIkO9cdyi1.exe	119
PID 5096 wrote to memory of 4356	5096	cmd.exe	121
PID 5096 wrote to memory of 4356	5096	cmd.exe	121

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe

C:\Users\Admin\AppData\Local\Temp\df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe
"C:\Users\Admin\AppData\Local\Temp\df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Users\Admin\Pictures\s1Rpi6PadF8Drejj1cwzWcAZ.exe
    "C:\Users\Admin\Pictures\s1Rpi6PadF8Drejj1cwzWcAZ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\u18k.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u18k.0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:512
  - - C:\Users\Admin\AppData\Local\Temp\u18k.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u18k.1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
- - C:\Users\Admin\Pictures\abZ3xojSXqXpNm2sJfDrC8eU.exe
    "C:\Users\Admin\Pictures\abZ3xojSXqXpNm2sJfDrC8eU.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3624
  - - C:\Users\Admin\Pictures\abZ3xojSXqXpNm2sJfDrC8eU.exe
      "C:\Users\Admin\Pictures\abZ3xojSXqXpNm2sJfDrC8eU.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:6088
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5944
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4680
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:4600
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
- - C:\Users\Admin\Pictures\D1ZHSUlc2PSGZbgIkO9cdyi1.exe
    "C:\Users\Admin\Pictures\D1ZHSUlc2PSGZbgIkO9cdyi1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1296
  - - C:\Users\Admin\Pictures\D1ZHSUlc2PSGZbgIkO9cdyi1.exe
      "C:\Users\Admin\Pictures\D1ZHSUlc2PSGZbgIkO9cdyi1.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:6056
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5856
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5096
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4356
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        
        PID:840
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1824
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:5472
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:4828
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1624
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5560
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:5732
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2980
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:4700
- - C:\Users\Admin\Pictures\FX8KDKs8rgsVsI5w54aVtzZU.exe
    "C:\Users\Admin\Pictures\FX8KDKs8rgsVsI5w54aVtzZU.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4284
  - - C:\Users\Admin\Pictures\FX8KDKs8rgsVsI5w54aVtzZU.exe
      "C:\Users\Admin\Pictures\FX8KDKs8rgsVsI5w54aVtzZU.exe"
      4⤵
      Executes dropped EXE
      PID:5076
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5304
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5820
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5460
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:68
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5276
- - C:\Users\Admin\Pictures\tRg9Nt2mHoO9J6k76VmEWM6y.exe
    "C:\Users\Admin\Pictures\tRg9Nt2mHoO9J6k76VmEWM6y.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6104
  - - C:\Users\Admin\Pictures\tRg9Nt2mHoO9J6k76VmEWM6y.exe
      "C:\Users\Admin\Pictures\tRg9Nt2mHoO9J6k76VmEWM6y.exe"
      4⤵
      Executes dropped EXE
      PID:5316
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6060
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2532
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5564
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4748
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4332
- - C:\Users\Admin\Pictures\TYTFUXCX0MfmLjYxHGto976i.exe
    "C:\Users\Admin\Pictures\TYTFUXCX0MfmLjYxHGto976i.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:3424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 492
      4⤵
      Program crash
      PID:5136
- - C:\Users\Admin\Pictures\4v86t109BX6i9v2AWh345NQS.exe
    "C:\Users\Admin\Pictures\4v86t109BX6i9v2AWh345NQS.exe"
    3⤵
    - Modifies firewall policy service
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2188

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1176

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c382e41256ab28ab513680fcef8b10ce

SHA1
5f8e2082b38e70f31989a866ffddc0d2439e41d8

SHA256
63159c89638cb6de8fb261d8f9cf942378538de464ea1d6535733a3d8253728f

SHA512
de4dff07e6bb7e4d3ad17fc52f1c02954e8dbde67a244aaad85d6609c8acd75c575843233ce59b12677377284744ecb98c77a2cb9437fa510ad9b34077fb58d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
5a7fa972c34019e04c8b27d026a81c6a

SHA1
23c7b9b2fd72b330c13ebc37205e9f9e2b1f20fd

SHA256
132f503b72e33323816d9e571225e66b92601734dfd22e32c03b2c42964ceffa

SHA512
0e7919a528184ddb96d6549c0f0578914b4330cdff0c64bd063dfba662cc5fd52c4c850ed6ffe0c4e1699fd55751ef7487079eaf278d63a50b4d149463eb0292

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lntwjqdy.biz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\u18k.0.exe

Filesize
206KB

MD5
0917be53327ea132956255dcab650a82

SHA1
b60818917f645a8a9af3b530e3ae37c1f002be2f

SHA256
211c34660898480e0777c6ef6f61bf2111f6550e00b40cab859543d567dc455a

SHA512
a72acc24ba813d983bbf2ecab7929d0aab4e25637ae43e85b973a5105429bd15c061415fd855737620caaf81b456b2d6ba57f85566245efbe5f8b5db5560932a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u18k.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\Pictures\4v86t109BX6i9v2AWh345NQS.exe

Filesize
2.8MB

MD5
d41fd1ea6e0ca0032be2174317f60fd8

SHA1
60f001b9d201259aa333e9b202e4ab5648d16bf3

SHA256
3c56d175e67df7e1664bbedd95abee57cf93a7aceaf80374ede4ce1fc4a30990

SHA512
a4ce799f1ce9157d053dcb1694dcb127d98e994eb55cecb484ace1c192cf80a1fbfb7b8de94851a49e915cafebc568f70ce07b912e5901387ed90639c692c16e

Download Submit
C:\Users\Admin\Pictures\D1ZHSUlc2PSGZbgIkO9cdyi1.exe

Filesize
4.1MB

MD5
0ed8d071deae90ff638cb070d0b9559d

SHA1
9b39b4703ccd78d9ca56bbf2f4c168d71a7bcfda

SHA256
691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99

SHA512
960a5a4e2b4f82bb7273cbab8bf622933c6e603cdc44b59b409c285b62c3a2c741bca7692ed77864520aa95c85a2f3fc31ddc9383caada588828d953346c2729

Download Submit
C:\Users\Admin\Pictures\TYTFUXCX0MfmLjYxHGto976i.exe

Filesize
213KB

MD5
718455b384af2a8caa79eca4c64b7d78

SHA1
84993e856abe4c3c90a61f95f02252dfbe94b356

SHA256
1e418b3dae341f3196b5c3c23cb11eb071dbb82c77ebef9badfd74e3ddea1aac

SHA512
46f51aa5f2fa32f597bbc6e6d375d8d0b9baa2fae2ec68a76fdba63e0d831a514658aa26c137657b8ad1ec653b1f4f5c728b3a61a40f0ba3e0b67a381d02537f

Download Submit
C:\Users\Admin\Pictures\abZ3xojSXqXpNm2sJfDrC8eU.exe

Filesize
4.1MB

MD5
f6156b63d313f7247432a693de39daef

SHA1
bff890bf23551db49d04af57779630bea35356a9

SHA256
f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620

SHA512
54c61e755d5661da14ebfef93b9fa61d02f59fb43edc1310cf21c0780479bc54be973836286f0d5104a946e9d511e94162d38e2a5471f0f386b7b7e396e7f759

Download Submit
C:\Users\Admin\Pictures\cLbbOzNtT0rbZmOTwUUgT13v.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\s1Rpi6PadF8Drejj1cwzWcAZ.exe

Filesize
384KB

MD5
f969256486cae8c6c357924481ec86ee

SHA1
95f91c8a6539700b4dd6077ba3a778c13bc72d4d

SHA256
d719fb243a6d2ad33a76aa78ee66f4763a36c78a2373a01de223fb5c27b722da

SHA512
106959ab072744ae5ce79cbc627040dbd32bb416407ca7d1f848ae49dbb609f900c0f34696fc5e30c5418d889b5c07b35d5a0f9b4f1be1e662621ba2c4491e16

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
59c655014ae6928ef4bfa426acaee3c3

SHA1
79c382cf784fd29c9d89ecf75189b62006e763f1

SHA256
0f3dc2c211a8d0de3a2a4978836fb365d002403d229ce312c0629c55af490d72

SHA512
4952db5f1a0243d8b78704c6f17baa8141c26c6bc9737e8392c59a6dcaa38f90e74247c8a634367378104b133864069d4bf83ba7346f97a1b79aa5a8fc58ba49

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
f5ffa22eec3fa50978b7e90c91936142

SHA1
699d094a39baff643e53df7c730cdeb7057091c8

SHA256
f3f7ff6e484c38240a3b01524253dc9e2576cbfa8a5fb94853df47cca46588a7

SHA512
cad8b04d3ed75dc9916bcd21578733671d445f70ad5736d1f0bc66cfec79a76b4849cf3118c6b2086e1a86eed382e8f61017d8e78187e4722619ee6ed8fda009

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
82c2e961dd088401da36584b1dbd1d12

SHA1
aa0a2baa9147bf5116a84085e4cd510054ac7f30

SHA256
a0adf9b8d7563f78a7111a2c3234c501c12cc2e5f1310a08f2f0f42bc7f45222

SHA512
c86b02d0786bd526083b3094a76453796e25906060c9a60eff901d4ebb0bf635eb07548566bee4306dd9a46534c740dccd30a63fc96082516eb92d12985bd83e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
c073f2d3c0362fdc379aec5358c9ac88

SHA1
2e183827173777f76d2b3ad494db8eb272d9e336

SHA256
7c77814284e52254246d82cb5043775c9517c4384f740e0171ccb9ede7fcea39

SHA512
de6b95415aca2c75cac6332632f29d09e40bfb0391aafa1568a50e0ae542abe489d7df30a3a5e47303632b2bc6107ac408ad8f722cb99581b512a15c9a749ea2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
9a550478474f4dd28a0666af4a11599b

SHA1
246b2a0e1cd2410c86220e4fd7a8f2c5bec50772

SHA256
4d94c5b941a1e72cc51d4244cf8a77f9e31f7d6105e6409658c7f2f862a4b675

SHA512
3f51675800c5319af45efc82866ca5740369c0a50ce3519484bea424ef4634d55b0bc9f8f0716ac387f91418248a2b14a073e7bf09edce7b8f9bf0a6cfa0adbd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
06f8529aa3905670786402638d729cf0

SHA1
45a83a46470685aa8346bb22200f9afe106bc2ad

SHA256
444a6b98b120a0fa5491e1f12ef70cd1eae4d1c1ef222eccf7ea7cf94e8a3217

SHA512
5c7e665d186a24cbc9125ac39f6196e9aa114dd98f2e7127340229f76b0e991d6e28f002923643b4b0fc4f8626daf57e2184270a2cc2fab4993336d858261b77

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
580038a5c3fc84d1d3e91902de7e0e57

SHA1
080717b5e6ccb9ddbd2ee809d315ebb2ce0d3916

SHA256
f7e3305fbe8222b2ba2e4e53924b56b08a194f920ecf8d01519e66e34d2316f8

SHA512
dc0cccdf892ec42ae193a314670b4f3143445e0d452cce0d448e24baa36dc4f3a8deb0d8b74cb31938d1eee58052aca7385f4f781813ced5f08fe76c08c8c8a9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
15eb67268e9ad6678d41b4c92a8440a6

SHA1
558e4d84f95b8af4660c8e3f3922087764d2b0a8

SHA256
5599dd06ae653933ce1d16e8774be56a6c2eb747ccd74f1832f452690a44c9e7

SHA512
ea44f64566b6785e8737105774dea152707304af6562da1abfe4725f769ac41912f5d41f6aff0cf97a4009c97c41295bb98a0ab0684fd66446aeed264a8b4c47

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
ff08d1ed2ea6ebc15189bc70aefe4861

SHA1
d8447fd0761330fa3f5343810ba3d3d31b499058

SHA256
66c200c11a4a0bc0e96f327a3d2bb5f2e60918f2363223253499463bc6dab343

SHA512
220cf2feb3ec0090597a54c9818c9b775301e5c0e7e671de2bbf9d597ba74e746f7720609cb7fc3e65a445b35632b154b3c9dfbe286679f602dff711972fe75c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
b9e5309cd0fc5a1d6c8c369bedbdb135

SHA1
ad77ae2f1290df0164928c3d28a6712816cf2a30

SHA256
0e98abc5670d62f4d4a021e013789dad906c765fb37c57eb6f425833b85c34e1

SHA512
e38157ca5f49470833449714109d13a7eddbb44949805c90dc6ffb50154acb0738f05f6f933092b54659e0c16f7f58b9a3b3575135dcf2db531da5acb867abb8

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/68-3349-0x0000000070020000-0x000000007006B000-memory.dmp

Filesize
300KB

Download
memory/68-3350-0x000000006E6F0000-0x000000006EA40000-memory.dmp

Filesize
3.3MB

Download
memory/312-13-0x00000202B67A0000-0x00000202B6816000-memory.dmp

Filesize
472KB

Download
memory/312-14-0x00007FFA39C90000-0x00007FFA3A67C000-memory.dmp

Filesize
9.9MB

Download
memory/312-9-0x00000202B65F0000-0x00000202B6612000-memory.dmp

Filesize
136KB

Download
memory/312-11-0x00007FFA39C90000-0x00007FFA3A67C000-memory.dmp

Filesize
9.9MB

Download
memory/312-27-0x00007FFA39C90000-0x00007FFA3A67C000-memory.dmp

Filesize
9.9MB

Download
memory/312-53-0x00007FFA39C90000-0x00007FFA3A67C000-memory.dmp

Filesize
9.9MB

Download
memory/512-2877-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/512-1409-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/512-1347-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/816-5031-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/840-5023-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/840-5010-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/928-203-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/928-1329-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/932-1332-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/932-207-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/1296-340-0x000000006F9B0000-0x000000006FD00000-memory.dmp

Filesize
3.3MB

Download
memory/1296-191-0x00000000051E0000-0x0000000005216000-memory.dmp

Filesize
216KB

Download
memory/1296-787-0x000000000A7C0000-0x000000000A7C8000-memory.dmp

Filesize
32KB

Download
memory/1296-339-0x000000006F870000-0x000000006F8BB000-memory.dmp

Filesize
300KB

Download
memory/1580-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1604-133-0x0000000000400000-0x0000000002B1E000-memory.dmp

Filesize
39.1MB

Download
memory/1604-138-0x0000000000400000-0x0000000002B1E000-memory.dmp

Filesize
39.1MB

Download
memory/1624-4561-0x000000006FD80000-0x000000006FDCB000-memory.dmp

Filesize
300KB

Download
memory/1624-4562-0x000000006F9B0000-0x000000006FD00000-memory.dmp

Filesize
3.3MB

Download
memory/1704-2396-0x000000006E6F0000-0x000000006EA40000-memory.dmp

Filesize
3.3MB

Download
memory/1704-2395-0x000000006F4A0000-0x000000006F4EB000-memory.dmp

Filesize
300KB

Download
memory/1824-4327-0x00000000093C0000-0x0000000009465000-memory.dmp

Filesize
660KB

Download
memory/1824-4302-0x00000000083C0000-0x000000000840B000-memory.dmp

Filesize
300KB

Download
memory/1824-4321-0x000000006FD80000-0x000000006FDCB000-memory.dmp

Filesize
300KB

Download
memory/1824-4322-0x000000006F9B0000-0x000000006FD00000-memory.dmp

Filesize
3.3MB

Download
memory/1856-1920-0x000000006E6F0000-0x000000006EA40000-memory.dmp

Filesize
3.3MB

Download
memory/1856-1919-0x000000006F4A0000-0x000000006F4EB000-memory.dmp

Filesize
300KB

Download
memory/2188-124-0x0000000140000000-0x000000014097B000-memory.dmp

Filesize
9.5MB

Download
memory/2188-114-0x0000000140000000-0x000000014097B000-memory.dmp

Filesize
9.5MB

Download
memory/3424-1339-0x0000000000400000-0x0000000002AF2000-memory.dmp

Filesize
38.9MB

Download
memory/3588-1336-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/3624-196-0x0000000006E10000-0x0000000006E76000-memory.dmp

Filesize
408KB

Download
memory/3624-204-0x0000000007720000-0x000000000773C000-memory.dmp

Filesize
112KB

Download
memory/3624-329-0x000000006F870000-0x000000006F8BB000-memory.dmp

Filesize
300KB

Download
memory/3624-778-0x0000000009CD0000-0x0000000009CEA000-memory.dmp

Filesize
104KB

Download
memory/3624-345-0x0000000009D70000-0x0000000009E04000-memory.dmp

Filesize
592KB

Download
memory/3624-282-0x0000000008D30000-0x0000000008DA6000-memory.dmp

Filesize
472KB

Download
memory/3624-332-0x000000006F9B0000-0x000000006FD00000-memory.dmp

Filesize
3.3MB

Download
memory/3624-333-0x0000000009AF0000-0x0000000009B0E000-memory.dmp

Filesize
120KB

Download
memory/3624-338-0x0000000009B50000-0x0000000009BF5000-memory.dmp

Filesize
660KB

Download
memory/3624-192-0x0000000006F40000-0x0000000007568000-memory.dmp

Filesize
6.2MB

Download
memory/3624-202-0x0000000007850000-0x0000000007BA0000-memory.dmp

Filesize
3.3MB

Download
memory/3624-195-0x0000000006CF0000-0x0000000006D56000-memory.dmp

Filesize
408KB

Download
memory/3624-328-0x0000000009B10000-0x0000000009B43000-memory.dmp

Filesize
204KB

Download
memory/3624-243-0x0000000008C70000-0x0000000008CAC000-memory.dmp

Filesize
240KB

Download
memory/3624-194-0x0000000006BD0000-0x0000000006BF2000-memory.dmp

Filesize
136KB

Download
memory/3624-206-0x00000000080A0000-0x00000000080EB000-memory.dmp

Filesize
300KB

Download
memory/4084-1325-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/4084-205-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/4284-828-0x000000006F9B0000-0x000000006FD00000-memory.dmp

Filesize
3.3MB

Download
memory/4284-827-0x000000006F870000-0x000000006F8BB000-memory.dmp

Filesize
300KB

Download
memory/4288-2627-0x000000006E6F0000-0x000000006EA40000-memory.dmp

Filesize
3.3MB

Download
memory/4288-2623-0x000000006F4A0000-0x000000006F4EB000-memory.dmp

Filesize
300KB

Download
memory/4304-193-0x00000186E6BB0000-0x00000186E6BBA000-memory.dmp

Filesize
40KB

Download
memory/4304-183-0x00000186E6BA0000-0x00000186E6BAA000-memory.dmp

Filesize
40KB

Download
memory/4304-176-0x00000186E2FB0000-0x00000186E67E4000-memory.dmp

Filesize
56.2MB

Download
memory/4304-177-0x00000186E9170000-0x00000186E927A000-memory.dmp

Filesize
1.0MB

Download
memory/4304-180-0x00000186E8CE0000-0x00000186E8CF4000-memory.dmp

Filesize
80KB

Download
memory/4304-181-0x00000186E8D50000-0x00000186E8D74000-memory.dmp

Filesize
144KB

Download
memory/4304-184-0x00000186E8DB0000-0x00000186E8DDA000-memory.dmp

Filesize
168KB

Download
memory/4304-186-0x00000186E9460000-0x00000186E94B0000-memory.dmp

Filesize
320KB

Download
memory/4304-211-0x00000186EE910000-0x00000186EE91A000-memory.dmp

Filesize
40KB

Download
memory/4304-222-0x00000186EEEE0000-0x00000186EF406000-memory.dmp

Filesize
5.1MB

Download
memory/4304-213-0x00000186EE990000-0x00000186EE9B2000-memory.dmp

Filesize
136KB

Download
memory/4304-200-0x00000186E94B0000-0x00000186E97B0000-memory.dmp

Filesize
3.0MB

Download
memory/4304-1177-0x00000186EE9D0000-0x00000186EE9EE000-memory.dmp

Filesize
120KB

Download
memory/4304-208-0x00000186ED0C0000-0x00000186ED0C8000-memory.dmp

Filesize
32KB

Download
memory/4304-212-0x00000186EE930000-0x00000186EE992000-memory.dmp

Filesize
392KB

Download
memory/4304-210-0x00000186ED7E0000-0x00000186ED7E8000-memory.dmp

Filesize
32KB

Download
memory/4304-209-0x00000186EE630000-0x00000186EE668000-memory.dmp

Filesize
224KB

Download
memory/4304-315-0x00000186EE920000-0x00000186EE92C000-memory.dmp

Filesize
48KB

Download
memory/4304-185-0x00000186E93B0000-0x00000186E9462000-memory.dmp

Filesize
712KB

Download
memory/4304-178-0x00000186E6C10000-0x00000186E6C20000-memory.dmp

Filesize
64KB

Download
memory/4304-1338-0x00000186E97B0000-0x00000186E9939000-memory.dmp

Filesize
1.5MB

Download
memory/4304-179-0x00000186E8CF0000-0x00000186E8CFC000-memory.dmp

Filesize
48KB

Download
memory/4332-4081-0x0000000008F20000-0x0000000008FC5000-memory.dmp

Filesize
660KB

Download
memory/4332-4075-0x0000000070020000-0x000000007006B000-memory.dmp

Filesize
300KB

Download
memory/4332-4076-0x000000006E6F0000-0x000000006EA40000-memory.dmp

Filesize
3.3MB

Download
memory/4516-2091-0x000000006F4A0000-0x000000006F4EB000-memory.dmp

Filesize
300KB

Download
memory/4516-2138-0x000000006E6F0000-0x000000006EA40000-memory.dmp

Filesize
3.3MB

Download
memory/4520-175-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4520-174-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4748-3605-0x000000006E6F0000-0x000000006EA40000-memory.dmp

Filesize
3.3MB

Download
memory/4748-3604-0x0000000070020000-0x000000007006B000-memory.dmp

Filesize
300KB

Download
memory/4920-3-0x00007FFA39C90000-0x00007FFA3A67C000-memory.dmp

Filesize
9.9MB

Download
memory/4920-122-0x00007FFA39C93000-0x00007FFA39C94000-memory.dmp

Filesize
4KB

Download
memory/4920-1-0x00007FFA39C93000-0x00007FFA39C94000-memory.dmp

Filesize
4KB

Download
memory/4920-123-0x00007FFA39C90000-0x00007FFA3A67C000-memory.dmp

Filesize
9.9MB

Download
memory/4920-2-0x000001A59A220000-0x000001A59A27E000-memory.dmp

Filesize
376KB

Download
memory/4920-0-0x000001A5FFA90000-0x000001A5FFABA000-memory.dmp

Filesize
168KB

Download
memory/5076-3432-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5076-4070-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5276-3696-0x0000000070020000-0x000000007006B000-memory.dmp

Filesize
300KB

Download
memory/5276-3697-0x000000006E6F0000-0x000000006EA40000-memory.dmp

Filesize
3.3MB

Download
memory/5304-2876-0x000000006E6F0000-0x000000006EA40000-memory.dmp

Filesize
3.3MB

Download
memory/5304-2882-0x00000000099B0000-0x0000000009A55000-memory.dmp

Filesize
660KB

Download
memory/5304-2875-0x000000006F4A0000-0x000000006F4EB000-memory.dmp

Filesize
300KB

Download
memory/5316-3433-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5316-4295-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5560-4800-0x000000006FD80000-0x000000006FDCB000-memory.dmp

Filesize
300KB

Download
memory/5856-1415-0x0000000007DB0000-0x0000000007DFB000-memory.dmp

Filesize
300KB

Download
memory/5856-1414-0x0000000007620000-0x0000000007970000-memory.dmp

Filesize
3.3MB

Download
memory/5856-1453-0x000000006F4A0000-0x000000006F4EB000-memory.dmp

Filesize
300KB

Download
memory/5856-1464-0x0000000008E00000-0x0000000008EA5000-memory.dmp

Filesize
660KB

Download
memory/5856-1455-0x000000006E6F0000-0x000000006EA40000-memory.dmp

Filesize
3.3MB

Download
memory/5944-1454-0x000000006E6F0000-0x000000006EA40000-memory.dmp

Filesize
3.3MB

Download
memory/5944-1452-0x000000006F4A0000-0x000000006F4EB000-memory.dmp

Filesize
300KB

Download
memory/6056-2637-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/6060-3099-0x0000000008670000-0x00000000086BB000-memory.dmp

Filesize
300KB

Download
memory/6060-3126-0x0000000009810000-0x00000000098B5000-memory.dmp

Filesize
660KB

Download
memory/6060-3121-0x000000006E6F0000-0x000000006EA40000-memory.dmp

Filesize
3.3MB

Download
memory/6060-3120-0x0000000070020000-0x000000007006B000-memory.dmp

Filesize
300KB

Download
memory/6088-2848-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/6104-1101-0x000000006F870000-0x000000006F8BB000-memory.dmp

Filesize
300KB

Download
memory/6104-1102-0x000000006F9B0000-0x000000006FD00000-memory.dmp

Filesize
3.3MB

Download