phorphiex | e5bbb80e14cc81f6dcc7263461f6650f1fb23cbdbcdacc4d42406621c6f97123

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://77.91.77.92/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
55a4er5wo
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Extracted

Family

redline

Botnet

30072024

185.215.113.67:40960

Extracted

Family

stealc

Botnet

QLL

http://85.28.47.70

Attributes

url_path
/744f169d372be841.php

Extracted

Family

stealc

Botnet

valenciga

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

xworm

91.92.249.37:9049

Mutex

aMtkXNimPlkESDx9

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000700000001e555-1396.dat	family_xworm
behavioral3/memory/6988-1410-0x00000000001B0000-0x00000000001C6000-memory.dmp	family_xworm

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysmysldrv.exe

Phorphiex payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000800000002343b-13.dat	family_phorphiex
behavioral3/files/0x0007000000023446-84.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 2 IoCs

resource	yara_rule
behavioral3/memory/3420-180-0x0000000000850000-0x000000000094A000-memory.dmp	family_purelog_stealer
behavioral3/files/0x000c000000023460-179.dat	family_purelog_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0011000000023442-24.dat	family_redline
behavioral3/memory/2096-25-0x0000000000060000-0x00000000000B2000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 4404 created 3388	4404	nxmr.exe	56
PID 4404 created 3388	4404	nxmr.exe	56
PID 3420 created 3388	3420	66c3721bc46fe_Ernrnmkio.exe	56
PID 5864 created 3388	5864	wupgrdsv.exe	56
PID 5864 created 3388	5864	wupgrdsv.exe	56
PID 8200 created 3388	8200	mraqq.exe	56

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3228	powershell.exe
7540	powershell.exe
7824	powershell.exe
5792	powershell.exe
6136	powershell.exe

Contacts a large (1325) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	sysmysldrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	first.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe	first.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe	first.exe

Executes dropped EXE 24 IoCs

pid	Process
4744	twztl.exe
2096	30072024.exe
3780	tdrpload.exe
5072	aaa.exe
2212	sysmablsvr.exe
4308	newtpp.exe
3164	sysmablsvr.exe
3872	sysmysldrv.exe
4288	81776306.exe
4744	301557736.exe
2580	pp.exe
4080	4434.exe
3420	66c3721bc46fe_Ernrnmkio.exe
5260	a.exe
3764	peinf.exe
4404	nxmr.exe
5296	66c3721bc46fe_Ernrnmkio.exe
5864	wupgrdsv.exe
6280	stealc_valenciga.exe
6988	first.exe
6876	tpeinf.exe
6864	150351734.exe
8200	mraqq.exe
8876	mraqq.exe

Loads dropped DLL 2 IoCs

pid	Process
6280	stealc_valenciga.exe
6280	stealc_valenciga.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	twztl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysmablsvr.exe"	tdrpload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmysldrv.exe"	newtpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afasdfga = "C:\\Users\\Admin\\AppData\\Roaming\\afasdfga.exe"	66c3721bc46fe_Ernrnmkio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\first = "C:\\Users\\Admin\\AppData\\Roaming\\first.exe"	first.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
973	raw.githubusercontent.com
974	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1008	ip-api.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4080 set thread context of 3764	4080	4434.exe	124
PID 3420 set thread context of 5296	3420	66c3721bc46fe_Ernrnmkio.exe	137
PID 5864 set thread context of 772	5864	wupgrdsv.exe	141
PID 8200 set thread context of 8876	8200	mraqq.exe	161

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	66c3721bc46fe_Ernrnmkio.exe
File created	C:\Windows\sysmablsvr.exe	twztl.exe
File opened for modification	C:\Windows\sysmablsvr.exe	twztl.exe
File created	C:\Windows\sysmablsvr.exe	tdrpload.exe
File created	C:\Windows\sysmysldrv.exe	newtpp.exe
File opened for modification	C:\Windows\sysmysldrv.exe	newtpp.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4904	sc.exe
4592	sc.exe
1300	sc.exe
440	sc.exe
4404	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmablsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66c3721bc46fe_Ernrnmkio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4434.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tdrpload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mraqq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mraqq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmablsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newtpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmysldrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66c3721bc46fe_Ernrnmkio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_valenciga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twztl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81776306.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peinf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30072024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	301557736.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tpeinf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	150351734.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_valenciga.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_valenciga.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	30072024.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	30072024.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6988	first.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3228	powershell.exe
3228	powershell.exe
3228	powershell.exe
4404	nxmr.exe
4404	nxmr.exe
6136	powershell.exe
6136	powershell.exe
6136	powershell.exe
4404	nxmr.exe
4404	nxmr.exe
3420	66c3721bc46fe_Ernrnmkio.exe
3420	66c3721bc46fe_Ernrnmkio.exe
5864	wupgrdsv.exe
5864	wupgrdsv.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5864	wupgrdsv.exe
5864	wupgrdsv.exe
6280	stealc_valenciga.exe
6280	stealc_valenciga.exe
6280	stealc_valenciga.exe
6280	stealc_valenciga.exe
7824	powershell.exe
7824	powershell.exe
7824	powershell.exe
8200	mraqq.exe
8200	mraqq.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
3872	sysmysldrv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3864	4363463463464363463463463.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	3420	66c3721bc46fe_Ernrnmkio.exe
Token: SeDebugPrivilege	6136	powershell.exe
Token: SeIncreaseQuotaPrivilege	6136	powershell.exe
Token: SeSecurityPrivilege	6136	powershell.exe
Token: SeTakeOwnershipPrivilege	6136	powershell.exe
Token: SeLoadDriverPrivilege	6136	powershell.exe
Token: SeSystemProfilePrivilege	6136	powershell.exe
Token: SeSystemtimePrivilege	6136	powershell.exe
Token: SeProfSingleProcessPrivilege	6136	powershell.exe
Token: SeIncBasePriorityPrivilege	6136	powershell.exe
Token: SeCreatePagefilePrivilege	6136	powershell.exe
Token: SeBackupPrivilege	6136	powershell.exe
Token: SeRestorePrivilege	6136	powershell.exe
Token: SeShutdownPrivilege	6136	powershell.exe
Token: SeDebugPrivilege	6136	powershell.exe
Token: SeSystemEnvironmentPrivilege	6136	powershell.exe
Token: SeRemoteShutdownPrivilege	6136	powershell.exe
Token: SeUndockPrivilege	6136	powershell.exe
Token: SeManageVolumePrivilege	6136	powershell.exe
Token: 33	6136	powershell.exe
Token: 34	6136	powershell.exe
Token: 35	6136	powershell.exe
Token: 36	6136	powershell.exe
Token: SeIncreaseQuotaPrivilege	6136	powershell.exe
Token: SeSecurityPrivilege	6136	powershell.exe
Token: SeTakeOwnershipPrivilege	6136	powershell.exe
Token: SeLoadDriverPrivilege	6136	powershell.exe
Token: SeSystemProfilePrivilege	6136	powershell.exe
Token: SeSystemtimePrivilege	6136	powershell.exe
Token: SeProfSingleProcessPrivilege	6136	powershell.exe
Token: SeIncBasePriorityPrivilege	6136	powershell.exe
Token: SeCreatePagefilePrivilege	6136	powershell.exe
Token: SeBackupPrivilege	6136	powershell.exe
Token: SeRestorePrivilege	6136	powershell.exe
Token: SeShutdownPrivilege	6136	powershell.exe
Token: SeDebugPrivilege	6136	powershell.exe
Token: SeSystemEnvironmentPrivilege	6136	powershell.exe
Token: SeRemoteShutdownPrivilege	6136	powershell.exe
Token: SeUndockPrivilege	6136	powershell.exe
Token: SeManageVolumePrivilege	6136	powershell.exe
Token: 33	6136	powershell.exe
Token: 34	6136	powershell.exe
Token: 35	6136	powershell.exe
Token: 36	6136	powershell.exe
Token: SeIncreaseQuotaPrivilege	6136	powershell.exe
Token: SeSecurityPrivilege	6136	powershell.exe
Token: SeTakeOwnershipPrivilege	6136	powershell.exe
Token: SeLoadDriverPrivilege	6136	powershell.exe
Token: SeSystemProfilePrivilege	6136	powershell.exe
Token: SeSystemtimePrivilege	6136	powershell.exe
Token: SeProfSingleProcessPrivilege	6136	powershell.exe
Token: SeIncBasePriorityPrivilege	6136	powershell.exe
Token: SeCreatePagefilePrivilege	6136	powershell.exe
Token: SeBackupPrivilege	6136	powershell.exe
Token: SeRestorePrivilege	6136	powershell.exe
Token: SeShutdownPrivilege	6136	powershell.exe
Token: SeDebugPrivilege	6136	powershell.exe
Token: SeSystemEnvironmentPrivilege	6136	powershell.exe
Token: SeRemoteShutdownPrivilege	6136	powershell.exe
Token: SeUndockPrivilege	6136	powershell.exe
Token: SeManageVolumePrivilege	6136	powershell.exe
Token: 33	6136	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 4744	3864	4363463463464363463463463.exe	119
PID 3864 wrote to memory of 4744	3864	4363463463464363463463463.exe	119
PID 3864 wrote to memory of 4744	3864	4363463463464363463463463.exe	119
PID 3864 wrote to memory of 2096	3864	4363463463464363463463463.exe	97
PID 3864 wrote to memory of 2096	3864	4363463463464363463463463.exe	97
PID 3864 wrote to memory of 2096	3864	4363463463464363463463463.exe	97
PID 3864 wrote to memory of 3780	3864	4363463463464363463463463.exe	98
PID 3864 wrote to memory of 3780	3864	4363463463464363463463463.exe	98
PID 3864 wrote to memory of 3780	3864	4363463463464363463463463.exe	98
PID 3864 wrote to memory of 5072	3864	4363463463464363463463463.exe	99
PID 3864 wrote to memory of 5072	3864	4363463463464363463463463.exe	99
PID 3864 wrote to memory of 5072	3864	4363463463464363463463463.exe	99
PID 4744 wrote to memory of 2212	4744	twztl.exe	101
PID 4744 wrote to memory of 2212	4744	twztl.exe	101
PID 4744 wrote to memory of 2212	4744	twztl.exe	101
PID 3864 wrote to memory of 4308	3864	4363463463464363463463463.exe	102
PID 3864 wrote to memory of 4308	3864	4363463463464363463463463.exe	102
PID 3864 wrote to memory of 4308	3864	4363463463464363463463463.exe	102
PID 3780 wrote to memory of 3164	3780	tdrpload.exe	103
PID 3780 wrote to memory of 3164	3780	tdrpload.exe	103
PID 3780 wrote to memory of 3164	3780	tdrpload.exe	103
PID 4308 wrote to memory of 3872	4308	newtpp.exe	104
PID 4308 wrote to memory of 3872	4308	newtpp.exe	104
PID 4308 wrote to memory of 3872	4308	newtpp.exe	104
PID 3872 wrote to memory of 428	3872	sysmysldrv.exe	105
PID 3872 wrote to memory of 428	3872	sysmysldrv.exe	105
PID 3872 wrote to memory of 428	3872	sysmysldrv.exe	105
PID 3872 wrote to memory of 1872	3872	sysmysldrv.exe	107
PID 3872 wrote to memory of 1872	3872	sysmysldrv.exe	107
PID 3872 wrote to memory of 1872	3872	sysmysldrv.exe	107
PID 428 wrote to memory of 3228	428	cmd.exe	109
PID 428 wrote to memory of 3228	428	cmd.exe	109
PID 428 wrote to memory of 3228	428	cmd.exe	109
PID 1872 wrote to memory of 1300	1872	cmd.exe	110
PID 1872 wrote to memory of 1300	1872	cmd.exe	110
PID 1872 wrote to memory of 1300	1872	cmd.exe	110
PID 1872 wrote to memory of 440	1872	cmd.exe	111
PID 1872 wrote to memory of 440	1872	cmd.exe	111
PID 1872 wrote to memory of 440	1872	cmd.exe	111
PID 1872 wrote to memory of 4592	1872	cmd.exe	112
PID 1872 wrote to memory of 4592	1872	cmd.exe	112
PID 1872 wrote to memory of 4592	1872	cmd.exe	112
PID 1872 wrote to memory of 4904	1872	cmd.exe	113
PID 1872 wrote to memory of 4904	1872	cmd.exe	113
PID 1872 wrote to memory of 4904	1872	cmd.exe	113
PID 1872 wrote to memory of 4404	1872	cmd.exe	128
PID 1872 wrote to memory of 4404	1872	cmd.exe	128
PID 1872 wrote to memory of 4404	1872	cmd.exe	128
PID 3164 wrote to memory of 4288	3164	sysmablsvr.exe	118
PID 3164 wrote to memory of 4288	3164	sysmablsvr.exe	118
PID 3164 wrote to memory of 4288	3164	sysmablsvr.exe	118
PID 3872 wrote to memory of 4744	3872	sysmysldrv.exe	119
PID 3872 wrote to memory of 4744	3872	sysmysldrv.exe	119
PID 3872 wrote to memory of 4744	3872	sysmysldrv.exe	119
PID 3864 wrote to memory of 2580	3864	4363463463464363463463463.exe	120
PID 3864 wrote to memory of 2580	3864	4363463463464363463463463.exe	120
PID 3864 wrote to memory of 2580	3864	4363463463464363463463463.exe	120
PID 3864 wrote to memory of 4080	3864	4363463463464363463463463.exe	121
PID 3864 wrote to memory of 4080	3864	4363463463464363463463463.exe	121
PID 3864 wrote to memory of 4080	3864	4363463463464363463463463.exe	121
PID 4080 wrote to memory of 3456	4080	4434.exe	123
PID 4080 wrote to memory of 3456	4080	4434.exe	123
PID 4080 wrote to memory of 3456	4080	4434.exe	123
PID 4080 wrote to memory of 3764	4080	4434.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\sysmablsvr.exe
      C:\Windows\sysmablsvr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2212
- - C:\Users\Admin\AppData\Local\Temp\Files\30072024.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\30072024.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:2096
- - C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3780
  - - C:\Users\Admin\sysmablsvr.exe
      C:\Users\Admin\sysmablsvr.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3164
    - - C:\Users\Admin\AppData\Local\Temp\81776306.exe
        
        C:\Users\Admin\AppData\Local\Temp\81776306.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4288
- - C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5072
- - C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\sysmysldrv.exe
      C:\Windows\sysmysldrv.exe
      4⤵
      Modifies security service
      Windows security bypass
      Checks computer location settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: SetClipboardViewer
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:428
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1300
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:440
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4592
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4904
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4404
    - - C:\Users\Admin\AppData\Local\Temp\301557736.exe
        
        C:\Users\Admin\AppData\Local\Temp\301557736.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4744
- - C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2580
- - C:\Users\Admin\AppData\Local\Temp\Files\4434.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\4434.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3456
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3764
- - C:\Users\Admin\AppData\Local\Temp\Files\66c3721bc46fe_Ernrnmkio.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\66c3721bc46fe_Ernrnmkio.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- - C:\Users\Admin\AppData\Local\Temp\Files\a.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\a.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5260
- - C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3764
- - C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4404
- - C:\Users\Admin\AppData\Local\Temp\Files\stealc_valenciga.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\stealc_valenciga.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:6280
- - C:\Users\Admin\AppData\Local\Temp\Files\first.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\first.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    PID:6988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'first.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\first.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:7824
- - C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6876
  - - C:\Users\Admin\AppData\Local\Temp\150351734.exe
      C:\Users\Admin\AppData\Local\Temp\150351734.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6136
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:5552
- C:\Users\Admin\AppData\Local\Temp\Files\66c3721bc46fe_Ernrnmkio.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\66c3721bc46fe_Ernrnmkio.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5792
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  PID:772
- C:\ProgramData\qkwv\mraqq.exe
  "C:\ProgramData\qkwv\mraqq.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:8876

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5864

C:\ProgramData\qkwv\mraqq.exe
C:\ProgramData\qkwv\mraqq.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:8200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OD2FK6XO\1[1]

Filesize
19KB

MD5
e9be5fcdbb65af72e3cc268a846608cc

SHA1
c3654860cec82d28852375bc7ad192e26b0ea240

SHA256
69d5bbd72a7c5ebb74b727849ec63898cb8672a1211bcc1750d7affdcbfc5759

SHA512
fbedc4634ab30192482878cee3d62b38d1c6a98be4ff2ef17b60238761b58fe4f0ad302beb9e35af57f3cc64b45df988c30ab9126bae4c81b66fdc2ec8399e03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
65a19fbd74a80be650cc029a19a4de0d

SHA1
9cdfe74c7420ab5854fc48d2824e03a9c961b4bc

SHA256
3be4c3660e7569668a8d9e64009083502869f747e4b32aecafb312a762de3add

SHA512
51c0e6e80c2e037b47a43059cc9e5300db181d035b1dd5d4119333f3e76be753f6e4e7c5e4f92d2a0ae69745eb799c30b78b46e78c90e3ce77891455f3dd382c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d95b08252ed624f6d91b46523f110f29

SHA1
17577997bc1fb5d3fbe59be84013165534415dc3

SHA256
342ce7c39bf9992d31d4b61ef138b2b084c96c74736ed00bb19aae49be16ca02

SHA512
0c4288176d56f4ee6d8f08f568fba07ad859f50a395c39d2afd3baf55d3d29ca065a1ce305d1bd790477c35977c0ffa230543e805622f80a77bcee71b24eb257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc35bf2367ee5c6feb084ab39f5c26eb

SHA1
cd9742c05391a92780a81fe836797a5909c7f9c1

SHA256
7ad08f1c2e7df4102eb3a6d213f4a0c245300c275fd53e463655a8ab9fa3ec64

SHA512
0b6662ea93907902c9f5db98bed4e9d322a69e7b8df921f6b8bd8026fdbfa556b0afe29013e3ecc8982a6339c48b4fe371ba587f02c39de72cb3840ed0e6747b

Download Submit
C:\Users\Admin\AppData\Local\Temp\301557736.exe

Filesize
19KB

MD5
dce86bff5ca04db752b19245e111a636

SHA1
f1e3a56d5be946483b5eac047540a37d6af60f03

SHA256
1467e4763d7a4b66d33c01714e7ed6192c8518688a72f91bf37a51ef35095a6d

SHA512
448bd6926688f32afef0d759dcdbe10915736e51f0b4b3059d402e58d677b4ed915460809a91680bd2eb640fc830dfaeda02484157a94f1d8ce2447e3a795ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\30072024.exe

Filesize
304KB

MD5
aedfb26f18fdd54279e8d1b82b84559a

SHA1
161a427ef200282daf092543b3eda9b8cd689514

SHA256
ba7517fbc65542871d06e7d4b7a017d5c165f55dda2b741e2ba52a6303d21b57

SHA512
30c5836584b3d74e9a0719e0559f2b83900210ee574ae780d793cdc6396bd9b7cb672f401dfa15a58687ad1d769d5ef5c0b0b24de83dec3c8429a259c9a37bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\4434.exe

Filesize
413KB

MD5
607c413d4698582cc147d0f0d8ce5ef1

SHA1
c422ff50804e4d4e55d372b266b2b9aa02d3cfdd

SHA256
46a8a9d9c639503a3c8c9654c18917a9cedbed9c93babd14ef14c1e25282c0d5

SHA512
d139f1b76b2fbc68447b03a5ca21065c21786245c8f94137c039d48c74996c10c46ca0bdd7a65cd9ccdc265b5c4ca952be9c2876ced2928c65924ef709678876

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\66c3721bc46fe_Ernrnmkio.exe

Filesize
976KB

MD5
902f14b6f32cc40a82d6a0f2c41208ec

SHA1
c01e5bc3e9dbb84a5b36841045055999fc0a16cf

SHA256
81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa

SHA512
d55e184309e122ffbe3097bfb64b3e23829228cd16030dca5856bfa1725bc60c2da04bf04c8919ca658ca4b7b03e4be6e6bc9240b5816903609969213be2f97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe

Filesize
19KB

MD5
1318fbc69b729539376cb6c9ac3cee4c

SHA1
753090b4ffaa151317517e8925712dd02908fe9e

SHA256
e972fb08a4dcde8d09372f78fe67ba283618288432cdb7d33015fc80613cb408

SHA512
7a72a77890aa74ea272473018a683f1b6961e5e765eb90e5be0bb397f04e58b09ab47cfb6095c2fea91f4e0d39bd65e21fee54a0eade36378878b7880bcb9d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\first.exe

Filesize
66KB

MD5
8063f5bf899b386530ad3399f0c5f2a1

SHA1
901454bb522a8076399eac5ea8c0573ff25dd8b8

SHA256
12aa47db9b5a1c6fddc382e09046d0f48fbdce4b0736b1d5cfcf6f1018fdd621

SHA512
c9e4e9e5efb7e5def5ae35047e4a6b6a80174eade2a2d64137f00e20d14e348c5852f9c1bac24d5dee4a6d43049b51517f677d504fbb9a413704eb9985f44f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe

Filesize
92KB

MD5
be9388b42333b3d4e163b0ace699897b

SHA1
4e1109772eb9cb59c557380822166fe1664403bd

SHA256
d281e0a0f1e1073f2d290a7eb1f77bed4c210dbf83a0f4f4e22073f50faa843f

SHA512
5f887f1060b898c9a88745cde7cf509fdf42947ab8e5948b46c2df659468dc245b24d089bdbec0b314c40b83934698bf4b6feb8954e32810ff8f522aab0af19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe

Filesize
20KB

MD5
1382c0a4a9e0a9a2c942458652a4a0e4

SHA1
55ed8ebd6281c280c3e77763773d789a6057e743

SHA256
4cb590dfafb7653379326e840d9b904a3cf05451999c4f9eb66c6e7116b68875

SHA512
cc1ba7e779536b57409c974f16b0d8706fdf8749fb9eca36716d4e84d4f420a650b6476ac08570e684ad1e492da3bbacc15a4e5be4b94a1b708909d683da0b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stealc_valenciga.exe

Filesize
187KB

MD5
cb24cc9c184d8416a66b78d9af3c06a2

SHA1
806e4c0fc582460e8db91587b39003988b8ff9f5

SHA256
53ebff6421eac84a4337bdf9f33d409ca84b5229ac9e001cd95b6878d8bdbeb6

SHA512
3f4feb4bbe98e17c74253c0fec6b8398075aecc4807a642d999effafc10043b3bcf79b1f7d43a33917f709e78349206f0b6f1530a46b7f833e815db13aeeb33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe

Filesize
6KB

MD5
cfb7fbf1d4b077a0e74ed6e9aab650a8

SHA1
a91cfbcc9e67e8f4891dde04e7d003fc63b7d977

SHA256
d93add71a451ec7c04c99185ae669e59fb866eb38f463e9425044981ed1bcae0

SHA512
b174d0fed1c605decc4e32079a76fbb324088b710ce1a3fe427a9a30c7bdcd6ac1ad223970cdc64061705f9a268afa96463ee73536b46991981d041517b77785

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpF9B2.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3onytrd5.qvk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
3KB

MD5
8f585cfd4bcb25d0c06778ef82f37804

SHA1
3e7f6d52f672a3f17d7da0d2f141fcb44d621b0a

SHA256
9fe63f3bb2d7a142c208fe8e9978b8cc2a7de22cf5256fd60581bb461614d1be

SHA512
057a5c7985a9ccab37258b5f49a7bfe814b82e4bcddef200ab1ee19e78bc61c173821059e0b410cb3cb44c2dd55adc72300ed8b2908da596d64eb8ad36d1532a

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
232B

MD5
3cedec089e84c9985f4c6d5a5618f06d

SHA1
ca5d55fbb61474d0a6a97422f2ec9a552d4bcb31

SHA256
12ede85fd57de0afda349d4d7479ba0a27f9c176e03ee350eeb04529b82d453a

SHA512
0ded954019b13dfba33767b0e437e3c0102de621817de0cb1e3cc2be588e154423d95d788e50b574564a8c6c0d0717b087272cbd2447f0f499239d148a82a61a

Download Submit
memory/2096-28-0x0000000004A40000-0x0000000004AD2000-memory.dmp

Filesize
584KB

Download
memory/2096-59-0x0000000006870000-0x0000000006E88000-memory.dmp

Filesize
6.1MB

Download
memory/2096-63-0x00000000064D0000-0x000000000651C000-memory.dmp

Filesize
304KB

Download
memory/2096-62-0x0000000006360000-0x000000000639C000-memory.dmp

Filesize
240KB

Download
memory/2096-60-0x00000000063C0000-0x00000000064CA000-memory.dmp

Filesize
1.0MB

Download
memory/2096-61-0x0000000006300000-0x0000000006312000-memory.dmp

Filesize
72KB

Download
memory/2096-48-0x0000000006130000-0x000000000614E000-memory.dmp

Filesize
120KB

Download
memory/2096-47-0x0000000005720000-0x0000000005796000-memory.dmp

Filesize
472KB

Download
memory/2096-29-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/2096-30-0x0000000004980000-0x000000000498A000-memory.dmp

Filesize
40KB

Download
memory/2096-25-0x0000000000060000-0x00000000000B2000-memory.dmp

Filesize
328KB

Download
memory/2096-27-0x0000000004FF0000-0x0000000005594000-memory.dmp

Filesize
5.6MB

Download
memory/2096-135-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/2096-140-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/2096-26-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/3228-103-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/3228-127-0x0000000007F60000-0x0000000007FF6000-memory.dmp

Filesize
600KB

Download
memory/3228-128-0x0000000007F00000-0x0000000007F11000-memory.dmp

Filesize
68KB

Download
memory/3228-129-0x0000000007F20000-0x0000000007F2E000-memory.dmp

Filesize
56KB

Download
memory/3228-130-0x0000000007F30000-0x0000000007F44000-memory.dmp

Filesize
80KB

Download
memory/3228-132-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/3228-131-0x0000000008020000-0x000000000803A000-memory.dmp

Filesize
104KB

Download
memory/3228-126-0x0000000007D50000-0x0000000007D5A000-memory.dmp

Filesize
40KB

Download
memory/3228-124-0x0000000008380000-0x00000000089FA000-memory.dmp

Filesize
6.5MB

Download
memory/3228-125-0x0000000007D00000-0x0000000007D1A000-memory.dmp

Filesize
104KB

Download
memory/3228-111-0x00000000071B0000-0x00000000071E2000-memory.dmp

Filesize
200KB

Download
memory/3228-112-0x000000006CB10000-0x000000006CB5C000-memory.dmp

Filesize
304KB

Download
memory/3228-123-0x0000000007BB0000-0x0000000007C53000-memory.dmp

Filesize
652KB

Download
memory/3228-122-0x0000000007190000-0x00000000071AE000-memory.dmp

Filesize
120KB

Download
memory/3228-95-0x0000000005410000-0x0000000005446000-memory.dmp

Filesize
216KB

Download
memory/3228-110-0x00000000069B0000-0x00000000069CE000-memory.dmp

Filesize
120KB

Download
memory/3228-96-0x0000000005C20000-0x0000000006248000-memory.dmp

Filesize
6.2MB

Download
memory/3228-105-0x00000000063A0000-0x0000000006406000-memory.dmp

Filesize
408KB

Download
memory/3228-109-0x0000000006600000-0x0000000006954000-memory.dmp

Filesize
3.3MB

Download
memory/3228-97-0x0000000005BF0000-0x0000000005C12000-memory.dmp

Filesize
136KB

Download
memory/3420-242-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-202-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-226-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-224-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-222-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-220-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-230-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-219-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-214-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-212-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-210-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-208-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-206-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-205-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-200-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-198-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-196-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-194-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-190-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-1272-0x0000000005380000-0x00000000053CC000-memory.dmp

Filesize
304KB

Download
memory/3420-1271-0x00000000053E0000-0x0000000005438000-memory.dmp

Filesize
352KB

Download
memory/3420-188-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-236-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-234-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-216-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-228-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-192-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-186-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-184-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-183-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-182-0x0000000005240000-0x000000000531C000-memory.dmp

Filesize
880KB

Download
memory/3420-180-0x0000000000850000-0x000000000094A000-memory.dmp

Filesize
1000KB

Download
memory/3420-232-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-238-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-181-0x00000000050F0000-0x00000000051CC000-memory.dmp

Filesize
880KB

Download
memory/3420-240-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3420-1299-0x0000000005510000-0x0000000005564000-memory.dmp

Filesize
336KB

Download
memory/3420-244-0x0000000005240000-0x0000000005316000-memory.dmp

Filesize
856KB

Download
memory/3764-167-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3764-168-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3864-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/3864-5-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/3864-4-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/3864-3-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/3864-2-0x0000000004C20000-0x0000000004CBC000-memory.dmp

Filesize
624KB

Download
memory/3864-1-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/6136-1292-0x000001B4C8E50000-0x000001B4C8E72000-memory.dmp

Filesize
136KB

Download
memory/6280-1332-0x0000000000080000-0x00000000002C3000-memory.dmp

Filesize
2.3MB

Download
memory/6280-1429-0x0000000000080000-0x00000000002C3000-memory.dmp

Filesize
2.3MB

Download
memory/6988-1410-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download