zgrat | c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70

max time kernel
1794s
max time network
1801s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

347KB
MD5

1cb742cb95699d994e1cc6810c6f7642
SHA1

103ea603322859742a3e51c5e517a927b9dcd40c
SHA256

c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70
SHA512

79f9a70232b3470ef9386d9b3d987b5370d0562959315d8239509000a1aa9274b13cecc4c6c871cd4d258a0cd19d30574e3280edd54fb108b6ffca7d8c7e4795
SSDEEP

6144:RrwFDD0tZzmf7GxMLEYaEzE2d9JK5/J1pZKM35QM6KkfiruhbOuzB:Rg07e7seE2dK71rKu5Q6kfirIbOuF

Score

10^/10

zgrat evasion execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 7 IoCs

Processes:

resource	yara_rule
behavioral3/files/0x0009000000023418-8.dat	family_zgrat_v1
behavioral3/files/0x0004000000021ebc-25.dat	family_zgrat_v1
behavioral3/memory/5336-26-0x0000000000B10000-0x0000000000EB2000-memory.dmp	family_zgrat_v1
behavioral3/files/0x0008000000023390-388.dat	family_zgrat_v1
behavioral3/files/0x001b0000000229cb-391.dat	family_zgrat_v1
behavioral3/files/0x001b0000000229cb-390.dat	family_zgrat_v1
behavioral3/files/0x0008000000023390-571.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\sihost.exe\", \"C:\\Windows\\Offline Web Pages\\unsecapp.exe\", \"C:\\blockcontainerWincrtdll\\wininit.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\sihost.exe\", \"C:\\Windows\\Offline Web Pages\\unsecapp.exe\", \"C:\\blockcontainerWincrtdll\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\sihost.exe\", \"C:\\Windows\\Offline Web Pages\\unsecapp.exe\", \"C:\\blockcontainerWincrtdll\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\Microsoft.NET\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\sihost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\sihost.exe\", \"C:\\Windows\\Offline Web Pages\\unsecapp.exe\""	Sessionperf.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5400	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	4744	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	4744	schtasks.exe	93

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3736	powershell.exe
3276	powershell.exe
5420	powershell.exe
2200	powershell.exe
552	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader.exeChecker.exeWScript.exeSessionperf.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Sessionperf.exe

Executes dropped EXE 22 IoCs

Processes:

Checker.exeSessionperf.exewininit.exewininit.execsrss.exeRuntimeBroker.exewininit.exeunsecapp.execsrss.exeRuntimeBroker.exesihost.exewininit.execsrss.exewininit.exeRuntimeBroker.exeunsecapp.execsrss.exewininit.exesihost.exeRuntimeBroker.execsrss.exewininit.exe

pid	Process
3152	Checker.exe
5336	Sessionperf.exe
3620	wininit.exe
1452	wininit.exe
6056	csrss.exe
4692	RuntimeBroker.exe
5028	wininit.exe
1612	unsecapp.exe
5752	csrss.exe
5296	RuntimeBroker.exe
4448	sihost.exe
5428	wininit.exe
2336	csrss.exe
2424	wininit.exe
4132	RuntimeBroker.exe
2008	unsecapp.exe
1000	csrss.exe
1188	wininit.exe
720	sihost.exe
1652	RuntimeBroker.exe
4280	csrss.exe
5416	wininit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\All Users\\sihost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\Offline Web Pages\\unsecapp.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\blockcontainerWincrtdll\\wininit.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Microsoft.NET\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Microsoft.NET\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\All Users\\sihost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\Offline Web Pages\\unsecapp.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\blockcontainerWincrtdll\\wininit.exe\""	Sessionperf.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\pb7nq5.exe	csc.exe
File created	\??\c:\Windows\System32\CSC9B649C11E31744BB94D76DE84B95759.TMP	csc.exe

Drops file in Windows directory 4 IoCs

Processes:

Sessionperf.exe

description	ioc	Process
File created	C:\Windows\Offline Web Pages\unsecapp.exe	Sessionperf.exe
File created	C:\Windows\Offline Web Pages\29c1c3cc0f7685	Sessionperf.exe
File created	C:\Windows\Microsoft.NET\RuntimeBroker.exe	Sessionperf.exe
File created	C:\Windows\Microsoft.NET\9e8d7a4ca61bd9	Sessionperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
4592	schtasks.exe
2492	schtasks.exe
5400	schtasks.exe
4132	schtasks.exe
3380	schtasks.exe
2640	schtasks.exe
2748	schtasks.exe
1980	schtasks.exe
1544	schtasks.exe
3520	schtasks.exe
2372	schtasks.exe
4776	schtasks.exe
3472	schtasks.exe
2276	schtasks.exe
3420	schtasks.exe

Modifies registry class 2 IoCs

Processes:

Checker.exeSessionperf.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	Checker.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	Sessionperf.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
3048	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sessionperf.exe

pid	Process
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe
5336	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

wininit.exe

pid	Process
3620	wininit.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

Loader.exeSessionperf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewininit.exewininit.execsrss.exeRuntimeBroker.exewininit.exeunsecapp.execsrss.exeRuntimeBroker.exesihost.exewininit.execsrss.exewininit.exeRuntimeBroker.exeunsecapp.execsrss.exewininit.exesihost.exeRuntimeBroker.execsrss.exewininit.exe

description	pid	Process
Token: SeDebugPrivilege	2552	Loader.exe
Token: SeDebugPrivilege	5336	Sessionperf.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	5420	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	3620	wininit.exe
Token: SeDebugPrivilege	1452	wininit.exe
Token: SeDebugPrivilege	6056	csrss.exe
Token: SeDebugPrivilege	4692	RuntimeBroker.exe
Token: SeDebugPrivilege	5028	wininit.exe
Token: SeDebugPrivilege	1612	unsecapp.exe
Token: SeDebugPrivilege	5752	csrss.exe
Token: SeDebugPrivilege	5296	RuntimeBroker.exe
Token: SeDebugPrivilege	4448	sihost.exe
Token: SeDebugPrivilege	5428	wininit.exe
Token: SeDebugPrivilege	2336	csrss.exe
Token: SeDebugPrivilege	2424	wininit.exe
Token: SeDebugPrivilege	4132	RuntimeBroker.exe
Token: SeDebugPrivilege	2008	unsecapp.exe
Token: SeDebugPrivilege	1000	csrss.exe
Token: SeDebugPrivilege	1188	wininit.exe
Token: SeDebugPrivilege	720	sihost.exe
Token: SeDebugPrivilege	1652	RuntimeBroker.exe
Token: SeDebugPrivilege	4280	csrss.exe
Token: SeDebugPrivilege	5416	wininit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wininit.exe

pid	Process
3620	wininit.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Loader.exeChecker.exeWScript.execmd.exeSessionperf.execsc.execmd.exe

description	pid	Process	procid_target
PID 2552 wrote to memory of 3152	2552	Loader.exe	87
PID 2552 wrote to memory of 3152	2552	Loader.exe	87
PID 2552 wrote to memory of 3152	2552	Loader.exe	87
PID 3152 wrote to memory of 4576	3152	Checker.exe	88
PID 3152 wrote to memory of 4576	3152	Checker.exe	88
PID 3152 wrote to memory of 4576	3152	Checker.exe	88
PID 4576 wrote to memory of 5616	4576	WScript.exe	89
PID 4576 wrote to memory of 5616	4576	WScript.exe	89
PID 4576 wrote to memory of 5616	4576	WScript.exe	89
PID 5616 wrote to memory of 3048	5616	cmd.exe	91
PID 5616 wrote to memory of 3048	5616	cmd.exe	91
PID 5616 wrote to memory of 3048	5616	cmd.exe	91
PID 5616 wrote to memory of 5336	5616	cmd.exe	92
PID 5616 wrote to memory of 5336	5616	cmd.exe	92
PID 5336 wrote to memory of 1500	5336	Sessionperf.exe	97
PID 5336 wrote to memory of 1500	5336	Sessionperf.exe	97
PID 1500 wrote to memory of 368	1500	csc.exe	99
PID 1500 wrote to memory of 368	1500	csc.exe	99
PID 5336 wrote to memory of 5420	5336	Sessionperf.exe	112
PID 5336 wrote to memory of 5420	5336	Sessionperf.exe	112
PID 5336 wrote to memory of 3276	5336	Sessionperf.exe	113
PID 5336 wrote to memory of 3276	5336	Sessionperf.exe	113
PID 5336 wrote to memory of 3736	5336	Sessionperf.exe	114
PID 5336 wrote to memory of 3736	5336	Sessionperf.exe	114
PID 5336 wrote to memory of 552	5336	Sessionperf.exe	115
PID 5336 wrote to memory of 552	5336	Sessionperf.exe	115
PID 5336 wrote to memory of 2200	5336	Sessionperf.exe	116
PID 5336 wrote to memory of 2200	5336	Sessionperf.exe	116
PID 5336 wrote to memory of 2444	5336	Sessionperf.exe	121
PID 5336 wrote to memory of 2444	5336	Sessionperf.exe	121
PID 2444 wrote to memory of 5812	2444	cmd.exe	124
PID 2444 wrote to memory of 5812	2444	cmd.exe	124
PID 2444 wrote to memory of 1924	2444	cmd.exe	125
PID 2444 wrote to memory of 1924	2444	cmd.exe	125
PID 2444 wrote to memory of 3620	2444	cmd.exe	129
PID 2444 wrote to memory of 3620	2444	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Roaming\Checker.exe
  "C:\Users\Admin\AppData\Roaming\Checker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5616
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3048
    - - C:\blockcontainerWincrtdll\Sessionperf.exe
        
        "C:\blockcontainerWincrtdll/Sessionperf.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5336
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ah35yhm1\ah35yhm1.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES517B.tmp" "c:\Windows\System32\CSC9B649C11E31744BB94D76DE84B95759.TMP"
        7⤵
        
        PID:368
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\sihost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5420
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\unsecapp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3276
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1Wv87isGz.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1924
        
        C:\blockcontainerWincrtdll\wininit.exe
        
        "C:\blockcontainerWincrtdll\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\blockcontainerWincrtdll\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\blockcontainerWincrtdll\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\blockcontainerWincrtdll\wininit.exe
C:\blockcontainerWincrtdll\wininit.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Recovery\WindowsRE\csrss.exe
C:\Recovery\WindowsRE\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6056

C:\Windows\Microsoft.NET\RuntimeBroker.exe
C:\Windows\Microsoft.NET\RuntimeBroker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\blockcontainerWincrtdll\wininit.exe
C:\blockcontainerWincrtdll\wininit.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\Offline Web Pages\unsecapp.exe
"C:\Windows\Offline Web Pages\unsecapp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Recovery\WindowsRE\csrss.exe
C:\Recovery\WindowsRE\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5752

C:\Windows\Microsoft.NET\RuntimeBroker.exe
C:\Windows\Microsoft.NET\RuntimeBroker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5296

C:\Users\All Users\sihost.exe
"C:\Users\All Users\sihost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\blockcontainerWincrtdll\wininit.exe
C:\blockcontainerWincrtdll\wininit.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5428

C:\Recovery\WindowsRE\csrss.exe
C:\Recovery\WindowsRE\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\blockcontainerWincrtdll\wininit.exe
C:\blockcontainerWincrtdll\wininit.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\Microsoft.NET\RuntimeBroker.exe
C:\Windows\Microsoft.NET\RuntimeBroker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\Offline Web Pages\unsecapp.exe
"C:\Windows\Offline Web Pages\unsecapp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Recovery\WindowsRE\csrss.exe
C:\Recovery\WindowsRE\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\blockcontainerWincrtdll\wininit.exe
C:\blockcontainerWincrtdll\wininit.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Users\All Users\sihost.exe
"C:\Users\All Users\sihost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\Microsoft.NET\RuntimeBroker.exe
C:\Windows\Microsoft.NET\RuntimeBroker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Recovery\WindowsRE\csrss.exe
C:\Recovery\WindowsRE\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\blockcontainerWincrtdll\wininit.exe
C:\blockcontainerWincrtdll\wininit.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sihost.exe

Filesize
1.9MB

MD5
1ed6cddb272351d47a5981b0901216cc

SHA1
5cbedbc03a0e830012d14a0e59ad37e185710ceb

SHA256
e2489a918d8e8198dc8f152f91613a303a4e0a42d37fcebac21034c2955421f0

SHA512
652a62ed9864764912fb4ffd5e5dcf077fc4826ee994403f34b095100c8577d982fbc335c5f41ab7f879c54b1a60d69b60f2f469f636f08a2e7faec9eb22dee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1Wv87isGz.bat

Filesize
214B

MD5
9e257620440e6ac7d944e18b8f295ba7

SHA1
d420a02ee6b38d67acfb311fa00b2d2a7e9777d3

SHA256
582328f557672cedb58823052d41ff592af3208cf76c749d5f46f75ee1b44111

SHA512
1b09991b53580b329322a406366285c4817e6dec73728aa214719ee0776aeb78a571309ff8e9990976cff43e7a721a54a2574a3581673a177d98369d1278ca86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES517B.tmp

Filesize
1KB

MD5
62990d6ffdc67652cf7295d77233c92a

SHA1
9ddd5f1f6c0f443f0c78a24ce2224330c75d1234

SHA256
a6b307e8808248f3791716b2790c26ea62442f5e49d3f23b77dcd6ebc7c9aff1

SHA512
ee8f605e177eb7e10dc77b2cae97cd6ebace95e60b71c68bedab7a63779d40ef56b3a152625ae26158fdfafa918cb6c5541d50a0c6f655ad033dbda858eb2a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agwbkitg.bt5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Checker.exe

Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\Users\All Users\sihost.exe

Filesize
2.1MB

MD5
6d070a13e2363c0257da357c535a58a6

SHA1
cfd062f2f4a224a6997c24aedf4408049dfdd87e

SHA256
8fef5bcda1bddf549c11f3e643b97c7950a650743c429137bb4da7790fb98161

SHA512
9d3de2b69e4d4c5cac9099bcbbc935837ceaf41d013552a0d936b895b66dea66337319f567a660617ebd938304cb5f4bb4ab06a8db61f083dd82baeb0dbe657f

Download Submit
C:\Windows\Microsoft.NET\RuntimeBroker.exe

Filesize
3.2MB

MD5
3b531fc23a2e452466c3c9275b5db6bf

SHA1
b890ce51e9ee77e77b9927abccc63a6455da22eb

SHA256
9177419509477d8e3d79997b3ed73dff1fa99f17ef885c2ec7896d918d61c5f7

SHA512
7b97193ae058428a22302cd336f2a8f58a9bb6f23e1459ec816096a3c19b5b7e6e16120192117f75b5643a8275c9dc91557a9eae765483f428e530c3ce9305a7

Download Submit
C:\Windows\Microsoft.NET\RuntimeBroker.exe

Filesize
3.1MB

MD5
eae6b0205bebb909009024c637d18a8c

SHA1
d95c80d7aaf440f17d761199cb4e62401696afd4

SHA256
030aead740b240962b3eb13c3ca56fa8f32d372acd8872f8c05f59b43c86dd17

SHA512
9046ec277442396028908dfbf8f9cc849164c2dfc97798343cf9ac02807907d45c1223d9fde5ebd779b1457b5121d6bc2ea6d4a773cda13bc67ef91c59374634

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe

Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe

Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat

Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ah35yhm1\ah35yhm1.0.cs

Filesize
361B

MD5
2ef2d8b60b8157aaf6d61bcde0887884

SHA1
0ca885c37cc1520852148d3a8202506718e3e4b3

SHA256
ed65d44210c4229613cc803ec68aa120f8bf6d7a211dea8aaf57f08f58145f75

SHA512
e77f31654b268711fac04a172fd8729d051f95069a5ed65e6e721b87aac793aafb36f6a8430f5750a6ee39c8e60d2c5f3b347051e810e9a539ed6bffc50ff3df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ah35yhm1\ah35yhm1.cmdline

Filesize
235B

MD5
08885c33ddc223fe2d7d51d4e14c3fc8

SHA1
a0288ec7c12e4eae99d1041b498f1fae25154a93

SHA256
933533d73be0eb0dbec5a64080fc501ed76e04d085c7915eacd5aabbe9b03baa

SHA512
63b298edcc989ce19773ca49956d8585d1e051345cbc989f93c00d4e8042e4ba0530ef9a91939f05a6d14281391a71c701582168adfe56e69b08cfdb61042439

Download Submit
\??\c:\Windows\System32\CSC9B649C11E31744BB94D76DE84B95759.TMP

Filesize
1KB

MD5
1698af2b79b4ffd499309c965169ae30

SHA1
e54beb6e91f1272ec2989800895d6e1d8a6332b4

SHA256
98b74452ccce9477030c647d3a662619a85f9160e1a2b35e7ad9c08021035d9e

SHA512
b52057d6526f676e61ab07f7c25d2ff4fe969e7462d037fdc757a62ac6e91ed55df485cc28c135799378c90f257aec1767b43e3bf328a0340c63e678d781a8f0

Download Submit
memory/2200-113-0x000002174CA60000-0x000002174CA82000-memory.dmp

Filesize
136KB

Download
memory/2552-12-0x00007FF996020000-0x00007FF996AE1000-memory.dmp

Filesize
10.8MB

Download
memory/2552-3-0x00007FF996020000-0x00007FF996AE1000-memory.dmp

Filesize
10.8MB

Download
memory/2552-2-0x00007FF996020000-0x00007FF996AE1000-memory.dmp

Filesize
10.8MB

Download
memory/2552-0-0x00000000005A0000-0x00000000005FE000-memory.dmp

Filesize
376KB

Download
memory/2552-1-0x00007FF996023000-0x00007FF996025000-memory.dmp

Filesize
8KB

Download
memory/3620-191-0x000000001C910000-0x000000001C9DD000-memory.dmp

Filesize
820KB

Download
memory/3620-192-0x000000001C130000-0x000000001C19B000-memory.dmp

Filesize
428KB

Download
memory/5336-41-0x000000001BD00000-0x000000001BD10000-memory.dmp

Filesize
64KB

Download
memory/5336-58-0x000000001CEC0000-0x000000001CECE000-memory.dmp

Filesize
56KB

Download
memory/5336-68-0x000000001CF60000-0x000000001CF70000-memory.dmp

Filesize
64KB

Download
memory/5336-72-0x000000001D210000-0x000000001D228000-memory.dmp

Filesize
96KB

Download
memory/5336-74-0x000000001CF80000-0x000000001CF8C000-memory.dmp

Filesize
48KB

Download
memory/5336-76-0x000000001D280000-0x000000001D2CE000-memory.dmp

Filesize
312KB

Download
memory/5336-70-0x000000001CF70000-0x000000001CF7E000-memory.dmp

Filesize
56KB

Download
memory/5336-32-0x000000001CDF0000-0x000000001CE0C000-memory.dmp

Filesize
112KB

Download
memory/5336-30-0x000000001BAC0000-0x000000001BACE000-memory.dmp

Filesize
56KB

Download
memory/5336-66-0x000000001CF50000-0x000000001CF5E000-memory.dmp

Filesize
56KB

Download
memory/5336-64-0x000000001CFB0000-0x000000001D00A000-memory.dmp

Filesize
360KB

Download
memory/5336-60-0x000000001CEF0000-0x000000001CF00000-memory.dmp

Filesize
64KB

Download
memory/5336-114-0x000000001DBB0000-0x000000001DC7D000-memory.dmp

Filesize
820KB

Download
memory/5336-115-0x000000001D3D0000-0x000000001D43B000-memory.dmp

Filesize
428KB

Download
memory/5336-62-0x000000001CF00000-0x000000001CF10000-memory.dmp

Filesize
64KB

Download
memory/5336-45-0x000000001CE40000-0x000000001CE4E000-memory.dmp

Filesize
56KB

Download
memory/5336-56-0x000000001D480000-0x000000001D9A8000-memory.dmp

Filesize
5.2MB

Download
memory/5336-55-0x000000001CF30000-0x000000001CF42000-memory.dmp

Filesize
72KB

Download
memory/5336-51-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/5336-53-0x000000001CF10000-0x000000001CF26000-memory.dmp

Filesize
88KB

Download
memory/5336-49-0x000000001CE50000-0x000000001CE5C000-memory.dmp

Filesize
48KB

Download
memory/5336-47-0x000000001CED0000-0x000000001CEE2000-memory.dmp

Filesize
72KB

Download
memory/5336-39-0x000000001BCF0000-0x000000001BD00000-memory.dmp

Filesize
64KB

Download
memory/5336-43-0x000000001CE30000-0x000000001CE3E000-memory.dmp

Filesize
56KB

Download
memory/5336-37-0x000000001CE10000-0x000000001CE28000-memory.dmp

Filesize
96KB

Download
memory/5336-33-0x000000001CE60000-0x000000001CEB0000-memory.dmp

Filesize
320KB

Download
memory/5336-35-0x000000001BCE0000-0x000000001BCF0000-memory.dmp

Filesize
64KB

Download
memory/5336-28-0x000000001BD10000-0x000000001BD36000-memory.dmp

Filesize
152KB

Download
memory/5336-26-0x0000000000B10000-0x0000000000EB2000-memory.dmp

Filesize
3.6MB

Download