zgrat | 4641f9693582852a6259a184c1a9e07d9d8d7195477e37ae95553864bb4150ab

Analysis

max time kernel
283s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4PROLoader.exe
Size

13.6MB
MD5

94fea3c3b17c977694855e4ac54c4787
SHA1

9b4ea5bfa334868a26064383be57bd1a5d651337
SHA256

4641f9693582852a6259a184c1a9e07d9d8d7195477e37ae95553864bb4150ab
SHA512

f1c8ada5d0fe80610a8a18028ac06321a35fa9a7ccbfc10ab2b25bb347938cc27af66711ae7312319f2b924213c75f77bc9cc4486c9c65dde9052fee45774183
SSDEEP

393216:fKBYUYZdsuCU6+RNthTG5cWcOifBtwISdL:1+uC6v3G5cWSOI

Score

10^/10

zgrat evasion persistence rat

Malware Config

Signatures

Detect ZGRat V1 36 IoCs

resource	yara_rule
behavioral1/memory/1148-2-0x0000029EFB230000-0x0000029EFBE94000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-3-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-4-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-6-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-8-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-10-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-12-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-14-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-16-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-18-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-20-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-22-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-24-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-26-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-28-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-30-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-32-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-34-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-36-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-38-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-40-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-42-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-44-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-46-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-48-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-50-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-52-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-54-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-56-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-58-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-60-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-62-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-64-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/1148-66-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2280-968-0x0000000005B70000-0x0000000005E0C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2984-1971-0x0000000005570000-0x0000000005608000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	C4PROLoader.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	C4PROLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Qszdb.exe

Executes dropped EXE 17 IoCs

pid	Process
2280	Qszdb.exe
4692	Qszdb.exe
4036	C4.exe
2984	Rdrryetwc.exe
1648	Rdrryetwc.exe
3996	fodhelper.exe
4844	fodhelper.exe
5040	fodhelper.exe
2876	fodhelper.exe
3436	fodhelper.exe
540	fodhelper.exe
2060	fodhelper.exe
4580	fodhelper.exe
3432	fodhelper.exe
912	fodhelper.exe
3700	fodhelper.exe
4460	fodhelper.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	C4PROLoader.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 1148 set thread context of 3968	1148	C4PROLoader.exe	101
PID 2280 set thread context of 4692	2280	Qszdb.exe	122
PID 2984 set thread context of 1648	2984	Rdrryetwc.exe	129
PID 3996 set thread context of 4844	3996	fodhelper.exe	132
PID 5040 set thread context of 540	5040	fodhelper.exe	139
PID 2060 set thread context of 912	2060	fodhelper.exe	153
PID 3700 set thread context of 4460	3700	fodhelper.exe	157

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3556	sc.exe
2508	sc.exe
1552	sc.exe
4676	sc.exe
4576	sc.exe
2276	sc.exe
4384	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4592	schtasks.exe
224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4824	powershell.exe
4824	powershell.exe
4824	powershell.exe
3968	C4PROLoader.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
3968	C4PROLoader.exe
3968	C4PROLoader.exe
3968	C4PROLoader.exe
3968	C4PROLoader.exe
3968	C4PROLoader.exe
3968	C4PROLoader.exe
3968	C4PROLoader.exe
3968	C4PROLoader.exe
464	powershell.exe
464	powershell.exe
5040	fodhelper.exe
5040	fodhelper.exe
5040	fodhelper.exe
5040	fodhelper.exe
2060	fodhelper.exe
2060	fodhelper.exe
2060	fodhelper.exe
2060	fodhelper.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	C4PROLoader.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	2280	Qszdb.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2984	Rdrryetwc.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	3996	fodhelper.exe
Token: SeDebugPrivilege	5040	fodhelper.exe
Token: SeDebugPrivilege	2060	fodhelper.exe
Token: SeDebugPrivilege	3700	fodhelper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 4824	1148	C4PROLoader.exe	99
PID 1148 wrote to memory of 4824	1148	C4PROLoader.exe	99
PID 1148 wrote to memory of 2280	1148	C4PROLoader.exe	100
PID 1148 wrote to memory of 2280	1148	C4PROLoader.exe	100
PID 1148 wrote to memory of 2280	1148	C4PROLoader.exe	100
PID 1148 wrote to memory of 3968	1148	C4PROLoader.exe	101
PID 1148 wrote to memory of 3968	1148	C4PROLoader.exe	101
PID 1148 wrote to memory of 3968	1148	C4PROLoader.exe	101
PID 1148 wrote to memory of 3968	1148	C4PROLoader.exe	101
PID 1148 wrote to memory of 3968	1148	C4PROLoader.exe	101
PID 1148 wrote to memory of 3968	1148	C4PROLoader.exe	101
PID 1148 wrote to memory of 3968	1148	C4PROLoader.exe	101
PID 1148 wrote to memory of 3968	1148	C4PROLoader.exe	101
PID 1148 wrote to memory of 3968	1148	C4PROLoader.exe	101
PID 1148 wrote to memory of 3968	1148	C4PROLoader.exe	101
PID 1148 wrote to memory of 3968	1148	C4PROLoader.exe	101
PID 3240 wrote to memory of 428	3240	cmd.exe	110
PID 3240 wrote to memory of 428	3240	cmd.exe	110
PID 2280 wrote to memory of 4692	2280	Qszdb.exe	122
PID 2280 wrote to memory of 4692	2280	Qszdb.exe	122
PID 2280 wrote to memory of 4692	2280	Qszdb.exe	122
PID 2280 wrote to memory of 4692	2280	Qszdb.exe	122
PID 2280 wrote to memory of 4692	2280	Qszdb.exe	122
PID 2280 wrote to memory of 4692	2280	Qszdb.exe	122
PID 2280 wrote to memory of 4692	2280	Qszdb.exe	122
PID 2280 wrote to memory of 4692	2280	Qszdb.exe	122
PID 4692 wrote to memory of 464	4692	Qszdb.exe	123
PID 4692 wrote to memory of 464	4692	Qszdb.exe	123
PID 4692 wrote to memory of 464	4692	Qszdb.exe	123
PID 4692 wrote to memory of 4036	4692	Qszdb.exe	126
PID 4692 wrote to memory of 4036	4692	Qszdb.exe	126
PID 4692 wrote to memory of 4036	4692	Qszdb.exe	126
PID 4692 wrote to memory of 2984	4692	Qszdb.exe	125
PID 4692 wrote to memory of 2984	4692	Qszdb.exe	125
PID 4692 wrote to memory of 2984	4692	Qszdb.exe	125
PID 2984 wrote to memory of 1648	2984	Rdrryetwc.exe	129
PID 2984 wrote to memory of 1648	2984	Rdrryetwc.exe	129
PID 2984 wrote to memory of 1648	2984	Rdrryetwc.exe	129
PID 2984 wrote to memory of 1648	2984	Rdrryetwc.exe	129
PID 2984 wrote to memory of 1648	2984	Rdrryetwc.exe	129
PID 2984 wrote to memory of 1648	2984	Rdrryetwc.exe	129
PID 2984 wrote to memory of 1648	2984	Rdrryetwc.exe	129
PID 2984 wrote to memory of 1648	2984	Rdrryetwc.exe	129
PID 1648 wrote to memory of 4592	1648	Rdrryetwc.exe	128
PID 1648 wrote to memory of 4592	1648	Rdrryetwc.exe	128
PID 1648 wrote to memory of 4592	1648	Rdrryetwc.exe	128
PID 3996 wrote to memory of 4844	3996	fodhelper.exe	132
PID 3996 wrote to memory of 4844	3996	fodhelper.exe	132
PID 3996 wrote to memory of 4844	3996	fodhelper.exe	132
PID 3996 wrote to memory of 4844	3996	fodhelper.exe	132
PID 3996 wrote to memory of 4844	3996	fodhelper.exe	132
PID 3996 wrote to memory of 4844	3996	fodhelper.exe	132
PID 3996 wrote to memory of 4844	3996	fodhelper.exe	132
PID 3996 wrote to memory of 4844	3996	fodhelper.exe	132
PID 4844 wrote to memory of 224	4844	fodhelper.exe	134
PID 4844 wrote to memory of 224	4844	fodhelper.exe	134
PID 4844 wrote to memory of 224	4844	fodhelper.exe	134
PID 5040 wrote to memory of 2876	5040	fodhelper.exe	141
PID 5040 wrote to memory of 2876	5040	fodhelper.exe	141
PID 5040 wrote to memory of 2876	5040	fodhelper.exe	141
PID 5040 wrote to memory of 3436	5040	fodhelper.exe	140
PID 5040 wrote to memory of 3436	5040	fodhelper.exe	140
PID 5040 wrote to memory of 3436	5040	fodhelper.exe	140
PID 5040 wrote to memory of 540	5040	fodhelper.exe	139

C:\Users\Admin\AppData\Local\Temp\C4PROLoader.exe
"C:\Users\Admin\AppData\Local\Temp\C4PROLoader.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAQwA0AFAAUgBPAEwAbwBhAGQAZQByAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADQAUABSAE8ATABvAGEAZABlAHIALgBlAHgAZQA7AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Users\Admin\AppData\Local\Temp\Qszdb.exe
  "C:\Users\Admin\AppData\Local\Temp\Qszdb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\Qszdb.exe
    C:\Users\Admin\AppData\Local\Temp\Qszdb.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAcABsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAdABxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAeABhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAcQB2ACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:464
  - - C:\Users\Admin\AppData\Local\Temp\Rdrryetwc.exe
      "C:\Users\Admin\AppData\Local\Temp\Rdrryetwc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Users\Admin\AppData\Local\Temp\Rdrryetwc.exe
        
        C:\Users\Admin\AppData\Local\Temp\Rdrryetwc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\C4.exe
      "C:\Users\Admin\AppData\Local\Temp\C4.exe"
      4⤵
      Executes dropped EXE
      PID:4036
- C:\Users\Admin\AppData\Local\Temp\C4PROLoader.exe
  C:\Users\Admin\AppData\Local\Temp\C4PROLoader.exe
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3968
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2508
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1552
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4676
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4576
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3240
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "EdgeUpdateTaskMachinesCored"
    3⤵
    - Launches sc.exe
    PID:4384
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "EdgeUpdateTaskMachinesCored" binpath= "C:\ProgramData\Edge\EdgeUpdater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3556

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:428

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
1⤵
- Creates scheduled task(s)
PID:4592

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    3⤵
    - Creates scheduled task(s)
    PID:224

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:2876

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:4580

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3700
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Qszdb.exe.log

Filesize
1KB

MD5
f7047b64aa01f9d80c7a5e177ce2485c

SHA1
bab6005f4a30f12ee36b9abf6bfdfaa5411bbff8

SHA256
807356d2424d2d04f51ebd56f926d4d5a8318bc947c76569a3b5ca2c2f279915

SHA512
a9af5ace72eb66a6156a5d8764031cdc46feefffabb6898651f91a5af7f3bcef645e63e8d01ed35f1105e824d6830f6fa97e70adda2d5b148ffaff5f54ca248f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fodhelper.exe.log

Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4.exe

Filesize
102KB

MD5
d1dade5c9fc1d28df6509f1b760fa145

SHA1
d162e2889980af414d3d04c93ebdf8310ec7abef

SHA256
4bdccd5ecf7a78dbd047e12df6995e671a2974fe3fbf5c07c8ab3eb9e896ecd3

SHA512
f072bc6e5bbce3c57e53c01f17448d4aa259ae270e2017e1789f0ca9c084c881869b04f114358ef94d930112e2505a7052b22e31bfc6522655c8d9338b552a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4.exe

Filesize
134KB

MD5
d2fd4f9f72b02912e73413ded1f5cbe2

SHA1
835db712c28988b3542893703c17c0411ce2d3ca

SHA256
3236ece877d471e8d5b5bb34bc51c90a94a4237ce84bcf1d907dc42429703dc2

SHA512
22d03ee8f87dc868a2b9fdc392812c6d296496b5b51d57ea13b76f2e53edcbb4cd1256d6c7d9e1172af86dcf20d0522bb462702c8ceaf938a41593b8c0bb31f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4.exe

Filesize
94KB

MD5
40cf4033e407b1caa292ebb9463f950f

SHA1
584c96b43304e5460de0eaf00ce0a2a49f3c610b

SHA256
537271ef084442f7e57fabe2da0dc5caaf4d6f4f0ec394129113b588d527718e

SHA512
211191e0783ba52fb443aa6130165ae595d04fc8adeb38cd91844db835737586e8e5ec1aa0a79de81f4cf08233610f500a31a09ec5769e7ec86e264f38dd9abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qszdb.exe

Filesize
89KB

MD5
fe84ae6b1132352384945fd114d9da68

SHA1
9d56329b05af3d870b4c6fb97cfc4d4a5dc3b4a8

SHA256
dd6689da221871c0bc2be13367b1f1bcaa81184384a27763c73cdad0ae69231f

SHA512
ba924f31a43e038caac6050344ae8c69b67aaf8528ea6c82585f065ddfe5b2ee9dc80a98494e07fb38b7a3ca7e720b672fb2c29eddf4dbbe7b6e6957ea2da18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qszdb.exe

Filesize
37KB

MD5
f26ad822daac8bffed127b4fa8c1832a

SHA1
895c84fdc2f891e27514bc2fe14129eab36aeb33

SHA256
ced1785bb1387e93cf28ae18734f75a0ea9d6f32eb11641691f7ddb32960654e

SHA512
862d18b2c39716882824e5519063de6bf84ae478fba9c9e40d61f562f2e766cbbeb7ca957c538e1b33961dc0c46b4aac939ceadb07a05299a1a55de45804fc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qszdb.exe

Filesize
61KB

MD5
8e6a5f470c1137dd3696eee8540f0567

SHA1
f094731f9bf610a7ae47c7991254ce2b825250ba

SHA256
a5502f27983189cfc964088237fca0a0ae2a8f643105ec063cb4e6529c5d65ff

SHA512
a7fdbcc70dd856d683d0a8fddbe9890d3bbb856fd47b9440f7e4510b2cf17073dc1b7290fc7681d4a57612e91dbd1f4fdb07b3574477862e398248f48c41fe3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qszdb.exe

Filesize
20KB

MD5
c8c9570e51ef128eb095f21c2293fc6d

SHA1
cf64dae8e61dff4a0a6e752728cdc9b0dea12993

SHA256
39ae10c0fbfcc36b388aed24e3d93430b4d609832341ab1d63fe5e211e2049ec

SHA512
7ab78da5a90a5a907bc6032210053ee590b0cc3d0e28b5ca3d1b7ddb26d96854fd84af408c9fbfa1ea2489bf46e66cdd26b7289bf53f32594917985f9639c978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rdrryetwc.exe

Filesize
69KB

MD5
f2e4359797d88e9fd84432fbc452744d

SHA1
c2a24162115db28325cc52ccb288f26c050c37dc

SHA256
08f621623fb1a904953c0e7b41797338986fd93e86884c627ada3ac9b990909a

SHA512
f5bd4f064e899f1690e821b40b5c48090efc5a8900c5c1c1812252f75605be8528d3648766b736373b5f46441188446534aff4096c16eb99d625a6a9ca415d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rdrryetwc.exe

Filesize
62KB

MD5
ff9e902a782ad88c0b78f85628ba0243

SHA1
e37534875a8c59ec839c8207fb363140bd0b37a3

SHA256
023481aa1cd3d13875356fd9d61ecd4f70c5d6170eadd0f5a3df941879b5d48c

SHA512
881fd7710d66e7c02443d7ef415a357fd539ed6b9c3419cf5c9e84502ef8ec1c904cb7db068ab7619c6bf0786b682ce4df35f8f1386d070f44744e476164040b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rdrryetwc.exe

Filesize
73KB

MD5
5e47a4afe07627e6de85cc09ca5a63cb

SHA1
1cf310cab08923ea370bfc2a4e6f0c58410a842f

SHA256
da06e6c259257f00bf20c90eb00d5a07607359c8d20116a461ae81dfede71a0b

SHA512
d487347442f130f9196b303bfc6346eafb8facbe63fb5cd48eae3f57eaf72aa7802d0bfc8091e4c3f3d65b784c671f9a961614272805c805b9f93d3dfbcc9a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rdrryetwc.exe

Filesize
188KB

MD5
d22f92379aae79c63695931d2e5e2e10

SHA1
16521014b9257ef49771c7c2e80da40f73af0f0d

SHA256
ff46fdec864cf13e5808a0534b86993a2102cabc12712b6783f597ed2c809ba9

SHA512
7de2bf3b236f6c78f424c6e2ecf12476e43d9d0c769621cbfce6980f5839a790d02879643963b13eadfd4eeef4290701db19f8f716fa72a4d5341fe07b7d5215

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zrcvhyr4.nx5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
203KB

MD5
552760d0e13a9dd3faada909ff71ae0e

SHA1
995be2169b0fcf6a4ab25a3a0a12e87bbacbfc8a

SHA256
15f0f390b967ac1f57f110f2666f75419c52d55f7f3edb6d850972a4d2cb533c

SHA512
fd329b3b20badc2588c9bab464446d30aec3ce80ae8481220f1e6ec5629cc61cae9da86488b2cec270863d11948c934b0efa5813e045cece8d5c6b35339d0b7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
142KB

MD5
4802f9cedecc6a3b26dbf4bb39a9258e

SHA1
b70ce4d2b59d4a21ade0884ba887ac08da6d4b54

SHA256
5b354341ea6b6d47a65eb7691324aae200c4ae7f26113ad140b1a1c631d23845

SHA512
e37863085dbefe519ff004fe93769ad7dabc6fad674736e6f6348033a618b5c36ffbc005b559300c39feda957353a785abc96abd25dae7ac3c0c0688b66a764c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
13KB

MD5
2ce3809af43aac2b4aa55b0e058999d3

SHA1
183d6ca7b04e0c356fdf28f99ec219741ff19152

SHA256
667e227e90570b67c387a5a6b52f00cef9c81b52ef6a02b3bfdac6f3fc0b6b82

SHA512
869fc06348a8689492614e67ca6070961378ef5a758e9b0ff6a5feda87f42fdedfe4931e9da7a7a86799afe93ab89e63161f44562490aea93a1452b5840a63be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
633KB

MD5
ac573a3505428582a6f27d08daabd794

SHA1
b6a80bab1168fe148ef3d455534c1cad3af44f00

SHA256
acd4681bd06c15878aba9b25e01e329b2b22ab3ae4380f7bd4e7e89a7b46b911

SHA512
2fb231dce895e2807fedd7c4e30bd70b99559c0855d74dc03b5858ca4f30139020b112d67dd94e2610fb3f5e5c65c883837ce08c4f778dc9e2d09bf04f8e60ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
279KB

MD5
9c958fa7a965124c71619b516bdef026

SHA1
c5da5ff9ef628af7a4b0d4c7c1df4a7bc7a1de4f

SHA256
2e218c5df53398284dfe4f28033b0be805c4f2acc2708bba94630dc9e286b89c

SHA512
147f197e67b3e4cf9934774a2e31dc182ffe64044a7c3f512aee0fd7cee9f781fbaf220840f3767a930bd1ac6af8b2df8bbeb10b62693307ee5abb5be5288360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
241KB

MD5
a1cb02962aeb2bd5448497bb7156ae51

SHA1
c44912b9250ba680bc838fc001c7555534a1f818

SHA256
0847ddd398dc2323b42f97c4315edf8d9bc9ff60525d9d7ebcf501d85655ca60

SHA512
046c95fa00a583aa96000614e449346c7fd56b5ccbd462b300325164587a76645f8c385b118e8422e678d50067fbc0be4ff43b17adf43d91271ea298a2ed109f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
327KB

MD5
dbfcb28b511cfb9a1f1be787caac5773

SHA1
c443e38a47c0241edf5fc910ac3b47b30c42a5cb

SHA256
310aaf29392aedde020af205106a188cb6ddfec4606c675336ff84f6847ae619

SHA512
fcff736cbf7e0dcf4321bd2427fd7a6f87dbd6c2603a35b1459f2be789c69e2f2d27b00955c9410a1d5cb68d6957e11c8b62f28d43151481e23e8f91ba50e520

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
233KB

MD5
e4fb1cedad99993223370cfa2bf69607

SHA1
77473730f8ee71e74acf7144cfff5d2418896921

SHA256
ef1d283162aa16091de12d243318363545f1658e618ff5e26bca11fa0d1814d6

SHA512
85c7eb8ed09de0db5ad9d2c8752a13090479fcf67a56ff27f776b0abb2875fd6634c4281d4c45aaed62ca5c4e2bb0d16e1ce2acbd0ad2aaa4221262fc9763482

Download Submit
memory/464-2090-0x0000000007340000-0x0000000007372000-memory.dmp

Filesize
200KB

Download
memory/464-2146-0x0000000007730000-0x000000000773A000-memory.dmp

Filesize
40KB

Download
memory/464-1986-0x00000000053C0000-0x00000000053E2000-memory.dmp

Filesize
136KB

Download
memory/464-1964-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/464-1969-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/464-2035-0x00000000063A0000-0x00000000063BE000-memory.dmp

Filesize
120KB

Download
memory/464-1953-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/464-1955-0x00000000055B0000-0x0000000005BD8000-memory.dmp

Filesize
6.2MB

Download
memory/464-1944-0x0000000004DE0000-0x0000000004E16000-memory.dmp

Filesize
216KB

Download
memory/464-2091-0x000000007FA80000-0x000000007FA90000-memory.dmp

Filesize
64KB

Download
memory/464-2104-0x0000000006930000-0x000000000694E000-memory.dmp

Filesize
120KB

Download
memory/464-2108-0x0000000007580000-0x0000000007623000-memory.dmp

Filesize
652KB

Download
memory/464-2106-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/464-2093-0x0000000072600000-0x000000007264C000-memory.dmp

Filesize
304KB

Download
memory/464-1997-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/464-2134-0x00000000076B0000-0x00000000076CA000-memory.dmp

Filesize
104KB

Download
memory/464-2131-0x0000000007CF0000-0x000000000836A000-memory.dmp

Filesize
6.5MB

Download
memory/1148-938-0x0000029EFBE90000-0x0000029EFCA8A000-memory.dmp

Filesize
12.0MB

Download
memory/1148-939-0x0000029EE2AA0000-0x0000029EE2AEC000-memory.dmp

Filesize
304KB

Download
memory/1148-40-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-38-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-36-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-34-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-32-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-30-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-28-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-26-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-972-0x00007FFEF8F60000-0x00007FFEF9A21000-memory.dmp

Filesize
10.8MB

Download
memory/1148-24-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-22-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-20-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-18-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-44-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-16-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-14-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-1-0x00007FFEF8F60000-0x00007FFEF9A21000-memory.dmp

Filesize
10.8MB

Download
memory/1148-46-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-48-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-42-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-936-0x0000029EE2A70000-0x0000029EE2A80000-memory.dmp

Filesize
64KB

Download
memory/1148-937-0x0000029EE2A80000-0x0000029EE2A81000-memory.dmp

Filesize
4KB

Download
memory/1148-867-0x00007FFEF8F60000-0x00007FFEF9A21000-memory.dmp

Filesize
10.8MB

Download
memory/1148-66-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-64-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-62-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-12-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-10-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-8-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-60-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-6-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-4-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-58-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-56-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-54-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-3-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-2-0x0000029EFB230000-0x0000029EFBE94000-memory.dmp

Filesize
12.4MB

Download
memory/1148-52-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1148-0-0x0000029EDFFF0000-0x0000029EE0D82000-memory.dmp

Filesize
13.6MB

Download
memory/1148-50-0x0000029EFB230000-0x0000029EFBE8D000-memory.dmp

Filesize
12.4MB

Download
memory/1580-1415-0x00007FFEF8F60000-0x00007FFEF9A21000-memory.dmp

Filesize
10.8MB

Download
memory/1580-1069-0x000002257BFD0000-0x000002257BFE0000-memory.dmp

Filesize
64KB

Download
memory/1580-1068-0x00007FFEF8F60000-0x00007FFEF9A21000-memory.dmp

Filesize
10.8MB

Download
memory/1580-1072-0x000002257BFD0000-0x000002257BFE0000-memory.dmp

Filesize
64KB

Download
memory/2280-1932-0x0000000007960000-0x0000000007F04000-memory.dmp

Filesize
5.6MB

Download
memory/2280-968-0x0000000005B70000-0x0000000005E0C000-memory.dmp

Filesize
2.6MB

Download
memory/2280-1939-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/2280-1927-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/2280-964-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/2280-1928-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/2280-965-0x0000000000E50000-0x0000000001206000-memory.dmp

Filesize
3.7MB

Download
memory/2280-1930-0x0000000007290000-0x0000000007322000-memory.dmp

Filesize
584KB

Download
memory/2280-1929-0x0000000006F60000-0x0000000007192000-memory.dmp

Filesize
2.2MB

Download
memory/2280-1931-0x0000000007330000-0x0000000007396000-memory.dmp

Filesize
408KB

Download
memory/2984-1980-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/2984-1968-0x0000000000C90000-0x0000000000D34000-memory.dmp

Filesize
656KB

Download
memory/2984-1971-0x0000000005570000-0x0000000005608000-memory.dmp

Filesize
608KB

Download
memory/3968-975-0x0000000140000000-0x0000000140CBE000-memory.dmp

Filesize
12.7MB

Download
memory/3968-1535-0x0000000140000000-0x0000000140CBE000-memory.dmp

Filesize
12.7MB

Download
memory/4036-2002-0x0000000005EE0000-0x000000000602E000-memory.dmp

Filesize
1.3MB

Download
memory/4036-1957-0x00000000004E0000-0x000000000064C000-memory.dmp

Filesize
1.4MB

Download
memory/4036-1994-0x0000000005450000-0x000000000545A000-memory.dmp

Filesize
40KB

Download
memory/4036-1982-0x0000000005290000-0x00000000052DC000-memory.dmp

Filesize
304KB

Download
memory/4036-1977-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/4036-1972-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4036-2038-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4036-1973-0x0000000005120000-0x0000000005286000-memory.dmp

Filesize
1.4MB

Download
memory/4036-1976-0x0000000005B80000-0x0000000005ED4000-memory.dmp

Filesize
3.3MB

Download
memory/4036-2005-0x0000000005430000-0x0000000005444000-memory.dmp

Filesize
80KB

Download
memory/4692-1937-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/4692-1970-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/4692-1938-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/4692-1940-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/4824-1335-0x00007FFEF8F60000-0x00007FFEF9A21000-memory.dmp

Filesize
10.8MB

Download
memory/4824-955-0x000001FCD3650000-0x000001FCD3672000-memory.dmp

Filesize
136KB

Download
memory/4824-961-0x00007FFEF8F60000-0x00007FFEF9A21000-memory.dmp

Filesize
10.8MB

Download
memory/4824-962-0x000001FCD3680000-0x000001FCD3690000-memory.dmp

Filesize
64KB

Download
memory/4824-963-0x000001FCD3680000-0x000001FCD3690000-memory.dmp

Filesize
64KB

Download