glupteba | 8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913

Analysis

max time kernel
138s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6078bbecc15a333c6171debc4488498.exe
Size

389KB
MD5

d6078bbecc15a333c6171debc4488498
SHA1

ca57a639ec0fc1a6489b69278478c5845a4c046b
SHA256

8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913
SHA512

912f67baa141bb846a12568c94d5dfbd6d6cdefe0a036a9249accd83e9ee460bc8863758c8bd5cdac7a0af3f481194b57ef414378ebb400967579ba6d736469e
SSDEEP

6144:vLFJaFBq+TaKqqrlBLSIOHGt8i3/gmjX/RBdRP2gjycIeVMO+ZyeR:vOlldCGt//gmjXjdR+KjFVMPZN

Score

10^/10

glupteba privateloader zgrat discovery dropper evasion execution loader rat spyware stealer themida trojan

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/4520-332-0x000002735F9E0000-0x0000027363214000-memory.dmp	family_zgrat_v1
behavioral2/memory/4520-337-0x000002737D9A0000-0x000002737D9C4000-memory.dmp	family_zgrat_v1
behavioral2/memory/4520-333-0x000002737DBF0000-0x000002737DCFA000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 5 IoCs

resource	yara_rule
behavioral2/memory/2240-279-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/244-280-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/3936-282-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/1224-281-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/1224-298-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	ub3dpREG7Tcuj2uRy2diwUGo.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6078bbecc15a333c6171debc4488498.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	d6078bbecc15a333c6171debc4488498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe = "0"	d6078bbecc15a333c6171debc4488498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	ub3dpREG7Tcuj2uRy2diwUGo.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ub3dpREG7Tcuj2uRy2diwUGo.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
864	powershell.exe
4408	powershell.exe
2924	powershell.exe
1428	powershell.exe
3864	powershell.exe
2992	powershell.exe
1120	powershell.exe
228	powershell.exe
3652	powershell.exe
2896	powershell.exe
640	powershell.exe
3436	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
612	netsh.exe
3100	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ub3dpREG7Tcuj2uRy2diwUGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ub3dpREG7Tcuj2uRy2diwUGo.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	d6078bbecc15a333c6171debc4488498.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	zEPbmh410knZcspyfGDS7ORv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	u2g4.1.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XSL75Dp8X5GvcCSscAgMff6t.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hCJWlBKjXo5Oob92l9foUS1J.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tLX6e4KApytTPZefSa8PPI7v.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqbWpY8aUPcYDuPjF1g7pqRG.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ga59klDFaLgG33dY8jiOzth2.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2X5ZHEh06YcWQbzIqdRD9re3.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xch3oM5lwdWLIvzlicgaJnAa.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\50SLWprzYHmxenwhmKGlIhTj.bat	jsc.exe

Executes dropped EXE 13 IoCs

pid	Process
3172	zEPbmh410knZcspyfGDS7ORv.exe
2240	2oyXsl7pvbVirJgqH7QUtCPr.exe
244	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
1224	9vbvS6oLRF12GScdDI45jaXw.exe
3936	ccoo5BlZcHqJPIQURYx78bxz.exe
1140	ub3dpREG7Tcuj2uRy2diwUGo.exe
4240	hFyK7KqQVxnK605yowtvP7UA.exe
392	u2g4.0.exe
3012	u2g4.1.exe
5044	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
788	2oyXsl7pvbVirJgqH7QUtCPr.exe
1820	ccoo5BlZcHqJPIQURYx78bxz.exe
2352	9vbvS6oLRF12GScdDI45jaXw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0007000000023415-108.dat	themida
behavioral2/memory/1140-115-0x0000000140000000-0x000000014097B000-memory.dmp	themida
behavioral2/memory/1140-137-0x0000000140000000-0x000000014097B000-memory.dmp	themida

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	d6078bbecc15a333c6171debc4488498.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	d6078bbecc15a333c6171debc4488498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe = "0"	d6078bbecc15a333c6171debc4488498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	ub3dpREG7Tcuj2uRy2diwUGo.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6078bbecc15a333c6171debc4488498.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ub3dpREG7Tcuj2uRy2diwUGo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d6078bbecc15a333c6171debc4488498.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	pastebin.com
28	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
62	ipinfo.io
63	ipinfo.io
58	api.myip.com
59	api.myip.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	ub3dpREG7Tcuj2uRy2diwUGo.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	ub3dpREG7Tcuj2uRy2diwUGo.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	ub3dpREG7Tcuj2uRy2diwUGo.exe
File opened for modification	C:\Windows\System32\GroupPolicy	ub3dpREG7Tcuj2uRy2diwUGo.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1140	ub3dpREG7Tcuj2uRy2diwUGo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 716 set thread context of 4332	716	d6078bbecc15a333c6171debc4488498.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2676	4240	WerFault.exe	112
3996	392	WerFault.exe	122

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hFyK7KqQVxnK605yowtvP7UA.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hFyK7KqQVxnK605yowtvP7UA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2g4.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2g4.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2g4.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hFyK7KqQVxnK605yowtvP7UA.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u2g4.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u2g4.0.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	EEyBniRdBsZC5mxxZLlQ4Fr2.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
3436	powershell.exe
3436	powershell.exe
228	powershell.exe
228	powershell.exe
2924	powershell.exe
2924	powershell.exe
228	powershell.exe
2924	powershell.exe
3652	powershell.exe
3652	powershell.exe
3652	powershell.exe
2240	2oyXsl7pvbVirJgqH7QUtCPr.exe
2240	2oyXsl7pvbVirJgqH7QUtCPr.exe
244	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
244	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
3936	ccoo5BlZcHqJPIQURYx78bxz.exe
3936	ccoo5BlZcHqJPIQURYx78bxz.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1224	9vbvS6oLRF12GScdDI45jaXw.exe
1224	9vbvS6oLRF12GScdDI45jaXw.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
392	u2g4.0.exe
392	u2g4.0.exe
3864	powershell.exe
3864	powershell.exe
3864	powershell.exe
2992	powershell.exe
2992	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	4332	jsc.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	2240	2oyXsl7pvbVirJgqH7QUtCPr.exe
Token: SeImpersonatePrivilege	2240	2oyXsl7pvbVirJgqH7QUtCPr.exe
Token: SeDebugPrivilege	244	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Token: SeImpersonatePrivilege	244	EEyBniRdBsZC5mxxZLlQ4Fr2.exe
Token: SeDebugPrivilege	3936	ccoo5BlZcHqJPIQURYx78bxz.exe
Token: SeImpersonatePrivilege	3936	ccoo5BlZcHqJPIQURYx78bxz.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	1224	9vbvS6oLRF12GScdDI45jaXw.exe
Token: SeImpersonatePrivilege	1224	9vbvS6oLRF12GScdDI45jaXw.exe
Token: SeDebugPrivilege	4520	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3012	u2g4.1.exe
3012	u2g4.1.exe
3012	u2g4.1.exe
3012	u2g4.1.exe
3012	u2g4.1.exe
3012	u2g4.1.exe
3012	u2g4.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3012	u2g4.1.exe
3012	u2g4.1.exe
3012	u2g4.1.exe
3012	u2g4.1.exe
3012	u2g4.1.exe
3012	u2g4.1.exe
3012	u2g4.1.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 3436	716	d6078bbecc15a333c6171debc4488498.exe	93
PID 716 wrote to memory of 3436	716	d6078bbecc15a333c6171debc4488498.exe	93
PID 716 wrote to memory of 4332	716	d6078bbecc15a333c6171debc4488498.exe	95
PID 716 wrote to memory of 4332	716	d6078bbecc15a333c6171debc4488498.exe	95
PID 716 wrote to memory of 4332	716	d6078bbecc15a333c6171debc4488498.exe	95
PID 716 wrote to memory of 4332	716	d6078bbecc15a333c6171debc4488498.exe	95
PID 716 wrote to memory of 4332	716	d6078bbecc15a333c6171debc4488498.exe	95
PID 716 wrote to memory of 4332	716	d6078bbecc15a333c6171debc4488498.exe	95
PID 716 wrote to memory of 4332	716	d6078bbecc15a333c6171debc4488498.exe	95
PID 716 wrote to memory of 4332	716	d6078bbecc15a333c6171debc4488498.exe	95
PID 716 wrote to memory of 4800	716	d6078bbecc15a333c6171debc4488498.exe	96
PID 716 wrote to memory of 4800	716	d6078bbecc15a333c6171debc4488498.exe	96
PID 716 wrote to memory of 4800	716	d6078bbecc15a333c6171debc4488498.exe	96
PID 4332 wrote to memory of 3172	4332	jsc.exe	102
PID 4332 wrote to memory of 3172	4332	jsc.exe	102
PID 4332 wrote to memory of 3172	4332	jsc.exe	102
PID 4332 wrote to memory of 2240	4332	jsc.exe	103
PID 4332 wrote to memory of 2240	4332	jsc.exe	103
PID 4332 wrote to memory of 2240	4332	jsc.exe	103
PID 4332 wrote to memory of 244	4332	jsc.exe	104
PID 4332 wrote to memory of 244	4332	jsc.exe	104
PID 4332 wrote to memory of 244	4332	jsc.exe	104
PID 4332 wrote to memory of 1224	4332	jsc.exe	105
PID 4332 wrote to memory of 1224	4332	jsc.exe	105
PID 4332 wrote to memory of 1224	4332	jsc.exe	105
PID 4332 wrote to memory of 3936	4332	jsc.exe	106
PID 4332 wrote to memory of 3936	4332	jsc.exe	106
PID 4332 wrote to memory of 3936	4332	jsc.exe	106
PID 4332 wrote to memory of 1140	4332	jsc.exe	108
PID 4332 wrote to memory of 1140	4332	jsc.exe	108
PID 4332 wrote to memory of 4240	4332	jsc.exe	112
PID 4332 wrote to memory of 4240	4332	jsc.exe	112
PID 4332 wrote to memory of 4240	4332	jsc.exe	112
PID 2240 wrote to memory of 2924	2240	2oyXsl7pvbVirJgqH7QUtCPr.exe	116
PID 2240 wrote to memory of 2924	2240	2oyXsl7pvbVirJgqH7QUtCPr.exe	116
PID 2240 wrote to memory of 2924	2240	2oyXsl7pvbVirJgqH7QUtCPr.exe	116
PID 244 wrote to memory of 228	244	EEyBniRdBsZC5mxxZLlQ4Fr2.exe	117
PID 244 wrote to memory of 228	244	EEyBniRdBsZC5mxxZLlQ4Fr2.exe	117
PID 244 wrote to memory of 228	244	EEyBniRdBsZC5mxxZLlQ4Fr2.exe	117
PID 3936 wrote to memory of 3652	3936	ccoo5BlZcHqJPIQURYx78bxz.exe	120
PID 3936 wrote to memory of 3652	3936	ccoo5BlZcHqJPIQURYx78bxz.exe	120
PID 3936 wrote to memory of 3652	3936	ccoo5BlZcHqJPIQURYx78bxz.exe	120
PID 3172 wrote to memory of 392	3172	zEPbmh410knZcspyfGDS7ORv.exe	122
PID 3172 wrote to memory of 392	3172	zEPbmh410knZcspyfGDS7ORv.exe	122
PID 3172 wrote to memory of 392	3172	zEPbmh410knZcspyfGDS7ORv.exe	122
PID 3172 wrote to memory of 3012	3172	zEPbmh410knZcspyfGDS7ORv.exe	124
PID 3172 wrote to memory of 3012	3172	zEPbmh410knZcspyfGDS7ORv.exe	124
PID 3172 wrote to memory of 3012	3172	zEPbmh410knZcspyfGDS7ORv.exe	124
PID 1224 wrote to memory of 1428	1224	9vbvS6oLRF12GScdDI45jaXw.exe	130
PID 1224 wrote to memory of 1428	1224	9vbvS6oLRF12GScdDI45jaXw.exe	130
PID 1224 wrote to memory of 1428	1224	9vbvS6oLRF12GScdDI45jaXw.exe	130
PID 3012 wrote to memory of 4520	3012	u2g4.1.exe	133
PID 3012 wrote to memory of 4520	3012	u2g4.1.exe	133
PID 5044 wrote to memory of 3864	5044	EEyBniRdBsZC5mxxZLlQ4Fr2.exe	138
PID 5044 wrote to memory of 3864	5044	EEyBniRdBsZC5mxxZLlQ4Fr2.exe	138
PID 5044 wrote to memory of 3864	5044	EEyBniRdBsZC5mxxZLlQ4Fr2.exe	138
PID 788 wrote to memory of 2992	788	2oyXsl7pvbVirJgqH7QUtCPr.exe	140
PID 788 wrote to memory of 2992	788	2oyXsl7pvbVirJgqH7QUtCPr.exe	140
PID 788 wrote to memory of 2992	788	2oyXsl7pvbVirJgqH7QUtCPr.exe	140

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6078bbecc15a333c6171debc4488498.exe

C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe
"C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe"
1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe
    "C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 2008
        5⤵
        Program crash
        
        PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
- - C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe
    "C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2924
  - - C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe
      "C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:3732
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3100
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:864
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2896
- - C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe
    "C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:244
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:228
  - - C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe
      "C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3864
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1532
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:612
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1120
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4408
- - C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe
    "C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1428
  - - C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe
      "C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe"
      4⤵
      Executes dropped EXE
      PID:2352
- - C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe
    "C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3652
  - - C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe
      "C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe"
      4⤵
      Executes dropped EXE
      PID:1820
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:640
- - C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe
    "C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe"
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1140
- - C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe
    "C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 356
      4⤵
      Program crash
      PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:4800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4240 -ip 4240
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 392 -ip 392
1⤵
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a6ea7bfcd3aac150c0caef765cb52281

SHA1
037dc22c46a0eb0b9ad4c74088129e387cffe96b

SHA256
f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9

SHA512
c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
46a4f71e5629582262e5f05e655db5c9

SHA1
4879a9089582e792416a3acec38873ac7051b6da

SHA256
673d9ce3dc01edcae12b4086ae15d6bfe0387248fc2dc02ce8faff4c20a666d6

SHA512
70a54fe357627c1342dcee851e37cebe3c8af94c858391a22db212da66801ba0b4627c7edc0a9d3bed66bd16440afe0adb0a0f3e9b426bd0e7bd16719f50c6fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
c68f749c595bf5c0ad71f7604c7b0cdb

SHA1
18dd0f6de70826f5c49c82792bb8ac9b28fb6f32

SHA256
60751e4bed7352036d20ecc7938098fec4775822de4033211b2aa452cadd5a43

SHA512
fd2880d78e8b905310d2ba8075ba791fd31b0443221664a760d95a5ef8b83f0b75f06091e535313ce3f306bb9ac4bfd2d676ccda5530e0d15164b3df7a2bdd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kjmbdxdt.onr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
a4db32123183147315cead49e5dc7e50

SHA1
82ec33edbfe8991f3bff76015f18122cbb2a8dbe

SHA256
01f95fb835e593bb0ba455e11495b38879b0cf5425357386986aa8351373995e

SHA512
4106a2551ed5268867110e6ecc2b32f7ca21ea5463c7954fc2ffcdfd915702f310534975c77dcf7c5d09817d07fb1c8ac7cf1db9ec82968df9051b8d09383e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
0e4cb70ab5a08154c9b41f1d2a9f47ed

SHA1
3dabc6decfd17b43882a309f0282406319dfae14

SHA256
7fd93184220879869ac10380d0d0bd8892586491cae5c94957651e9dde0e3d0a

SHA512
3f77f89d65acf37081dcf1c8c31f0c65851456233bbfe613aa35feccfa36179b4375686f25ad27804e5ec78e9a062e9b48e7cbc6c9c3c7df25bcf8ae96c82684

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe

Filesize
206KB

MD5
a33065159222d4c22e581ea419285701

SHA1
6297d390c9d8c3b8c3340d8d38d46c1bbf32d354

SHA256
ddf2f47cbc0db66b326be096b46854a6ab59a2504688077bba0bbb42c4470ae2

SHA512
2860dab79524b7db3f0b7771b8d402905a8096653d1c83e49e3827bb7cd739104848b691be16fbd898b81bfd4fcdd827fc4c8f72da6e91d565f02e59f5725f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe

Filesize
4.1MB

MD5
34e8369309638e9468c65df8d546e9ec

SHA1
f6296bdb66b9f188a9093d0f2e3edaf3dfd5ed9f

SHA256
bc09d4cc90b0e7b582c6ed7010277377aff00042d7469cb2e9f11f775cef4605

SHA512
b792981f6e855fcab23dbb078f5aa2398c6c4175b4b151a656174b756de936bc388d2fa2c8432a9b9120256e5db9ebbfca38a12d60bc085f744988ef1a726c48

Download Submit
C:\Users\Admin\Pictures\Ck5ne28mgyQKG6rKTaldVLnh.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe

Filesize
4.1MB

MD5
b4edadf4b8fc4c176cef6830ab7d3177

SHA1
6f93a98295f5b4a514870db5c50d000f3d644264

SHA256
241ec7b24544cef6c5762622c25c91621f0dd20c9154dcf20c83932d2c3496e5

SHA512
dc727e1cbe252fdfbc866ac4dad3d256038535b32d437d8d17e537c8723b1b8f51da6e0de4a7ac53295cf091fcf93591907f1bd2487618c542bc96e8616232dc

Download Submit
C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe

Filesize
211KB

MD5
6b605b6ca55b36b604074259dc4900cd

SHA1
34c783dd19894549b7c5acc4510e273833ed7e87

SHA256
e87f2fecb67fc73a90a1970615f0001bd762af53782ca23f4ab7f99e8c5164d0

SHA512
ed9ae702d705d7129da7f424fbd0f42b74938041dd30f7d3c6f0b976cb1e42afe14029306c21b35f32293f9354902119b491e2acc4abed2a2a3dd668d82d4f3c

Download Submit
C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe

Filesize
2.8MB

MD5
d41fd1ea6e0ca0032be2174317f60fd8

SHA1
60f001b9d201259aa333e9b202e4ab5648d16bf3

SHA256
3c56d175e67df7e1664bbedd95abee57cf93a7aceaf80374ede4ce1fc4a30990

SHA512
a4ce799f1ce9157d053dcb1694dcb127d98e994eb55cecb484ace1c192cf80a1fbfb7b8de94851a49e915cafebc568f70ce07b912e5901387ed90639c692c16e

Download Submit
C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe

Filesize
384KB

MD5
8ff1083b2490429a4ea0ecf8f5542c8c

SHA1
70ebf9b87666aab4db253e98e845ea440602a4cc

SHA256
e43535ac108378521826695ae572ea24b4cde1a78b0016d3b5ebe82ff5934535

SHA512
c2f4d386f0b46ed9ed0716e3df086afb3ed360ea3afb74cb3dc0369311088332ae037269575722d5f60a12be9a242f505d32440ed294ad5170ec315c588b3c5c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
62413e2f215769b4ac2949e5199f26ab

SHA1
a9a2fce39fae107a0024433c180b60e6626e0f17

SHA256
be425c1030f2a70de4f59b8481e292110a73e7326640b0a69bc47e86a75e3983

SHA512
4ecbe548db9fd63bde2771ec6b72ec3d8455e661763666611921764590eb5d02c910cac98df1554600620178f235302e438cbcdf01bf6bcf8b7e4088fc3ce6f5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b3f201f681dcef7b67772facc4f4c55b

SHA1
ec5bfebd3123c092c2f6b3572c094518e9766bae

SHA256
f63f89c74b2bfb5b779b60767894ea904e2fc1c73d624807f5929d793e042710

SHA512
b9b395fb56a50815063b2b68f655ec695e8f148ba8abd188668ba723ba5ccb81f505d87b4b29cd30aca39bdf971bc5e34a6ddef1ce1acf97a8f2a05c05ed65d5

Download Submit
memory/228-205-0x0000000007A70000-0x0000000007B13000-memory.dmp

Filesize
652KB

Download
memory/228-204-0x0000000007A50000-0x0000000007A6E000-memory.dmp

Filesize
120KB

Download
memory/228-143-0x00000000053E0000-0x0000000005402000-memory.dmp

Filesize
136KB

Download
memory/228-144-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/228-145-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/228-164-0x0000000005EE0000-0x0000000006234000-memory.dmp

Filesize
3.3MB

Download
memory/228-166-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/228-167-0x0000000006A90000-0x0000000006ADC000-memory.dmp

Filesize
304KB

Download
memory/228-249-0x0000000007C10000-0x0000000007C18000-memory.dmp

Filesize
32KB

Download
memory/228-179-0x0000000007680000-0x00000000076C4000-memory.dmp

Filesize
272KB

Download
memory/228-189-0x00000000077D0000-0x0000000007846000-memory.dmp

Filesize
472KB

Download
memory/228-190-0x0000000007ED0000-0x000000000854A000-memory.dmp

Filesize
6.5MB

Download
memory/228-191-0x0000000007870000-0x000000000788A000-memory.dmp

Filesize
104KB

Download
memory/228-193-0x0000000070380000-0x00000000703CC000-memory.dmp

Filesize
304KB

Download
memory/228-194-0x000000006FFF0000-0x0000000070344000-memory.dmp

Filesize
3.3MB

Download
memory/228-192-0x0000000007A10000-0x0000000007A42000-memory.dmp

Filesize
200KB

Download
memory/228-248-0x0000000007CD0000-0x0000000007CEA000-memory.dmp

Filesize
104KB

Download
memory/228-247-0x0000000007BE0000-0x0000000007BF4000-memory.dmp

Filesize
80KB

Download
memory/228-246-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

Filesize
56KB

Download
memory/228-142-0x00000000056D0000-0x0000000005CF8000-memory.dmp

Filesize
6.2MB

Download
memory/244-280-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/392-412-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/716-21-0x00007FFCC05B0000-0x00007FFCC1071000-memory.dmp

Filesize
10.8MB

Download
memory/716-0-0x00007FFCC05B3000-0x00007FFCC05B5000-memory.dmp

Filesize
8KB

Download
memory/716-1-0x000001F0A75A0000-0x000001F0A75AA000-memory.dmp

Filesize
40KB

Download
memory/716-2-0x000001F0C19C0000-0x000001F0C1A1E000-memory.dmp

Filesize
376KB

Download
memory/716-3-0x00007FFCC05B0000-0x00007FFCC1071000-memory.dmp

Filesize
10.8MB

Download
memory/864-567-0x000000006FED0000-0x000000006FF1C000-memory.dmp

Filesize
304KB

Download
memory/864-568-0x0000000070070000-0x00000000703C4000-memory.dmp

Filesize
3.3MB

Download
memory/1120-555-0x0000000070070000-0x00000000703C4000-memory.dmp

Filesize
3.3MB

Download
memory/1120-554-0x000000006FED0000-0x000000006FF1C000-memory.dmp

Filesize
304KB

Download
memory/1120-578-0x0000000006740000-0x0000000006754000-memory.dmp

Filesize
80KB

Download
memory/1120-543-0x0000000006EC0000-0x0000000006F0C000-memory.dmp

Filesize
304KB

Download
memory/1120-537-0x0000000006250000-0x00000000065A4000-memory.dmp

Filesize
3.3MB

Download
memory/1120-566-0x0000000006700000-0x0000000006711000-memory.dmp

Filesize
68KB

Download
memory/1120-565-0x0000000007B90000-0x0000000007C33000-memory.dmp

Filesize
652KB

Download
memory/1140-115-0x0000000140000000-0x000000014097B000-memory.dmp

Filesize
9.5MB

Download
memory/1140-137-0x0000000140000000-0x000000014097B000-memory.dmp

Filesize
9.5MB

Download
memory/1224-298-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/1224-281-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/1428-285-0x000000006FEA0000-0x00000000701F4000-memory.dmp

Filesize
3.3MB

Download
memory/1428-284-0x0000000070380000-0x00000000703CC000-memory.dmp

Filesize
304KB

Download
memory/1428-276-0x00000000057D0000-0x0000000005B24000-memory.dmp

Filesize
3.3MB

Download
memory/2240-279-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/2896-611-0x0000000070070000-0x00000000703C4000-memory.dmp

Filesize
3.3MB

Download
memory/2896-610-0x000000006FED0000-0x000000006FF1C000-memory.dmp

Filesize
304KB

Download
memory/2924-217-0x00000000074D0000-0x00000000074DA000-memory.dmp

Filesize
40KB

Download
memory/2924-207-0x000000006FFF0000-0x0000000070344000-memory.dmp

Filesize
3.3MB

Download
memory/2924-218-0x0000000007590000-0x0000000007626000-memory.dmp

Filesize
600KB

Download
memory/2924-219-0x00000000074F0000-0x0000000007501000-memory.dmp

Filesize
68KB

Download
memory/2924-141-0x0000000002790000-0x00000000027C6000-memory.dmp

Filesize
216KB

Download
memory/2924-206-0x0000000070380000-0x00000000703CC000-memory.dmp

Filesize
304KB

Download
memory/2992-515-0x000000006F8E0000-0x000000006F92C000-memory.dmp

Filesize
304KB

Download
memory/2992-516-0x000000006F930000-0x000000006FC84000-memory.dmp

Filesize
3.3MB

Download
memory/3012-330-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3172-278-0x0000000000400000-0x0000000002B1E000-memory.dmp

Filesize
39.1MB

Download
memory/3436-15-0x00007FFCC05B0000-0x00007FFCC1071000-memory.dmp

Filesize
10.8MB

Download
memory/3436-20-0x00007FFCC05B0000-0x00007FFCC1071000-memory.dmp

Filesize
10.8MB

Download
memory/3436-17-0x00007FFCC05B0000-0x00007FFCC1071000-memory.dmp

Filesize
10.8MB

Download
memory/3436-16-0x00007FFCC05B0000-0x00007FFCC1071000-memory.dmp

Filesize
10.8MB

Download
memory/3436-5-0x000001F4B48D0000-0x000001F4B48F2000-memory.dmp

Filesize
136KB

Download
memory/3652-234-0x0000000070380000-0x00000000703CC000-memory.dmp

Filesize
304KB

Download
memory/3652-235-0x000000006FFF0000-0x0000000070344000-memory.dmp

Filesize
3.3MB

Download
memory/3864-411-0x0000000006320000-0x000000000636C000-memory.dmp

Filesize
304KB

Download
memory/3864-475-0x00000000072A0000-0x00000000072B1000-memory.dmp

Filesize
68KB

Download
memory/3864-452-0x000000006F930000-0x000000006FC84000-memory.dmp

Filesize
3.3MB

Download
memory/3864-462-0x0000000006DC0000-0x0000000006E63000-memory.dmp

Filesize
652KB

Download
memory/3864-451-0x000000006F8E0000-0x000000006F92C000-memory.dmp

Filesize
304KB

Download
memory/3864-495-0x00000000072F0000-0x0000000007304000-memory.dmp

Filesize
80KB

Download
memory/3864-410-0x0000000005950000-0x0000000005CA4000-memory.dmp

Filesize
3.3MB

Download
memory/3936-282-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/4240-369-0x0000000000400000-0x0000000002AF2000-memory.dmp

Filesize
38.9MB

Download
memory/4332-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4520-347-0x000002737DF10000-0x000002737E210000-memory.dmp

Filesize
3.0MB

Download
memory/4520-361-0x000002737E230000-0x000002737E24E000-memory.dmp

Filesize
120KB

Download
memory/4520-359-0x0000027303300000-0x000002730330C000-memory.dmp

Filesize
48KB

Download
memory/4520-356-0x0000027303B50000-0x0000027304078000-memory.dmp

Filesize
5.2MB

Download
memory/4520-353-0x0000027303580000-0x000002730358A000-memory.dmp

Filesize
40KB

Download
memory/4520-354-0x00000273035A0000-0x0000027303602000-memory.dmp

Filesize
392KB

Download
memory/4520-355-0x0000027303600000-0x0000027303622000-memory.dmp

Filesize
136KB

Download
memory/4520-350-0x000002737FE50000-0x000002737FE88000-memory.dmp

Filesize
224KB

Download
memory/4520-351-0x000002737FB70000-0x000002737FB7E000-memory.dmp

Filesize
56KB

Download
memory/4520-352-0x000002737FB80000-0x000002737FB88000-memory.dmp

Filesize
32KB

Download
memory/4520-332-0x000002735F9E0000-0x0000027363214000-memory.dmp

Filesize
56.2MB

Download
memory/4520-360-0x000002737FF10000-0x000002737FF86000-memory.dmp

Filesize
472KB

Download
memory/4520-342-0x000002737DEC0000-0x000002737DF10000-memory.dmp

Filesize
320KB

Download
memory/4520-341-0x000002737DE40000-0x000002737DE6A000-memory.dmp

Filesize
168KB

Download
memory/4520-343-0x0000027365040000-0x000002736504A000-memory.dmp

Filesize
40KB

Download
memory/4520-340-0x000002737DB10000-0x000002737DBC2000-memory.dmp

Filesize
712KB

Download
memory/4520-339-0x0000027365030000-0x000002736503A000-memory.dmp

Filesize
40KB

Download
memory/4520-333-0x000002737DBF0000-0x000002737DCFA000-memory.dmp

Filesize
1.0MB

Download
memory/4520-334-0x0000027363640000-0x0000027363650000-memory.dmp

Filesize
64KB

Download
memory/4520-335-0x0000027365060000-0x000002736506C000-memory.dmp

Filesize
48KB

Download
memory/4520-337-0x000002737D9A0000-0x000002737D9C4000-memory.dmp

Filesize
144KB

Download
memory/4520-368-0x0000027363660000-0x00000273636FA000-memory.dmp

Filesize
616KB

Download
memory/4520-336-0x0000027365050000-0x0000027365064000-memory.dmp

Filesize
80KB

Download
memory/4520-349-0x000002737FB60000-0x000002737FB68000-memory.dmp

Filesize
32KB

Download