growtopia | aa094222e49bcf065d68a71ae3ee75b23d6117b991b48a6dc26e38187fc43e76

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-01-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GXImageLogger/GX_Builder.exe
Size

12.9MB
MD5

de6416915830c63685b6771684689d36
SHA1

f3516b1816295056c870e3c15a52aafbf4e9aab3
SHA256

965e26ab119bb1fe78e0f2e9f3a4b85de6b308100faa6c12dd6aa60ee52f42ef
SHA512

7efb6ba401dad084f2e7aa0af834171724168f2bd28da2d28fd3c1083b6286b262f352fe6dac703eacb5624f8b810918293d563353dafd85ac96532da61f25a7
SSDEEP

393216:oNOnxeqv5yEgPDflLNVga2D3o5Doo7Mm:0OnxD56DtLzGD3ohoo7Mm

Score

10^/10

growtopia zgrat evasion persistence pyinstaller rat stealer

Malware Config

Extracted

Family

growtopia

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2724-63-0x0000000000480000-0x00000000004EC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-101-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-117-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-125-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-133-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-135-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-131-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-129-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-127-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-123-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-121-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-112-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-109-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-107-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-105-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-103-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-99-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-97-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-95-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-93-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-91-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-89-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-87-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-85-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-83-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-81-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-79-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-77-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-75-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-73-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-71-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-69-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-66-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-67-0x0000000000480000-0x00000000004E5000-memory.dmp	family_zgrat_v1

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 9 IoCs

Processes:

Ilkdt.exeWinHostMgr.exeWinErrorMgr.exeSahyui1337.exeKeyGeneratorTOP.exeKeyGeneratorTOP.exeWinErrorMgr.exebauwrdgwodhv.exe

pid	Process
2724	Ilkdt.exe
2716	WinHostMgr.exe
2560	WinErrorMgr.exe
2292	Sahyui1337.exe
2424	KeyGeneratorTOP.exe
1576	KeyGeneratorTOP.exe
1440	WinErrorMgr.exe
480
400	bauwrdgwodhv.exe

Loads dropped DLL 10 IoCs

Processes:

GX_Builder.exeKeyGeneratorTOP.exeWinErrorMgr.exeKeyGeneratorTOP.exe

pid	Process
1848	GX_Builder.exe
1848	GX_Builder.exe
1848	GX_Builder.exe
1848	GX_Builder.exe
1848	GX_Builder.exe
1848	GX_Builder.exe
2424	KeyGeneratorTOP.exe
2560	WinErrorMgr.exe
1576	KeyGeneratorTOP.exe
480

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

Processes:

flow	ioc
9	pastebin.com
2	discord.com
3	discord.com
8	pastebin.com

Drops file in System32 directory 3 IoCs

Processes:

bauwrdgwodhv.exeWinHostMgr.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\MRT.exe	WinHostMgr.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bauwrdgwodhv.exe

description	pid	Process	procid_target
PID 400 set thread context of 1428	400	bauwrdgwodhv.exe	52
PID 400 set thread context of 1516	400	bauwrdgwodhv.exe	53

Drops file in Windows directory 2 IoCs

Processes:

wusa.exewusa.exe

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
2896	sc.exe
596	sc.exe
2356	sc.exe
1604	sc.exe
996	sc.exe
1540	sc.exe
1476	sc.exe
920	sc.exe
1608	sc.exe
1188	sc.exe
2212	sc.exe
2096	sc.exe
1740	sc.exe
1968	sc.exe

Detects Pyinstaller 5 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral1/files/0x0006000000016f6f-36.dat	pyinstaller
behavioral1/files/0x0006000000016f6f-37.dat	pyinstaller
behavioral1/files/0x0006000000016f6f-52.dat	pyinstaller
behavioral1/files/0x0006000000016f6f-51.dat	pyinstaller
behavioral1/files/0x0006000000016f6f-34.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2684	schtasks.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

explorer.exepowershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e05121905f54da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sahyui1337.exepowershell.exeWinHostMgr.exebauwrdgwodhv.exepowershell.exeexplorer.exe

pid	Process
2292	Sahyui1337.exe
2292	Sahyui1337.exe
2708	powershell.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
2716	WinHostMgr.exe
400	bauwrdgwodhv.exe
1248	powershell.exe
400	bauwrdgwodhv.exe
400	bauwrdgwodhv.exe
400	bauwrdgwodhv.exe
400	bauwrdgwodhv.exe
400	bauwrdgwodhv.exe
400	bauwrdgwodhv.exe
400	bauwrdgwodhv.exe
400	bauwrdgwodhv.exe
400	bauwrdgwodhv.exe
400	bauwrdgwodhv.exe
400	bauwrdgwodhv.exe
400	bauwrdgwodhv.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

Ilkdt.exeSahyui1337.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	Process
Token: SeDebugPrivilege	2724	Ilkdt.exe
Token: SeDebugPrivilege	2292	Sahyui1337.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeShutdownPrivilege	2512	powercfg.exe
Token: SeShutdownPrivilege	2184	powercfg.exe
Token: SeShutdownPrivilege	1172	powercfg.exe
Token: SeShutdownPrivilege	2504	powercfg.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeShutdownPrivilege	3012	powercfg.exe
Token: SeShutdownPrivilege	340	powercfg.exe
Token: SeShutdownPrivilege	2392	powercfg.exe
Token: SeShutdownPrivilege	2360	powercfg.exe
Token: SeLockMemoryPrivilege	1516	explorer.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

GX_Builder.exeKeyGeneratorTOP.exeWinErrorMgr.exeWinErrorMgr.execmd.execmd.exebauwrdgwodhv.exe

description	pid	Process	procid_target
PID 1848 wrote to memory of 2708	1848	GX_Builder.exe	30
PID 1848 wrote to memory of 2708	1848	GX_Builder.exe	30
PID 1848 wrote to memory of 2708	1848	GX_Builder.exe	30
PID 1848 wrote to memory of 2708	1848	GX_Builder.exe	30
PID 1848 wrote to memory of 2724	1848	GX_Builder.exe	39
PID 1848 wrote to memory of 2724	1848	GX_Builder.exe	39
PID 1848 wrote to memory of 2724	1848	GX_Builder.exe	39
PID 1848 wrote to memory of 2724	1848	GX_Builder.exe	39
PID 1848 wrote to memory of 2716	1848	GX_Builder.exe	32
PID 1848 wrote to memory of 2716	1848	GX_Builder.exe	32
PID 1848 wrote to memory of 2716	1848	GX_Builder.exe	32
PID 1848 wrote to memory of 2716	1848	GX_Builder.exe	32
PID 1848 wrote to memory of 2560	1848	GX_Builder.exe	38
PID 1848 wrote to memory of 2560	1848	GX_Builder.exe	38
PID 1848 wrote to memory of 2560	1848	GX_Builder.exe	38
PID 1848 wrote to memory of 2560	1848	GX_Builder.exe	38
PID 1848 wrote to memory of 2292	1848	GX_Builder.exe	33
PID 1848 wrote to memory of 2292	1848	GX_Builder.exe	33
PID 1848 wrote to memory of 2292	1848	GX_Builder.exe	33
PID 1848 wrote to memory of 2292	1848	GX_Builder.exe	33
PID 1848 wrote to memory of 2424	1848	GX_Builder.exe	37
PID 1848 wrote to memory of 2424	1848	GX_Builder.exe	37
PID 1848 wrote to memory of 2424	1848	GX_Builder.exe	37
PID 1848 wrote to memory of 2424	1848	GX_Builder.exe	37
PID 2424 wrote to memory of 1576	2424	KeyGeneratorTOP.exe	36
PID 2424 wrote to memory of 1576	2424	KeyGeneratorTOP.exe	36
PID 2424 wrote to memory of 1576	2424	KeyGeneratorTOP.exe	36
PID 2560 wrote to memory of 1440	2560	WinErrorMgr.exe	35
PID 2560 wrote to memory of 1440	2560	WinErrorMgr.exe	35
PID 2560 wrote to memory of 1440	2560	WinErrorMgr.exe	35
PID 2560 wrote to memory of 1440	2560	WinErrorMgr.exe	35
PID 1440 wrote to memory of 2684	1440	WinErrorMgr.exe	41
PID 1440 wrote to memory of 2684	1440	WinErrorMgr.exe	41
PID 1440 wrote to memory of 2684	1440	WinErrorMgr.exe	41
PID 1440 wrote to memory of 2684	1440	WinErrorMgr.exe	41
PID 604 wrote to memory of 788	604	cmd.exe	46
PID 604 wrote to memory of 788	604	cmd.exe	46
PID 604 wrote to memory of 788	604	cmd.exe	46
PID 2704 wrote to memory of 1140	2704	cmd.exe	67
PID 2704 wrote to memory of 1140	2704	cmd.exe	67
PID 2704 wrote to memory of 1140	2704	cmd.exe	67
PID 400 wrote to memory of 1428	400	bauwrdgwodhv.exe	52
PID 400 wrote to memory of 1428	400	bauwrdgwodhv.exe	52
PID 400 wrote to memory of 1428	400	bauwrdgwodhv.exe	52
PID 400 wrote to memory of 1428	400	bauwrdgwodhv.exe	52
PID 400 wrote to memory of 1428	400	bauwrdgwodhv.exe	52
PID 400 wrote to memory of 1428	400	bauwrdgwodhv.exe	52
PID 400 wrote to memory of 1428	400	bauwrdgwodhv.exe	52
PID 400 wrote to memory of 1428	400	bauwrdgwodhv.exe	52
PID 400 wrote to memory of 1428	400	bauwrdgwodhv.exe	52
PID 400 wrote to memory of 1516	400	bauwrdgwodhv.exe	53
PID 400 wrote to memory of 1516	400	bauwrdgwodhv.exe	53
PID 400 wrote to memory of 1516	400	bauwrdgwodhv.exe	53
PID 400 wrote to memory of 1516	400	bauwrdgwodhv.exe	53
PID 400 wrote to memory of 1516	400	bauwrdgwodhv.exe	53

C:\Users\Admin\AppData\Local\Temp\GXImageLogger\GX_Builder.exe
"C:\Users\Admin\AppData\Local\Temp\GXImageLogger\GX_Builder.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAeQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAcQBsACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    PID:328
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:1740
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1604
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2896
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:920
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1608
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:596
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:996
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1188
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:604
- C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
  "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
  "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2724

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAA15.tmp" /F
  2⤵
  - Creates scheduled task(s)
  PID:2684

C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
"C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
- Drops file in Windows directory
PID:788

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
1⤵
PID:1428

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
1⤵
- Launches sc.exe
PID:1968

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
1⤵
- Launches sc.exe
PID:2212

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
1⤵
- Launches sc.exe
PID:1476

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
- Drops file in Windows directory
PID:1140

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:1540

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
1⤵
- Launches sc.exe
PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
1⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe

Filesize
127KB

MD5
c238abd4f660aae2b1a95a21d1982398

SHA1
ed52adeba84cbb46dc041d68840a02fce7fc2e26

SHA256
413c35458a145f70180697d24233ac0b9add6c12f0103d358c2bdc6ffd96d47a

SHA512
5f85f62e33320d271657f5fc3bff8c2a8e583903636d6740a8de1bc8b5533cb4218fad1324186c25e9d82a17ee22fddb49c666d05fdd940df10a2c1637b468e3

Download Submit
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe

Filesize
90KB

MD5
88839d7c71cc91c29cc676466c920712

SHA1
b208a5f5eeb1d4d97fc8dd20238856a9e1bf8988

SHA256
9cbb2a62d5e3ceb50132c272bbd7dfdb77f71dd683f4d83716eab411ab02bf06

SHA512
9cc5de0a2d7f23146332ffd92735cec64033b36283f095f6fe1747371b3b1e1f5c50cf17813a951da22a6c4bf2440cad0fb7a9dd7863ac3167143eacc165b760

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe

Filesize
191KB

MD5
e004a568b841c74855f1a8a5d43096c7

SHA1
b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256
d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

SHA512
402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe

Filesize
85KB

MD5
bdfb28e7d731a3ad788152e35b922562

SHA1
29804bac89f8eede208e56dce8c290731e8e55a0

SHA256
cf2953bdc46b9aa5d0d2738f605382faa858a01641986b73ae98dc05888c70c2

SHA512
c13df21460e861ad3916fa02bec9fb895d0cce74b31ecc840d0adb57ec2fa2c11d961fe10b827be8556537feba18100a9dd926397be58122d7e64244a89437e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
16KB

MD5
31d5646a10fa33eee1837fe2c1223131

SHA1
a55cc738105c94124c22a2a1186605f2075491bd

SHA256
4e11c82b25fc5db85d743931c3f471b4132cd030b8c7a9e0d497d662aef89bc0

SHA512
b417dd6a89d822a1709091cb70911a793f1fef0a4990432691c2f90bd784ab6d5054a2bde72e6de05333cdf3b1164ab88a7862f6c3afabcc7dc58d8fb3b4d460

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
106KB

MD5
469614686e39d4fbc6789dbde4b38bee

SHA1
416edc37e2d52397ff847169de329c6f08da17d3

SHA256
3b7d8556c900654b34118f6a54b15d0b6a7c74ab43277d7247d4bdc9807f08b7

SHA512
f888e01126a3cc2373ba5f58226eb91080561d6f5215db655649aff773ed18f43c420f18b0917c7551a644908cefa2f4a08584fe00f87cdae6b3faaaf78a3237

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
216KB

MD5
1eb0c11a09e5608e5d9dac243d39ee8c

SHA1
46b58376ccde91f1c6b3122703bb0cb767c59312

SHA256
27fca07902e18ea721910159d2ac5efad89bf184040676e19cd472c04713eb4c

SHA512
4a9c673c0f58f7448315920e526251130e8f485bddf14af2aa66543a87f01514dcbbd1188933a8652ee84967e544b5b507551349417ae213547210c658097a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe

Filesize
309KB

MD5
832f9098aba797ce10f6982d22cdad2c

SHA1
dd777d052cda868b3d7c98a5f35c5c1007d94cff

SHA256
9b1190c8fa06b267346d5109e20bf0775afefc19e8f12b401b06410d5b21f9b0

SHA512
1311610d8735c69725e0a932848a061a696ce66b3f70c0746c594426b85a11cb657a9367a3111821f3141ca85d1dfecd329065ce54bd348722f97d9dd05beaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe

Filesize
236KB

MD5
0b5df1c4a13aed8d70e44bf243c9a9eb

SHA1
d3c79d7e56859237e45ba1167fe7f9dd7c212cd4

SHA256
b5d51ac8a8a32946412241b26f58c343c6f544befd8f774945101ff663a7e1ba

SHA512
5a0f171fd8f3c4ec22d6b301e5fdd3710e7487de0ff0cc42eeef519b76b77f21eb8495efb35682fc5643672e58428cd52fcc0c42edc1bd1435c8d9cebcace0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
162KB

MD5
2038d443f2c0bcc84691c0f0c4bd5626

SHA1
8957c71fef4feed8e5200e043d9d33c9abc46866

SHA256
76ad419c7e5d8443e4eac9d300f7b51fbdd7a09d6f68a6cddd3acfbf0330ddc8

SHA512
2d818ea77df29c95ba40fd59c78414932de53336ee440d5bcbe0c19096835561547bf67c72a37713cd1cde9eea11d387d390d2452d2e90be6471553ddfe55de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
67KB

MD5
0e76f6a88ebf8ad1e89347f37eb9b7d5

SHA1
7c6417374b6a359c5331e446ace895d04d0ce574

SHA256
94edf56a3aebb9425d4761e1a115135e256e2a6608a813b162f5a0b6ac7f900d

SHA512
a9d8325950f708410abb950446b504c35a8c8f4e853a89ae664d7130d3528d9b66fa9e45d941ba8406b1ce70d1fbd5037d102418de3958530651619a017b1a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
216KB

MD5
ad443424ddb3ac17bde514e41bdaaf68

SHA1
396a77cf49cb6e21a055a43ffbaf7439781c0460

SHA256
8434160f4683548584cbe381d98daf3afad5c87246394ecb51caa09113766ae1

SHA512
7799c7db56c64931a2ecb9a3711601a0478bf5fd30c4572e83e52a5d6e9ba9e122c0928b7f900e3e1e944f7592ece31ae255ef48ed8dc4035acc4846bfb96304

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe

Filesize
28KB

MD5
cfe1928322bfcfaccf4387b328ba4f7b

SHA1
3983e281c4522b8c99b811e62223471c5768c555

SHA256
497d95de7dcdeaca59dfd8f4fe37540a346e8ecb8842ad27548951daf6e46496

SHA512
494b0b1b4c962332ecbf6c61f53e11ee740416d9ea88eff33f0be1a40e310698fcffd802b9839b2a24891577641a5bd2cd73d751fc086987c561784dc85929fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24242\python312.dll

Filesize
87KB

MD5
5275ebeb83fd847f8f563ae2d49c5ddd

SHA1
ac69d593015bc089bdccb11b78474e1543178c77

SHA256
af2b83284aa839b7269a80ef438907105c3c0c1dab0f4e0b88e9ae566c3ee26e

SHA512
6c5b9bdadd9515b131f8cc728f3eb4acfe5803e898094b2ba8432af388f4cc13b08a02f15634f34a0a217ca014b8d214a169e570918be919dac60dc7da56cea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA15.tmp

Filesize
1KB

MD5
7f673f709ab0e7278e38f0fd8e745cd4

SHA1
ac504108a274b7051e3b477bcd51c9d1a4a01c2c

SHA256
da5ab3278aaa04fbd51272a617aef9b903ca53c358fac48fc0f558e257e063a4

SHA512
e932ccbd9d3ec6ee129f0dab82710904b84e657532c5b623d3c7b3b4ce45732caf8ff5d7b39095cf99ecf97d4e40dd9d755eb2b89c8ede629b287c29e41d1132

Download Submit
\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe

Filesize
103KB

MD5
4a51025d08a96513c1ade7dc6382bf45

SHA1
76a51dfd05c17c34d8586dbd930387ae2985c633

SHA256
e299cb62d2be8d7cf01668d79b0d31947b675ba9b496375d1bcec6e23111a518

SHA512
c0596aa28ccdabe77f05fcd5ccba1904ac408607a4f8850ac2a01cf53dfda2abbdaba2b2de3f729890dae3a8e752784bea5f13059abe6c2fb882263ecf6c7355

Download Submit
\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe

Filesize
100KB

MD5
94d7b2a4b72ecdd62d43187528ae317b

SHA1
5a438eff3f13a0b144ee52d484f794433ee6542a

SHA256
1c56ab4245cbedac3103bb4433a225008687c69e1ea05d1b4385e7c1d91307d3

SHA512
b0e5c490b905edb0a0abd55dd0143e8b8212319889dcb7ce15acce123ba7cd8564fdeddde4968444340db2155243a0a9aee683c71b098f9ffd278312a021d519

Download Submit
\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
229KB

MD5
f1813e6ca96d33f80ec1fea76b2dbc01

SHA1
703fb2fb2ccd3c889bd33dd3319123b260c37b33

SHA256
79803577a9c550d3d2d49cd3dd4923a28dd960b27eecd772627e877b32fd414b

SHA512
f16f1ddc50f7af676bb050ca77e4f0afca00b8909971d2cc824ced578c7591cc471eb5b6902cac25a94d5ed33801f1718c06d90fbf95f4b817a8ff12a97487ea

Download Submit
\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
213KB

MD5
aac27b3f47557bc8d4cd370c42c3a5fa

SHA1
aed077e5deee29d058c9daf196d876727b9e360b

SHA256
95da11dc6b31a52701f01a6d4dd4bad9d9633ab44438546be9b32c521328c568

SHA512
32d7de25052c9d2ae15ed6646f9fc5b8552335249aeb32eeaffbb6dce6e860dc4df54ff846f01e06b1d3ae65d668dc37e43b0421c5796f4722b65a334e75f4b1

Download Submit
\Users\Admin\AppData\Local\Temp\Sahyui1337.exe

Filesize
307KB

MD5
41b200fcbf733f7f142c85de45a3ad4d

SHA1
9fb02fc31a2d2d7a7f320b276edf575f2d8faf00

SHA256
708d2007245b9ac697d6656c6e78ebcb343412dc7273e1036fb05b39177ea586

SHA512
7f5b54f9f3c4b9d075b288510c05ec0390cb5f320f921b6df952837657f21b16caaf8004d85bcfa70491e38dca3306cfda4c230e195f8413534bffedd1ded7ea

Download Submit
\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
322KB

MD5
0d2b7824af1e8f97ece45159814dcac5

SHA1
4009b39a2b655a9031e13606e1613497514d8b50

SHA256
69e6ea15a5b97af463716c9b1d1fe52b5ffbc9e1cf46a64457f64140fe1ed13a

SHA512
b48833a953e5c5dd17663542b31d9ae99035cdd42e46ef425d62717471cbe9940e70f65bc706cc553d019a96adfeaf2819786394e6550a71b6b134a8fbe32a17

Download Submit
\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
174KB

MD5
fd0378f109fa3cde9a7e95f72a25bcc5

SHA1
67dee200bbac1dfdaf3d425b828175c8b65e2b10

SHA256
840aecd7bb2a6a5b9cdcf5d1d3a678f3f955823b51c5bc6c9a33c6e87a135aad

SHA512
34c6a4375793afc48e3084a98e03b80bc2b3f4828730bf03176fd922e5ae9c0327725ba754c8672377f2092cbfc1c3df9f34d961dd9afaf1d333b50869650cbc

Download Submit
\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe

Filesize
42KB

MD5
d499e979a50c958f1a67f0e2a28af43d

SHA1
1e5fa0824554c31f19ce01a51edb9bed86f67cf0

SHA256
bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e

SHA512
668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24242\python312.dll

Filesize
92KB

MD5
be052891acd0aafdbfc3f143ab617078

SHA1
bb0a0b0129e658a2015ccf3ea1e079a06aa580b3

SHA256
ca6b0f183f281aa8a59c0024be5eb9375de8036869456fe639dbb50361dd2856

SHA512
79826b25a170d9e139f1a6bfe987564b863dac58b2e121dc8cbd6de74c3c6357fe810fd2e29e208e18c54337620e6fe85e2f2193a37fd0b8e0b0d859324ef05a

Download Submit
memory/1248-1695-0x0000000000910000-0x0000000000990000-memory.dmp

Filesize
512KB

Download
memory/1248-1692-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

Filesize
9.6MB

Download
memory/1248-1689-0x0000000001170000-0x0000000001178000-memory.dmp

Filesize
32KB

Download
memory/1248-1691-0x0000000000910000-0x0000000000990000-memory.dmp

Filesize
512KB

Download
memory/1248-1688-0x0000000019D00000-0x0000000019FE2000-memory.dmp

Filesize
2.9MB

Download
memory/1248-1694-0x0000000000910000-0x0000000000990000-memory.dmp

Filesize
512KB

Download
memory/1248-1696-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

Filesize
9.6MB

Download
memory/1248-1693-0x0000000000910000-0x0000000000990000-memory.dmp

Filesize
512KB

Download
memory/1248-1690-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

Filesize
9.6MB

Download
memory/1440-119-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1440-1681-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1440-1682-0x0000000004880000-0x00000000048C0000-memory.dmp

Filesize
256KB

Download
memory/1440-1670-0x0000000004880000-0x00000000048C0000-memory.dmp

Filesize
256KB

Download
memory/1440-62-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/1516-1721-0x0000000000820000-0x0000000000840000-memory.dmp

Filesize
128KB

Download
memory/1516-1722-0x0000000000820000-0x0000000000840000-memory.dmp

Filesize
128KB

Download
memory/2292-59-0x0000000001200000-0x0000000001254000-memory.dmp

Filesize
336KB

Download
memory/2292-821-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-120-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/2292-64-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/2560-60-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2560-31-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/2708-111-0x0000000072190000-0x000000007273B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-827-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download
memory/2708-113-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download
memory/2708-116-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download
memory/2708-1336-0x0000000072190000-0x000000007273B000-memory.dmp

Filesize
5.7MB

Download
memory/2724-127-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-67-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-66-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-69-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-71-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-73-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-47-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-75-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-77-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-30-0x0000000000360000-0x0000000000396000-memory.dmp

Filesize
216KB

Download
memory/2724-79-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-81-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-83-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-1667-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-85-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-87-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-89-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-91-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-93-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-95-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-97-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-99-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-103-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-105-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-107-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-109-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-112-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-121-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-123-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-129-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-131-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-135-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-133-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-125-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-117-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-115-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/2724-101-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/2724-63-0x0000000000480000-0x00000000004EC000-memory.dmp

Filesize
432KB

Download