2903657263c3670e4d0ce60bac9a90c63400e365e8e0349b536473bbfcbd51ed

Analysis

max time kernel
1s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 01:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe
Size

3.8MB
MD5

91f48db9e99e6c6244d1b9fe09457cff
SHA1

5b7875bed9ebeda5c062ff27b551f80fbff860a3
SHA256

8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa
SHA512

42a897869b1e669f6e773f478e94dee79ba00fb9a10a07a8a290d6e38b739e28bddb0e9d718efe059df0ce87069d0082dd669e9f2b976d31cad0ba0d7b1b4c0b
SSDEEP

98304:XS3aG0qGL02DkJqOwhl7/CgqiN17zqyHHX:BNL02gJ+l7/Cf+7zVHX

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Stagsi\SupStub.bat	8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe
File created	C:\Program Files (x86)\Stagsi\Supper.exe	8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe
File created	C:\Program Files (x86)\Stagsi\InitialSup.exe	8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe
File created	C:\Program Files (x86)\Stagsi\InitialSup.json	8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4444	sc.exe
1972	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
5084	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2412	8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2412	8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe

C:\Users\Admin\AppData\Local\Temp\8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe
"C:\Users\Admin\AppData\Local\Temp\8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Stagsi\SupStub.bat" /install /archive "C:\Users\Admin\AppData\Local\Temp\8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe" /offset 520716,2829606 /fresh"
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\sc.exe
    sc stop Sup_Stagsi
    3⤵
    - Launches sc.exe
    PID:4444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Sup.exe
    3⤵
    - Kills process with taskkill
    PID:5084
- - C:\Windows\SysWOW64\sc.exe
    sc delete Sup_Stagsi
    3⤵
    - Launches sc.exe
    PID:1972
- - C:\Program Files (x86)\Stagsi\Sup.exe
    Sup /install /archive "C:\Users\Admin\AppData\Local\Temp\8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe" /offset 520716,2829606 /fresh
    3⤵
    PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Stagsi\_update\post\run.bat""
      4⤵
      PID:1984
    - - C:\Windows\SysWOW64\find.exe
        
        find "/fresh"
        5⤵
        
        PID:5096
    - - C:\Program Files (x86)\Stagsi\Sup.exe
        
        Sup /uninstall:add /archive Uninstall.zip /uninstall:remove /info "S Publisher Soletude" "S HelpLink https://go.soletude.ca/stagsi" "S URLInfoAbout https://go.soletude.ca/stagsi/support" "S Contact [email protected]" "S SettingsIdentifier Soletude\Stagsi;Soletude\Sup\Stagsi"
        5⤵
        
        PID:5012
    - - C:\Program Files (x86)\Stagsi\Sup.exe
        
        Sup /pipe - "C:\Program Files (x86)\Stagsi\_update\post\extra.bat" /1
        5⤵
        
        PID:3924
    - - C:\Program Files (x86)\Stagsi\_update\post\Supper.exe
        
        "C:\Program Files (x86)\Stagsi\_update\post\Supper" shortcut Uninstall.lnk "C:\Program Files (x86)\Stagsi\Sup.exe" /arg "/uninstall /archive Uninstall.zip"
        5⤵
        
        PID:4480
    - - C:\Program Files (x86)\Stagsi\_update\post\Supper.exe
        
        "C:\Program Files (x86)\Stagsi\_update\post\Supper" shortcut "C:\ProgramData\Microsoft\Windows\Start Menu\Stagsi.lnk" "C:\Program Files (x86)\Stagsi\Stagsi.exe" /desc "Stagsi - Soletude's Tagging System Interface"
        5⤵
        
        PID:4456
    - - C:\Program Files (x86)\Stagsi\_update\post\Supper.exe
        
        "C:\Program Files (x86)\Stagsi\_update\post\Supper" shortcut "C:\Users\Public\Desktop\Stagsi.lnk" "C:\Program Files (x86)\Stagsi\Stagsi.exe" /desc "Stagsi - Soletude's Tagging System Interface"
        5⤵
        
        PID:5084
    - - C:\Program Files (x86)\Stagsi\_update\post\Supper.exe
        
        "C:\Program Files (x86)\Stagsi\_update\post\Supper" genid Sup.json id=
        5⤵
        
        PID:1616
    - - C:\Program Files (x86)\Stagsi\Sup.exe
        
        Sup /service:add /service:remove
        5⤵
        
        PID:1888
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\MetadataExtractor.dll"
        5⤵
        
        PID:4924
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 0 -NGENProcess 214 -Pipe 220 -Comment "NGen Worker Process"
        6⤵
        
        PID:2976
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 2e8 -Pipe 21c -Comment "NGen Worker Process"
        6⤵
        
        PID:5360
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 0 -NGENProcess 2e8 -Pipe 2bc -Comment "NGen Worker Process"
        6⤵
        
        PID:5632
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
        6⤵
        
        PID:5616
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 31c -Pipe 2d4 -Comment "NGen Worker Process"
        6⤵
        
        PID:6084
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 2a4 -Comment "NGen Worker Process"
        6⤵
        
        PID:6020
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 2e0 -Comment "NGen Worker Process"
        6⤵
        
        PID:4680
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2bc -Pipe 2d0 -Comment "NGen Worker Process"
        6⤵
        
        PID:4848
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\Soletude.Common.dll"
        5⤵
        
        PID:5592
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 20c -Pipe 214 -Comment "NGen Worker Process"
        6⤵
        
        PID:5652
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2cc -Pipe 2bc -Comment "NGen Worker Process"
        6⤵
        
        PID:5360
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\Soletude.Components.dll"
        5⤵
        
        PID:5852
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2d8 -Comment "NGen Worker Process"
        6⤵
        
        PID:5384
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 0 -NGENProcess 210 -Pipe 218 -Comment "NGen Worker Process"
        6⤵
        
        PID:6064
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 2a4 -Pipe 314 -Comment "NGen Worker Process"
        6⤵
        
        PID:5520
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 0 -NGENProcess 2a4 -Pipe 2dc -Comment "NGen Worker Process"
        6⤵
        
        PID:5500
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 2fc -Pipe 2d0 -Comment "NGen Worker Process"
        6⤵
        
        PID:6020
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 2a0 -Pipe 210 -Comment "NGen Worker Process"
        6⤵
        
        PID:5792
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 208 -Pipe 31c -Comment "NGen Worker Process"
        6⤵
        
        PID:5964
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 330 -Pipe 2fc -Comment "NGen Worker Process"
        6⤵
        
        PID:5620
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 308 -Pipe 2c8 -Comment "NGen Worker Process"
        6⤵
        
        PID:5444
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 0 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
        6⤵
        
        PID:6128
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 30c -Pipe 308 -Comment "NGen Worker Process"
        6⤵
        
        PID:4932
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 0 -NGENProcess 310 -Pipe 31c -Comment "NGen Worker Process"
        6⤵
        
        PID:5572
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 2d4 -Pipe 318 -Comment "NGen Worker Process"
        6⤵
        
        PID:5784
    - - C:\Program Files (x86)\Stagsi\Sup.exe
        
        Sup /pipe - "C:\Program Files (x86)\Stagsi\Stagsi.exe"
        5⤵
        
        PID:4776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Sup /install /archive "C:\Users\Admin\AppData\Local\Temp\8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe" /offset 520716,2829606 /fresh "
        5⤵
        
        PID:4420
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\Soletude.Components.FileAssociations.dll"
        5⤵
        
        PID:6068
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 2d0 -Pipe 2bc -Comment "NGen Worker Process"
        6⤵
        
        PID:5468
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\Soletude.Stags.Library.dll"
        5⤵
        
        PID:4536
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2b4 -Pipe 2d8 -Comment "NGen Worker Process"
        6⤵
        
        PID:5772
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 228 -Pipe 23c -Comment "NGen Worker Process"
        6⤵
        
        PID:2828
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 0 -NGENProcess 2dc -Pipe 2b4 -Comment "NGen Worker Process"
        6⤵
        
        PID:5780
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 30c -Pipe 22c -Comment "NGen Worker Process"
        6⤵
        
        PID:3036
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 310 -Comment "NGen Worker Process"
        6⤵
        
        PID:6044
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 0 -NGENProcess 338 -Pipe 328 -Comment "NGen Worker Process"
        6⤵
        
        PID:5496
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 0 -NGENProcess 354 -Pipe 35c -Comment "NGen Worker Process"
        6⤵
        
        PID:5108
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 0 -NGENProcess 33c -Pipe 350 -Comment "NGen Worker Process"
        6⤵
        
        PID:6032
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 0 -NGENProcess 34c -Pipe 32c -Comment "NGen Worker Process"
        6⤵
        
        PID:5884
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 0 -NGENProcess 340 -Pipe 308 -Comment "NGen Worker Process"
        6⤵
        
        PID:5588
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 0 -NGENProcess 340 -Pipe 338 -Comment "NGen Worker Process"
        6⤵
        
        PID:5660
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 318 -Pipe 2cc -Comment "NGen Worker Process"
        6⤵
        
        PID:3016
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 34c -Pipe 364 -Comment "NGen Worker Process"
        6⤵
        
        PID:3348
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 0 -NGENProcess 324 -Pipe 2cc -Comment "NGen Worker Process"
        6⤵
        
        PID:5728
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 0 -NGENProcess 2dc -Pipe 33c -Comment "NGen Worker Process"
        6⤵
        
        PID:5396
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 314 -Pipe 324 -Comment "NGen Worker Process"
        6⤵
        
        PID:4420
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 370 -Pipe 2dc -Comment "NGen Worker Process"
        6⤵
        
        PID:5628
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 0 -NGENProcess 34c -Pipe 334 -Comment "NGen Worker Process"
        6⤵
        
        PID:6088
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 0 -NGENProcess 31c -Pipe 358 -Comment "NGen Worker Process"
        6⤵
        
        PID:464
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 0 -NGENProcess 30c -Pipe 2d4 -Comment "NGen Worker Process"
        6⤵
        
        PID:6024
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 0 -NGENProcess 2f8 -Pipe 370 -Comment "NGen Worker Process"
        6⤵
        
        PID:4876
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 0 -NGENProcess 228 -Pipe 2c4 -Comment "NGen Worker Process"
        6⤵
        
        PID:5424
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 0 -NGENProcess 2b8 -Pipe 320 -Comment "NGen Worker Process"
        6⤵
        
        PID:5964
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 218 -Pipe 2f0 -Comment "NGen Worker Process"
        6⤵
        
        PID:5736
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 330 -Pipe 31c -Comment "NGen Worker Process"
        6⤵
        
        PID:5996
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\Soletude.Stagsi.Plugins.dll"
        5⤵
        
        PID:5636
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"
        6⤵
        
        PID:5144
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 210 -Pipe 2a0 -Comment "NGen Worker Process"
        6⤵
        
        PID:6044
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\System.Data.SQLite.dll"
        5⤵
        
        PID:5748
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\XmpCore.dll"
        5⤵
        
        PID:5396
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 0 -NGENProcess 208 -Pipe 218 -Comment "NGen Worker Process"
        6⤵
        
        PID:5612
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 208 -Pipe 2b8 -Comment "NGen Worker Process"
        6⤵
        
        PID:5356
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 2b4 -Pipe 208 -Comment "NGen Worker Process"
        6⤵
        
        PID:6060
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 294 -Pipe 2b0 -Comment "NGen Worker Process"
        6⤵
        
        PID:6072
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2a0 -Comment "NGen Worker Process"
        6⤵
        
        PID:5968
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2bc -Comment "NGen Worker Process"
        6⤵
        
        PID:2892
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 2a4 -Pipe 29c -Comment "NGen Worker Process"
        6⤵
        
        PID:5432
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\en\Stagsi.resources.dll"
        5⤵
        
        PID:5576
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 208 -Pipe 2c8 -Comment "NGen Worker Process"
        6⤵
        
        PID:1516
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\Plugins\psd2pixels.dll"
        5⤵
        
        PID:4700
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"
        6⤵
        
        PID:964
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 208 -Pipe 2c0 -Comment "NGen Worker Process"
        6⤵
        
        PID:5928
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\Plugins\PsdPlugin.dll"
        5⤵
        
        PID:5884
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 0 -NGENProcess 210 -Pipe 21c -Comment "NGen Worker Process"
        6⤵
        
        PID:3304
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 230 -Pipe 2a0 -Comment "NGen Worker Process"
        6⤵
        
        PID:5188
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\Plugins\TxtPlugin.dll"
        5⤵
        
        PID:4316
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2d4 -Comment "NGen Worker Process"
        6⤵
        
        PID:5880
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\Plugins\WpfPlugin.dll"
        5⤵
        
        PID:4540
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 2b4 -Pipe 218 -Comment "NGen Worker Process"
        6⤵
        
        PID:2100
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\Plugins\XamlTune.dll"
        5⤵
        
        PID:2096
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2ac -Comment "NGen Worker Process"
        6⤵
        
        PID:5624
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\en\Soletude.Stags.Library.resources.dll"
        5⤵
        
        PID:5676
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\Plugins\XamlTunePlugin.dll"
        5⤵
        
        PID:4700
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 204 -Pipe 214 -Comment "NGen Worker Process"
        6⤵
        
        PID:1888
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
        6⤵
        
        PID:3772
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\ru\Soletude.Stags.Library.resources.dll"
        5⤵
        
        PID:2040
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 0 -NGENProcess 210 -Pipe 21c -Comment "NGen Worker Process"
        6⤵
        
        PID:5768
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent a8 -InterruptEvent 0 -NGENProcess 2a8 -Pipe 218 -Comment "NGen Worker Process"
        6⤵
        
        PID:5916
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\x64\SQLite.Interop.dll"
        5⤵
        
        PID:2632
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\x86\SQLite.Interop.dll"
        5⤵
        
        PID:1836
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319"\ngen install "C:\Program Files (x86)\Stagsi\ru\Stagsi.resources.dll"
        5⤵
        
        PID:3220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Stagsi\_update\pre\run.bat""
      4⤵
      PID:408

C:\Program Files (x86)\Stagsi\Sup.exe
"C:\Program Files (x86)\Stagsi\Sup.exe" /service
1⤵
PID:3464
- C:\Program Files (x86)\Stagsi\Stagsi.exe
  "C:\Program Files (x86)\Stagsi\Stagsi.exe"
  2⤵
  PID:5156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Stagsi\_update\post\extra.bat" /1"
  2⤵
  PID:3684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"
1⤵
PID:5752

C:\Program Files (x86)\Stagsi\_update\post\Supper.exe
"C:\Program Files (x86)\Stagsi\_update\post\Supper" shortcut "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Stagsi - find by hash.lnk" "C:\Program Files (x86)\Stagsi\Stagsi.exe" /arg /hash
1⤵
PID:4672

C:\Program Files (x86)\Stagsi\_update\post\Supper.exe
"C:\Program Files (x86)\Stagsi\_update\post\Supper" shortcut "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Stagsi - import.lnk" "C:\Program Files (x86)\Stagsi\Stagsi.exe" /arg /import
1⤵
PID:4004

C:\Windows\SysWOW64\find.exe
find "/fresh"
1⤵
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Sup /install /archive "C:\Users\Admin\AppData\Local\Temp\8526b8f067b859b6664b8b45f0d1dd17940515b5f7a6e85eef5013fe6c678afa.exe" /offset 520716,2829606 /fresh "
1⤵
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 0 -NGENProcess 21c -Pipe 228 -Comment "NGen Worker Process"
1⤵
PID:5252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"
1⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 0 -NGENProcess 20c -Pipe 218 -Comment "NGen Worker Process"
1⤵
PID:5812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 0 -NGENProcess 210 -Pipe 21c -Comment "NGen Worker Process"
1⤵
PID:3444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 2a4 -Pipe 2b4 -Comment "NGen Worker Process"
1⤵
PID:5828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"
1⤵
PID:5976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"
1⤵
PID:5404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"
1⤵
PID:5276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 0 -NGENProcess 20c -Pipe 218 -Comment "NGen Worker Process"
1⤵
PID:6128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 0 -NGENProcess 210 -Pipe 21c -Comment "NGen Worker Process"
1⤵
PID:3344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
1⤵
PID:5812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log

Filesize
148KB

MD5
b46303842c2798b31ffcd708b794a2dc

SHA1
e46f1c788abcdf8efe86f5d7b313e2a00f5c14d8

SHA256
2add533ba992b0433a9efd313348e26b0c6f493da534e3e7ceec724914b6976a

SHA512
58dbe54e218aa20e3f2600f45573d56aa542e878c95d0253314fae5fb42afa200abe0b6d664c5ad642598142c75e605b2d5adf7f3e4e548dba6f3b10ed0d6b1a

Download Submit
memory/1888-106-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/1888-99-0x00000000064E0000-0x0000000006502000-memory.dmp

Filesize
136KB

Download
memory/1888-94-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/1888-92-0x0000000000870000-0x000000000090C000-memory.dmp

Filesize
624KB

Download
memory/1888-93-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/2088-8-0x0000000005BE0000-0x0000000005C1C000-memory.dmp

Filesize
240KB

Download
memory/2088-31-0x0000000006E70000-0x0000000006E7C000-memory.dmp

Filesize
48KB

Download
memory/2088-22-0x0000000006F20000-0x0000000006F3C000-memory.dmp

Filesize
112KB

Download
memory/2088-21-0x0000000006E50000-0x0000000006E58000-memory.dmp

Filesize
32KB

Download
memory/2088-33-0x0000000007010000-0x000000000705C000-memory.dmp

Filesize
304KB

Download
memory/2088-35-0x0000000006EB0000-0x0000000006ED1000-memory.dmp

Filesize
132KB

Download
memory/2088-34-0x00000000070A0000-0x00000000070DC000-memory.dmp

Filesize
240KB

Download
memory/2088-40-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/2088-39-0x0000000007070000-0x000000000707A000-memory.dmp

Filesize
40KB

Download
memory/2088-7-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

Filesize
72KB

Download
memory/2088-6-0x0000000005A40000-0x0000000005A60000-memory.dmp

Filesize
128KB

Download
memory/2088-5-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download
memory/2088-3-0x00000000060F0000-0x0000000006694000-memory.dmp

Filesize
5.6MB

Download
memory/2088-4-0x0000000005B40000-0x0000000005BD2000-memory.dmp

Filesize
584KB

Download
memory/2088-1-0x0000000000FC0000-0x000000000105C000-memory.dmp

Filesize
624KB

Download
memory/2088-155-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download
memory/2088-153-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/2088-2-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/2976-199-0x00000000059F0000-0x0000000005AA2000-memory.dmp

Filesize
712KB

Download
memory/2976-198-0x00000000058E0000-0x0000000005930000-memory.dmp

Filesize
320KB

Download
memory/2976-201-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/2976-196-0x00000000057D0000-0x00000000057F6000-memory.dmp

Filesize
152KB

Download
memory/2976-200-0x0000000005930000-0x0000000005952000-memory.dmp

Filesize
136KB

Download
memory/2976-191-0x0000000005810000-0x0000000005884000-memory.dmp

Filesize
464KB

Download
memory/2976-197-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/3464-151-0x0000000005A90000-0x0000000005B9A000-memory.dmp

Filesize
1.0MB

Download
memory/3464-143-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/3464-234-0x00000000041E0000-0x00000000041F0000-memory.dmp

Filesize
64KB

Download
memory/3464-211-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/3924-130-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/3924-175-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/3924-139-0x00000000068E0000-0x0000000006EF8000-memory.dmp

Filesize
6.1MB

Download
memory/3924-131-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/3924-154-0x000000007F4D0000-0x000000007F4E0000-memory.dmp

Filesize
64KB

Download
memory/4680-307-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/4680-213-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/4680-261-0x00000000628D0000-0x0000000062B5E000-memory.dmp

Filesize
2.6MB

Download
memory/4776-178-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/4776-202-0x000000007FDC0000-0x000000007FDD0000-memory.dmp

Filesize
64KB

Download
memory/4776-179-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/4848-209-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/4848-228-0x0000000010000000-0x0000000010158000-memory.dmp

Filesize
1.3MB

Download
memory/4848-259-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/5012-125-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/5012-118-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/5012-119-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/5156-306-0x0000000005F70000-0x0000000005F78000-memory.dmp

Filesize
32KB

Download
memory/5156-300-0x0000000005F80000-0x0000000005FDC000-memory.dmp

Filesize
368KB

Download
memory/5156-258-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/5156-253-0x0000000005010000-0x0000000005364000-memory.dmp

Filesize
3.3MB

Download
memory/5156-221-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/5156-311-0x0000000006260000-0x0000000006285000-memory.dmp

Filesize
148KB

Download
memory/5156-296-0x0000000005F00000-0x0000000005F16000-memory.dmp

Filesize
88KB

Download
memory/5156-243-0x0000000004EF0000-0x0000000004EF8000-memory.dmp

Filesize
32KB

Download
memory/5156-223-0x0000000000070000-0x0000000000136000-memory.dmp

Filesize
792KB

Download
memory/5156-249-0x0000000004F20000-0x0000000004F40000-memory.dmp

Filesize
128KB

Download
memory/5156-227-0x0000000004A50000-0x0000000004B12000-memory.dmp

Filesize
776KB

Download
memory/5156-232-0x0000000004860000-0x0000000004868000-memory.dmp

Filesize
32KB

Download
memory/5360-263-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/5360-423-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/5360-308-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/5360-269-0x0000000064D10000-0x0000000064DE8000-memory.dmp

Filesize
864KB

Download
memory/5616-310-0x0000000072970000-0x0000000073120000-memory.dmp

Filesize
7.7MB

Download
memory/5616-314-0x0000000061F60000-0x0000000061FA7000-memory.dmp

Filesize
284KB

Download
memory/5632-334-0x0000000010000000-0x0000000010069000-memory.dmp

Filesize
420KB

Download
memory/6020-384-0x0000000053270000-0x000000005333C000-memory.dmp

Filesize
816KB

Download
memory/6084-380-0x0000000005D00000-0x0000000005D20000-memory.dmp

Filesize
128KB

Download