Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

tmp.exe

windows7-x64

8

tmp.exe

windows10-1703-x64

8

tmp.exe

windows10-2004-x64

8

tmp.exe

windows11-21h2-x64

1

Resubmissions

11/04/2024, 06:38

240411-hd63esha9z 8

11/04/2024, 06:37

240411-hdp4xaha9x 8

11/04/2024, 06:37

240411-hdlrgsha9w 8

11/04/2024, 06:37

240411-hdk5ysha9t 8

11/04/2024, 06:37

240411-hdkjesha9s 8

07/04/2024, 08:23

240407-kabhfsgg71 8

07/04/2024, 08:23

240407-j97t9shc64 8

07/04/2024, 08:22

240407-j93wbagg7w 8

07/04/2024, 08:22

240407-j9yatsgg7s 7

Analysis

  • max time kernel
    1800s
  • max time network
    1808s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11/04/2024, 06:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    5.3MB

  • MD5

    5fe4ea367cee11e92ad4644d8ac3cef7

  • SHA1

    44faea4a352b7860a9eafca82bd3c9b054b6db29

  • SHA256

    1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

  • SHA512

    1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

  • SSDEEP

    98304:lgU5484Bq1qdguoOzv4I3KOn6Ka1uFof9Hn6sdw5yOc4:iU54mqL9zvH3qO

Score
8/10
discoveryevasion

Malware Config

Signatures

  • Contacts a large (720) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 22 IoCs
    evasion
  • Executes dropped EXE 12 IoCs
  • Drops file in System32 directory 38 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2196
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:4740
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5004
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4796
      • C:\Users\Admin\AppData\Local\Temp\~tl6671.tmp
        C:\Users\Admin\AppData\Local\Temp\~tl6671.tmp
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4720
        • C:\Windows\SYSTEM32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
            PID:216
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:312
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:4372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2876
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
              PID:1708
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:1636
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4348
              • C:\Windows\SYSTEM32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                5⤵
                  PID:4708
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:4276
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:4052
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2196
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1616
                • C:\Users\Admin\AppData\Local\Temp\~tl3394.tmp
                  C:\Users\Admin\AppData\Local\Temp\~tl3394.tmp
                  5⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:980
                  • C:\Windows\SYSTEM32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    6⤵
                      PID:3112
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:3912
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:1536
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2172
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2088
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2500
            • C:\Windows\system32\netsh.exe
              netsh int ipv4 set dynamicport tcp start=1025 num=64511
              2⤵
                PID:4780
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                2⤵
                • Modifies Windows Firewall
                PID:1152
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                2⤵
                • Modifies Windows Firewall
                PID:3208
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:4484
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:32
              • C:\Windows\TEMP\~tlA585.tmp
                C:\Windows\TEMP\~tlA585.tmp
                2⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                PID:4208
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  3⤵
                    PID:1620
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    3⤵
                    • Modifies Windows Firewall
                    PID:4836
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    3⤵
                    • Modifies Windows Firewall
                    PID:1152
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    3⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:348
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    3⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3780
              • \??\c:\windows\system\svchost.exe
                c:\windows\system\svchost.exe
                1⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                PID:5088
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  2⤵
                    PID:2904
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    2⤵
                    • Modifies Windows Firewall
                    PID:1424
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    2⤵
                    • Modifies Windows Firewall
                    PID:4136
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    2⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2388
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    2⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:404
                  • C:\Windows\TEMP\~tl1103.tmp
                    C:\Windows\TEMP\~tl1103.tmp
                    2⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    PID:4328
                    • C:\Windows\system32\netsh.exe
                      netsh int ipv4 set dynamicport tcp start=1025 num=64511
                      3⤵
                        PID:888
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        3⤵
                        • Modifies Windows Firewall
                        • Modifies data under HKEY_USERS
                        PID:1524
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        3⤵
                        • Modifies Windows Firewall
                        PID:348
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                        3⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        PID:5104
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                        3⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        PID:2156
                  • \??\c:\windows\system\svchost.exe
                    c:\windows\system\svchost.exe
                    1⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Drops file in Windows directory
                    • Modifies data under HKEY_USERS
                    PID:3324
                    • C:\Windows\system32\netsh.exe
                      netsh int ipv4 set dynamicport tcp start=1025 num=64511
                      2⤵
                        PID:4052
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        2⤵
                        • Modifies Windows Firewall
                        • Modifies data under HKEY_USERS
                        PID:3652
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        2⤵
                        • Modifies Windows Firewall
                        PID:4676
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                        2⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        PID:4824
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                        2⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        PID:3544
                      • C:\Windows\TEMP\~tl7936.tmp
                        C:\Windows\TEMP\~tl7936.tmp
                        2⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        PID:1124
                        • C:\Windows\system32\netsh.exe
                          netsh int ipv4 set dynamicport tcp start=1025 num=64511
                          3⤵
                          • Modifies data under HKEY_USERS
                          PID:404
                        • C:\Windows\System32\netsh.exe
                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                          3⤵
                          • Modifies Windows Firewall
                          PID:4792
                        • C:\Windows\System32\netsh.exe
                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                          3⤵
                          • Modifies Windows Firewall
                          PID:2852
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                          3⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:3704
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                          3⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:4672
                    • \??\c:\windows\system\svchost.exe
                      c:\windows\system\svchost.exe
                      1⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Drops file in Windows directory
                      PID:4748
                      • C:\Windows\system32\netsh.exe
                        netsh int ipv4 set dynamicport tcp start=1025 num=64511
                        2⤵
                          PID:836
                        • C:\Windows\System32\netsh.exe
                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                          2⤵
                          • Modifies Windows Firewall
                          PID:1984
                        • C:\Windows\System32\netsh.exe
                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                          2⤵
                          • Modifies Windows Firewall
                          PID:2948
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                          2⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:4116
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                          2⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:3872
                        • C:\Windows\TEMP\~tlDFE2.tmp
                          C:\Windows\TEMP\~tlDFE2.tmp
                          2⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          PID:2596
                          • C:\Windows\system32\netsh.exe
                            netsh int ipv4 set dynamicport tcp start=1025 num=64511
                            3⤵
                              PID:1496
                            • C:\Windows\System32\netsh.exe
                              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                              3⤵
                              • Modifies Windows Firewall
                              • Modifies data under HKEY_USERS
                              PID:4480
                            • C:\Windows\System32\netsh.exe
                              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                              3⤵
                              • Modifies Windows Firewall
                              • Modifies data under HKEY_USERS
                              PID:1288
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                              3⤵
                              • Drops file in System32 directory
                              • Modifies data under HKEY_USERS
                              PID:304
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                              3⤵
                              • Drops file in System32 directory
                              • Modifies data under HKEY_USERS
                              PID:2280

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                          Filesize

                          2KB

                          MD5

                          cd5b15b46b9fe0d89c2b8d351c303d2a

                          SHA1

                          e1d30a8f98585e20c709732c013e926c7078a3c2

                          SHA256

                          0a8a0dcbec27e07c8dc9ef31622ac41591871416ccd9146f40d8cc9a2421da7a

                          SHA512

                          d7261b2ff89adcdb909b775c6a47b3cd366b7c3f5cbb4f60428e849582c93e14e76d7dcadec79003eef7c9a3059e305d5e4f6b5b912b9ebc3518e06b0d284dd7

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          14831081dfc3f79fa28091aef491a0ec

                          SHA1

                          600fa76809c4a93897aa4a68d55dfd7cb21c1ada

                          SHA256

                          dcbb1638ab2d29bad5a34efac127cecc8ec9c67f26f78a9b5093f2ca9f1089be

                          SHA512

                          7bc9ea7291e994815ef3cb1692569c5733805fd5c1bb492f3f2afc180c96996c1b44d95a662fa50b1047810ccc16326e65f32d32c5cc70eb0b00acdeeae3371c

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          805cc3b95d3c50a22373f3ef27551dd0

                          SHA1

                          e8eba8a1fd7e5a8219ae50358c688b4692344513

                          SHA256

                          20b306476532e2b8dddbd15a72d07b409f4a057756e8b286235c6de833a784e5

                          SHA512

                          560e08d7f69b8b3279040ec3a7a276937a587148d93daec854c093e53c5564eac823db3bc2fec29d001cf38c61919aebbeec76a53e9cee8ba6621745c67b56fc

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          39d34e8dfa8d68a0e959bf47772e4ccf

                          SHA1

                          98cb297f01e8e247bd48a1ddaa3a74df92bfb863

                          SHA256

                          682573a731c2ffe71fcc487af7d63712cad8baf9dcc9fd044842789e824e9d6d

                          SHA512

                          3ad1ea004591f72bbf032c918dfc45a661bae1396f17abad80b193164c0e570ca2d84d8da793d5100aca5feccb0ca008c72853763df71097cc75034a47f31cab

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          ec310733dfb69a61d315735441d52624

                          SHA1

                          98e5a840c94f47310e77157b4b08591785660c22

                          SHA256

                          28279b751ad8380d4e9f9277a4ac7d79dc8b82fde6eb30e25c38138463d8ae13

                          SHA512

                          d05a0a9fb69c6e77a688234fb29db51d0b946f2124f1c998f15708fbba7bf4d78590b9a05cd7c72c7919e94bf7648027346f8446b9c8828cf42e8c6c381bd446

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          876eafc0265b4782288df8c2137d2b0e

                          SHA1

                          3bfa798904cf0e80a3bb26156c7d16cde946be34

                          SHA256

                          fbaaf09ed0f940c99f81ae7aea39fb3e4a70ee3784806f29f7a78de932bfae71

                          SHA512

                          371ab42de4921641e5addc74b7471671e5eb5ad8e9f133e20f6fb479eaa5300454bd2d2cab97ba5409ba1529d552bcc15be05720a9f96c5ca08be0b238d3fef2

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r5ukb14d.lcj.ps1
                          Filesize

                          1B

                          MD5

                          c4ca4238a0b923820dcc509a6f75849b

                          SHA1

                          356a192b7913b04c54574d18c28d46e6395428ab

                          SHA256

                          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                          SHA512

                          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\~tl3394.tmp
                          Filesize

                          393KB

                          MD5

                          9dbdd43a2e0b032604943c252eaf634a

                          SHA1

                          9584dc66f3c1cce4210fdf827a1b4e2bb22263af

                          SHA256

                          33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

                          SHA512

                          b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\~tl6671.tmp
                          Filesize

                          385KB

                          MD5

                          e802c96760e48c5139995ffb2d891f90

                          SHA1

                          bba3d278c0eb1094a26e5d2f4c099ad685371578

                          SHA256

                          cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

                          SHA512

                          97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
                          Filesize

                          2.7MB

                          MD5

                          c9b1dde253446b4b2bc6a0ad4d3022c2

                          SHA1

                          66cf356f3717f3d07a1c568c7146f9f9f14adf9f

                          SHA256

                          4fcc265cafab726d5e03b652e7b3fb4681a28f0dc5349825fe28b5413c96d3f3

                          SHA512

                          0e8f41766a67cea5d48950d0f30b5c5e1c6b7e9a5d77515e2be72d719c11bed624991c8764c7edddb0981dffd34fbd6e6e89d9ac9bd65164a14b27f21a2ce005

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
                          Filesize

                          9.7MB

                          MD5

                          d75c58e349d78e297fe299b2bd737dfa

                          SHA1

                          070be861f1054d71340e366c97ed30fd75c29f86

                          SHA256

                          d5e8291c3240c3d8df3253fbb943ce87b53af3aca89b714583211ca5718dedd3

                          SHA512

                          4c94f241675b87bf3c095c8707faf1d215f1e8f6ded7112fd3e0b6e3b080ef1b119f1bdb1d5583917de48aeaf2c3ede91245d441546c95da9ceb7239904ffd93

                          Download Submit

                        • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg
                          Filesize

                          393KB

                          MD5

                          72e28e2092a43e0d70289f62bec20e65

                          SHA1

                          944f2b81392ee946f4767376882c5c1bda6dddb5

                          SHA256

                          6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f

                          SHA512

                          31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466

                          Download Submit

                        • C:\Windows\System\svchost.exe
                          Filesize

                          5.3MB

                          MD5

                          5fe4ea367cee11e92ad4644d8ac3cef7

                          SHA1

                          44faea4a352b7860a9eafca82bd3c9b054b6db29

                          SHA256

                          1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

                          SHA512

                          1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

                          Download Submit

                        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                          Filesize

                          3KB

                          MD5

                          70b3ee3839890cd6e33de100160aa0f3

                          SHA1

                          ea985ff7cc4164f5f436cb0ab193bd598fd51a49

                          SHA256

                          fe9953998fabade77ae9294bb7fedfe83a59e7289a7dece404a8c82f15f7e46e

                          SHA512

                          5f12857006e4f6fe1130f2135a13575f606d3d7863cdcfdd207443bbfb9039b3b041cfb48ea5dd8daec318a7287891d3bfb2086c23bf6b0aa09bc254330274da

                          Download Submit

                        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          13e67faca0c84a8061b7add632e480b7

                          SHA1

                          fba001325bc61055ef7cbe44e61c6c671d14bcfe

                          SHA256

                          4cc7ec19f4f0c947e77d314877be9fb6f27380b8a801648d2d46c793f2100add

                          SHA512

                          f7219750b7e23d9a0c28503f38342904b213e589d24a9abb9266f5987788e03e8d8b80fa364b9b8a5569836878720b999486076aa837a4a9d4a9a1e90dc2d0c7

                          Download Submit

                        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          d29ff02514ae29dd32a0df10e8726a56

                          SHA1

                          7dab7a75432fda309c9121ec342c8d6c2ee55786

                          SHA256

                          8b74889f3e872eac0221bf8a946f19a95c80d2b32066f1aba13e8925bf8a6867

                          SHA512

                          e758165fee2c525251c3ca02e324f5252b121f44815ba8d5675c55431e71dc7bfa1406771eed2ba5e3c998a748537145b6a556ffc2843bdce294ca101abcdfde

                          Download Submit

                        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          69530d87ccd6228b8abc1c3d4ca2393c

                          SHA1

                          997ec76edee63aae9f1256d9def7b02ec1d142de

                          SHA256

                          fcdf26827fdbffdb51444132db046641d38108b0a42451b2ba035165dca357a9

                          SHA512

                          23497857f519a589b12605018d2c987914d6c44bd195b156a776165b9d1a356a46a701dbe9d2d03687a58560d89142500ebac03fc11c895d7e900b349519521f

                          Download Submit

                        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          53516eb47c1dbee690b69384849effc9

                          SHA1

                          7b87f3764814df40e87e7d528a551049b7e0f99a

                          SHA256

                          cc935818d0ed3f14292152614faf085c8dc4219404e8c364065477b8d8467dd8

                          SHA512

                          ee4701a20ef2948c9cbb2f362d61dba2f8b6b1c664e1022dad05cdf0b17a604c299520347589e560e87c3e3880a3ba2cb3fd61558eea664494dc0551af9d6af8

                          Download Submit

                        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          760B

                          MD5

                          f006ad02b5ec892d76b327c148875b11

                          SHA1

                          3a6b9fa32c5d564077d13d5ddb3acfcd6febd911

                          SHA256

                          708e9cb08a0827227b0290a6e686f93fba8fc408e71c6ad8c69eb6f95e27705a

                          SHA512

                          dc86bc464d8f9068c21786f35a33b4edc7dd8c7a2ad57eaafc0302d623a6c3755140fe0f7f226dc52b11f4ae654ce7f1bcc3d6a28eced5811df654061880d0ee

                          Download Submit

                        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          a4ad52be09e615ed378ebaf61f970432

                          SHA1

                          59a3478fa4ba10d8ffe16451d20047cbb869420f

                          SHA256

                          256eee0489b67e0364efc2bf41dcd9273821159b745f05cf048b0c94dc69a837

                          SHA512

                          18130dd5caa8e09bd94afc01e9609a2b8a8e7e0c0e9ee6d2b587d4daec7f1cd20d608ce00e16385d4b0b167669a5386d8166432f2e66d43e316c0bed2865964f

                          Download Submit

                        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          6779e1684940604403a8bddcac985991

                          SHA1

                          9ef05e6f1baa52cd96ceb6d2fd198db68e3bb8a7

                          SHA256

                          47820e6c631c58e9939f356ddff5abf04055207458b63397e77ac31ad0d8a6ae

                          SHA512

                          aff1f26bdf9e74c7871f5a4aa9020469b9a49611140b759742ba198582c46c7c782ba73083cd18f8b819e17a2494f907449ce952794cf931b371b53ea3a23534

                          Download Submit

                        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          b447a4532d0e97fb74956eaef74fffd9

                          SHA1

                          618294d14e47500f67201bd4d0f6f74eab6b4708

                          SHA256

                          d4c0d09036004a3fcc1525505861221a0760b6f02dfa961c55034efa8f7cde08

                          SHA512

                          b347ea7b560bc522c1f42e5404a95b7f927de6aa310b5617361b5651ca890b18e67a3d1dc044d54a6af6c140cdf4cf846d717ef4515b02159711bd84ef69eaf6

                          Download Submit

                        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          631f4b3792b263fdda6b265e93be4747

                          SHA1

                          1d6916097d419198bfdf78530d59d0d9f3e12d45

                          SHA256

                          4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

                          SHA512

                          e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

                          Download Submit

                        • memory/500-47-0x0000018549C50000-0x0000018549C60000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/500-102-0x0000018549C50000-0x0000018549C60000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/500-21-0x0000018549DE0000-0x0000018549E56000-memory.dmp

                          Filesize

                          472KB

                          Download

                        • memory/500-16-0x0000018549C50000-0x0000018549C60000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/500-107-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/500-12-0x0000018549BF0000-0x0000018549C12000-memory.dmp

                          Filesize

                          136KB

                          Download

                        • memory/500-13-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/980-493-0x0000000140000000-0x0000000140170400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/980-601-0x0000000140000000-0x0000000140170400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/980-495-0x0000000140000000-0x0000000140170400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/980-496-0x0000000140000000-0x0000000140170400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/980-497-0x0000000140000000-0x0000000140170400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/1616-485-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/1616-480-0x000001FAA5570000-0x000001FAA5580000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1616-448-0x000001FAA5570000-0x000001FAA5580000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1616-398-0x000001FAA5570000-0x000001FAA5580000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1616-399-0x000001FAA5570000-0x000001FAA5580000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1616-394-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/1936-363-0x000001D4AEF80000-0x000001D4AEF90000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1936-366-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/1936-282-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/1936-285-0x000001D4AEF80000-0x000001D4AEF90000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1936-284-0x000001D4AEF80000-0x000001D4AEF90000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1936-315-0x000001D4AEF80000-0x000001D4AEF90000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2088-508-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2088-541-0x00000259A6D90000-0x00000259A6DA0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2088-510-0x00000259A6D90000-0x00000259A6DA0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2088-511-0x00000259A6D90000-0x00000259A6DA0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2172-505-0x000001C45B9A0000-0x000001C45B9B0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2172-501-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2172-503-0x000001C45B9A0000-0x000001C45B9B0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2196-94-0x000001C2EC1C0000-0x000001C2EC1D0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2196-469-0x000001EC1AD20000-0x000001EC1AD30000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2196-99-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2196-46-0x000001C2EC1C0000-0x000001C2EC1D0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2196-386-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2196-389-0x000001EC1AD20000-0x000001EC1AD30000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2196-390-0x000001EC1AD20000-0x000001EC1AD30000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2196-15-0x000001C2EC1C0000-0x000001C2EC1D0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2196-14-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2196-481-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2196-414-0x000001EC1AD20000-0x000001EC1AD30000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2500-956-0x0000000140000000-0x000000014015E400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/2500-630-0x0000000140000000-0x000000014015E400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/2652-113-0x0000000140000000-0x0000000140645400-memory.dmp

                          Filesize

                          6.3MB

                          Download

                        • memory/2652-2-0x0000000140000000-0x0000000140645400-memory.dmp

                          Filesize

                          6.3MB

                          Download

                        • memory/2652-3-0x0000000140000000-0x0000000140645400-memory.dmp

                          Filesize

                          6.3MB

                          Download

                        • memory/2652-1-0x0000000140000000-0x0000000140645400-memory.dmp

                          Filesize

                          6.3MB

                          Download

                        • memory/2652-0-0x0000000140000000-0x0000000140645400-memory.dmp

                          Filesize

                          6.3MB

                          Download

                        • memory/2864-269-0x0000000140000000-0x0000000140645400-memory.dmp

                          Filesize

                          6.3MB

                          Download

                        • memory/2864-220-0x0000000031E20000-0x000000003231C000-memory.dmp

                          Filesize

                          5.0MB

                          Download

                        • memory/2864-117-0x0000000140000000-0x0000000140645400-memory.dmp

                          Filesize

                          6.3MB

                          Download

                        • memory/2864-116-0x0000000140000000-0x0000000140645400-memory.dmp

                          Filesize

                          6.3MB

                          Download

                        • memory/2876-278-0x0000026F7C5A0000-0x0000026F7C5B0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2876-277-0x0000026F7C5A0000-0x0000026F7C5B0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2876-373-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2876-369-0x0000026F7C5A0000-0x0000026F7C5B0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2876-275-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2876-316-0x0000026F7C5A0000-0x0000026F7C5B0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4208-961-0x0000000140000000-0x0000000140170400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/4348-383-0x0000000140000000-0x000000014015E400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/4348-381-0x0000000140000000-0x000000014015E400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/4348-494-0x0000000140000000-0x000000014015E400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/4720-268-0x0000000140000000-0x000000014015E400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/4720-270-0x0000000140000000-0x000000014015E400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/4720-271-0x0000000140000000-0x000000014015E400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/4720-382-0x0000000140000000-0x000000014015E400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/4720-266-0x0000000140000000-0x000000014015E400-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/4796-126-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/4796-129-0x000001822A030000-0x000001822A040000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4796-130-0x000001822A030000-0x000001822A040000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4796-162-0x000001822A030000-0x000001822A040000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4796-209-0x000001822A030000-0x000001822A040000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4796-219-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/5004-122-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/5004-128-0x000001B86D080000-0x000001B86D090000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5004-131-0x000001B86D080000-0x000001B86D090000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5004-165-0x000001B86D080000-0x000001B86D090000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5004-212-0x000001B86D080000-0x000001B86D090000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5004-218-0x00007FFB628A0000-0x00007FFB6328C000-memory.dmp

                          Filesize

                          9.9MB

                          Download