Overview

overview

8

Static

static

3

tmp.exe

windows7-x64

8

tmp.exe

windows10-1703-x64

8

tmp.exe

windows10-2004-x64

8

tmp.exe

windows11-21h2-x64

1

Resubmissions

11-04-2024 06:38

240411-hd63esha9z 8

11-04-2024 06:37

240411-hdp4xaha9x 8

11-04-2024 06:37

240411-hdlrgsha9w 8

11-04-2024 06:37

240411-hdk5ysha9t 8

11-04-2024 06:37

240411-hdkjesha9s 8

07-04-2024 08:23

240407-kabhfsgg71 8

07-04-2024 08:23

240407-j97t9shc64 8

07-04-2024 08:22

240407-j93wbagg7w 8

07-04-2024 08:22

240407-j9yatsgg7s 7

Analysis

  • max time kernel
    1801s
  • max time network
    1806s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-04-2024 06:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    5.3MB

  • MD5

    5fe4ea367cee11e92ad4644d8ac3cef7

  • SHA1

    44faea4a352b7860a9eafca82bd3c9b054b6db29

  • SHA256

    1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

  • SHA512

    1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

  • SSDEEP

    98304:lgU5484Bq1qdguoOzv4I3KOn6Ka1uFof9Hn6sdw5yOc4:iU54mqL9zvH3qO

Score
8/10
discoveryevasion

Malware Config

Signatures

  • Contacts a large (916) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 22 IoCs
    evasion
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops file in System32 directory 30 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1368
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:3332
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4168
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4152
      • C:\Users\Admin\AppData\Local\Temp\~tlC20E.tmp
        C:\Users\Admin\AppData\Local\Temp\~tlC20E.tmp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3900
        • C:\Windows\SYSTEM32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
            PID:1876
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:3896
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:3864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4312
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2500
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
              PID:4896
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:2804
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3116
              • C:\Windows\SYSTEM32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                5⤵
                  PID:3392
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:2352
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:3420
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4884
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4272
                • C:\Users\Admin\AppData\Local\Temp\~tl9E74.tmp
                  C:\Users\Admin\AppData\Local\Temp\~tl9E74.tmp
                  5⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:1608
                  • C:\Windows\SYSTEM32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    6⤵
                      PID:3484
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:4020
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:1388
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1444
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1060
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:2940
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              1⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3120
              • C:\Windows\system32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                2⤵
                  PID:212
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  2⤵
                  • Modifies Windows Firewall
                  PID:3416
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  2⤵
                  • Modifies Windows Firewall
                  PID:2260
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4064
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3472
                • C:\Windows\TEMP\~tl4A9E.tmp
                  C:\Windows\TEMP\~tl4A9E.tmp
                  2⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4676
                  • C:\Windows\system32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    3⤵
                      PID:4236
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      3⤵
                      • Modifies Windows Firewall
                      PID:3008
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      3⤵
                      • Modifies Windows Firewall
                      PID:2732
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      3⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4928
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      3⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4844
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3896 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
                  1⤵
                    PID:224
                  • \??\c:\windows\system\svchost.exe
                    c:\windows\system\svchost.exe
                    1⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Drops file in Windows directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4560
                    • C:\Windows\system32\netsh.exe
                      netsh int ipv4 set dynamicport tcp start=1025 num=64511
                      2⤵
                        PID:864
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        2⤵
                        • Modifies Windows Firewall
                        PID:1588
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        2⤵
                        • Modifies Windows Firewall
                        PID:3500
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                        2⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1060
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                        2⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4732
                      • C:\Windows\TEMP\~tlB2C1.tmp
                        C:\Windows\TEMP\~tlB2C1.tmp
                        2⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3824
                        • C:\Windows\system32\netsh.exe
                          netsh int ipv4 set dynamicport tcp start=1025 num=64511
                          3⤵
                            PID:2876
                          • C:\Windows\System32\netsh.exe
                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                            3⤵
                            • Modifies Windows Firewall
                            PID:4948
                          • C:\Windows\System32\netsh.exe
                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                            3⤵
                            • Modifies Windows Firewall
                            PID:2040
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                            3⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5108
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                            3⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1444
                      • \??\c:\windows\system\svchost.exe
                        c:\windows\system\svchost.exe
                        1⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Drops file in Windows directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1028
                        • C:\Windows\system32\netsh.exe
                          netsh int ipv4 set dynamicport tcp start=1025 num=64511
                          2⤵
                            PID:4488
                          • C:\Windows\System32\netsh.exe
                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                            2⤵
                            • Modifies Windows Firewall
                            PID:1756
                          • C:\Windows\System32\netsh.exe
                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                            2⤵
                            • Modifies Windows Firewall
                            PID:4168
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                            2⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4688
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                            2⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4644
                          • C:\Windows\TEMP\~tl1C6B.tmp
                            C:\Windows\TEMP\~tl1C6B.tmp
                            2⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            PID:1000
                            • C:\Windows\system32\netsh.exe
                              netsh int ipv4 set dynamicport tcp start=1025 num=64511
                              3⤵
                                PID:1448
                              • C:\Windows\System32\netsh.exe
                                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                3⤵
                                • Modifies Windows Firewall
                                PID:4960
                              • C:\Windows\System32\netsh.exe
                                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                3⤵
                                • Modifies Windows Firewall
                                PID:1392
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                3⤵
                                • Drops file in System32 directory
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3816
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                                3⤵
                                • Drops file in System32 directory
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3400
                          • \??\c:\windows\system\svchost.exe
                            c:\windows\system\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Drops file in Windows directory
                            • Modifies data under HKEY_USERS
                            PID:3208
                            • C:\Windows\system32\netsh.exe
                              netsh int ipv4 set dynamicport tcp start=1025 num=64511
                              2⤵
                                PID:3724
                              • C:\Windows\System32\netsh.exe
                                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                2⤵
                                • Modifies Windows Firewall
                                PID:3920
                              • C:\Windows\System32\netsh.exe
                                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                2⤵
                                • Modifies Windows Firewall
                                PID:4516
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                2⤵
                                • Drops file in System32 directory
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1960
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                                2⤵
                                • Drops file in System32 directory
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4424
                              • C:\Windows\TEMP\~tl8450.tmp
                                C:\Windows\TEMP\~tl8450.tmp
                                2⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • Modifies data under HKEY_USERS
                                PID:764
                                • C:\Windows\system32\netsh.exe
                                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                                  3⤵
                                    PID:1620
                                  • C:\Windows\System32\netsh.exe
                                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                    3⤵
                                    • Modifies Windows Firewall
                                    PID:2540
                                  • C:\Windows\System32\netsh.exe
                                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                    3⤵
                                    • Modifies Windows Firewall
                                    PID:3972
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                    3⤵
                                    • Drops file in System32 directory
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4900
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                                    3⤵
                                    • Drops file in System32 directory
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3488

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                Filesize

                                2KB

                                MD5

                                d85ba6ff808d9e5444a4b369f5bc2730

                                SHA1

                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                SHA256

                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                SHA512

                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                0a7dafd4af6ce4631e060c6f6896935e

                                SHA1

                                6d56bec43b43f2141b581c28d1928689b556df25

                                SHA256

                                ca04a16d6f41b98c5df52fe878d44d913c7b4400497441e6d11a1b41d4298119

                                SHA512

                                8159d4de8ff4f425b3ffbede9b420f749f0394183df823e39dba01e1d511b697ed4b60f84c46f7165c473610e1699882b4109af5c4ccfafa000c3846a08d3fac

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                9ca62829cf9a43f0efba832e7048c78e

                                SHA1

                                0b6f8169a0dc6e5ca68cc1e21dc060f9332b02f5

                                SHA256

                                9a8b857c70b3d9bf6176eb63ef2cb24a3694c3f18896233722e0e4f5ac8f4b41

                                SHA512

                                23ac129228b4ec7b0d97209383827e758cb873ddf752d1f361beccfd7df12aa728f76df648103fa5496fb23f9762c8c396a314e2a59d01ce72b9aba178b92cfd

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                e58749a7a1826f6ea62df1e2ef63a32b

                                SHA1

                                c0bca21658b8be4f37b71eec9578bfefa44f862d

                                SHA256

                                0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

                                SHA512

                                4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                b3bc9ca267ea2969eb6201d77e58560c

                                SHA1

                                78f83a443aa1ca235edcab2da9e2fda6fecc1da4

                                SHA256

                                7ea18b6f900f2c30a5c34845d62d4fe9fc1f11e40714b3dbd69592cbfb5dc695

                                SHA512

                                8cc70e4f88f3d9f59beec22dafdb403144f7f390250205e08279a2f8e01e783af44ae31aa4a8a7ea05865b05303ac5e5048f7fb44488be538d9701b6195e9b28

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                e448fe0d240184c6597a31d3be2ced58

                                SHA1

                                372b8d8c19246d3e38cd3ba123cc0f56070f03cd

                                SHA256

                                c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

                                SHA512

                                0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                64B

                                MD5

                                6629ee5abf4434c11307b03b7e079443

                                SHA1

                                ea20725f1ae2f189fb00a3bcbb8143681a2914ec

                                SHA256

                                c000ce2516e7e9eef31414b0512a2415c5770b9af085883ba20bfaa2c965330f

                                SHA512

                                67dc272ef70938fea434a2b51ca6504f1e9d2f5e10615a80a1a1315ed4ef2f1637d720ba29de402f89e49d5f0e911f0d1bfbfee3ecdcfd473e9148599c7df613

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_33vpnf52.tzp.ps1
                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\~tl9E74.tmp
                                Filesize

                                393KB

                                MD5

                                9dbdd43a2e0b032604943c252eaf634a

                                SHA1

                                9584dc66f3c1cce4210fdf827a1b4e2bb22263af

                                SHA256

                                33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

                                SHA512

                                b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\~tlC20E.tmp
                                Filesize

                                385KB

                                MD5

                                e802c96760e48c5139995ffb2d891f90

                                SHA1

                                bba3d278c0eb1094a26e5d2f4c099ad685371578

                                SHA256

                                cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

                                SHA512

                                97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
                                Filesize

                                2.7MB

                                MD5

                                c9b1dde253446b4b2bc6a0ad4d3022c2

                                SHA1

                                66cf356f3717f3d07a1c568c7146f9f9f14adf9f

                                SHA256

                                4fcc265cafab726d5e03b652e7b3fb4681a28f0dc5349825fe28b5413c96d3f3

                                SHA512

                                0e8f41766a67cea5d48950d0f30b5c5e1c6b7e9a5d77515e2be72d719c11bed624991c8764c7edddb0981dffd34fbd6e6e89d9ac9bd65164a14b27f21a2ce005

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
                                Filesize

                                15.0MB

                                MD5

                                5c8a1f8fd835c8cba6773049e15b03ea

                                SHA1

                                8866ba6ba7b055d9532c153e2afc1d79818e75c2

                                SHA256

                                17952e0177ce6ad42833c03d50ffdf0fb845178f94735d450362aaf74dab9779

                                SHA512

                                37a9c6b823d1355a3dc9bc6106c9ec09cf501e65009103c74718a65897646e55e3dac187371bcfd0661023056122cc0ce7cdbfb8adffa6b0769a7a72ad524f55

                                Download Submit

                              • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg
                                Filesize

                                393KB

                                MD5

                                72e28e2092a43e0d70289f62bec20e65

                                SHA1

                                944f2b81392ee946f4767376882c5c1bda6dddb5

                                SHA256

                                6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f

                                SHA512

                                31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466

                                Download Submit

                              • C:\Windows\System\svchost.exe
                                Filesize

                                5.3MB

                                MD5

                                5fe4ea367cee11e92ad4644d8ac3cef7

                                SHA1

                                44faea4a352b7860a9eafca82bd3c9b054b6db29

                                SHA256

                                1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

                                SHA512

                                1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                Filesize

                                4KB

                                MD5

                                bdb25c22d14ec917e30faf353826c5de

                                SHA1

                                6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

                                SHA256

                                e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

                                SHA512

                                b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                1KB

                                MD5

                                295c8977d7d5ff4218c1ebd3f7c0d4ec

                                SHA1

                                9e282bb3542bfba8ebbfd45d12d97c828816fb40

                                SHA256

                                f74ca2854372d254b0a8af8fc83d1bc023453b66cfdbeb34deca9849eca7b68a

                                SHA512

                                25c7b64425d151156c8b91838b0037ac27cd15e852e8970e7e34bfbc186f192b5394b7d16a7b75c91e309d0d581d66f1035aeeae6dbd66e9bce1f4191d1ce132

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                856B

                                MD5

                                95d4fa0605be734a6dddedd1d412ce13

                                SHA1

                                4c3cddddc728b635849cc3362729d5823f8237d7

                                SHA256

                                abb84289b886cf944d52335a13c2ddf10427fe4230442585f8e90929c2f2c54f

                                SHA512

                                b6b2b1f35d40898272aab004c98fa1864df07ca26ede7c134289565b74b2c5f0cf320675a64a6305fcdbf1d121a2161f6e08bfd7702980cc841ce70bec0757be

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                1KB

                                MD5

                                5cd35827fec8e152db9fd3eac1d7d734

                                SHA1

                                bbdf5d5da3ee4a24445a4085f52a0140853d93eb

                                SHA256

                                b1d7795a025527ced239a8ffb5c10551dff70d9efe7748cfc0bbcaef3ea90808

                                SHA512

                                be4b1601a28e7cd04f39c191b9bfbb6975ef7d3d16b486145d0ccd2f38a0875914a29d12087f5fc58bfdf5922468b4c5b60e90ccaf0379fe1906a923babdcf10

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                936B

                                MD5

                                8e07da89dbd9d504dccecf7f9c99a85a

                                SHA1

                                6e4608dbdd3ddc2e19d92b6e427139f7ef5a9ffc

                                SHA256

                                b2e55cb902da13eb15334f39c7b4b2a7588bddd6ae5c2ed404cac5713ae9890c

                                SHA512

                                f3a9d7fe90ac265cc47a65370a03719c374ccdf30b43707398b6dd8d126665c4ba2ada1c4ccd9dd5a681e14490788b8cd724633ac8f0d816b107b2d5995672ad

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                1KB

                                MD5

                                b42c70c1dbf0d1d477ec86902db9e986

                                SHA1

                                1d1c0a670748b3d10bee8272e5d67a4fabefd31f

                                SHA256

                                8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

                                SHA512

                                57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                232B

                                MD5

                                b8db8cc4faa91bc081c87c3b3cf780b5

                                SHA1

                                fefa554bc550fb9a06f25c38f0822a8bbf8b8d70

                                SHA256

                                b9c2c0f493b8b12f71831a888c0fb2797f681635f5b6cf681c2d9f0aa7d3fa2f

                                SHA512

                                830ec1a6d449a8fdd06cce6e5535e715073f473e70deb279707c056672379aa912bd856b53648c3ab8fca94e926ca2d51f3fcd7be9df97bad87920113ffa69f0

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                1KB

                                MD5

                                a2f9b358febe03b1f7cd43aaeb9830c0

                                SHA1

                                2e7ea147c70b8110c93d9a2562e970c10b005d9f

                                SHA256

                                d8375178143b6c6f18cc9922a016f4cfb4613bfec47a1479dedb0f426997c626

                                SHA512

                                071367c578a5165957b529ac4b00d421a508bc3745bef2cf8720b732c5c92fff80dae93d8bd1d0185752dab0e55551219551d048ab7295130fe2a2fbc3534ac7

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                976B

                                MD5

                                21d75cfbffb3c43aaaf486f146819581

                                SHA1

                                989dc3b1d3f1e244939ea4e2732e3ab730612422

                                SHA256

                                05ef5f091d32e2b471b53229f31210a9dae34134f609a4438b3085d12c6e8e1e

                                SHA512

                                0952cd426fdfa95498e95e537dea3814f2e34841d306c9bf92e7b8300b8ccfdfc80dac2ddf3fe85de0024da73dab016fc97d19a0ccd42974f7c916060a662985

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                1KB

                                MD5

                                a96175269c35d354dd9ab45adaf9e104

                                SHA1

                                0f87cebf806e2084e210a1167490f45b3e129c65

                                SHA256

                                ebcab2b58fe1e11aee7573752caedad63ff43e35a3f6b4e18d8f841c9fcea4e7

                                SHA512

                                a1adf5842fcbcc73cd151bd5866086cd630b2ecbdba101fa66b5f3ffdc19e405287f046ca5251b0ccfb6831d720d62b3f1f9fb9a677401c76c094abee12000e9

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                1KB

                                MD5

                                2d4ef51ce6af8a65068e0451d4c50cea

                                SHA1

                                1113ecf0f32707482de74c2cc4e37df437268083

                                SHA256

                                d7b341f731863e026c8fe39ce3d151bebba0708911c22bae4e3af1394e86bb86

                                SHA512

                                69c466570e3ef5bb837b68dba79676e394113af9512246b068e22be9639181d1a4b1b908826a51cd1218d22b34af6a9c7d47d8a13372f1ccd2e4c54a27309a33

                                Download Submit

                              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                1KB

                                MD5

                                edfd33de9ce0e7ac7f9c7e675e68fbf2

                                SHA1

                                8b63bb7922ed057619a48c59bb7e5684356342b8

                                SHA256

                                2c8781cfd6b81fc4969c706eb216ac0e85d97164c13d63d9e084081cae3b72ab

                                SHA512

                                45c09025ec82b5182ba9f42a57ff9dbf4738b4f91d6e03ebf51c70d78af00db2dfbf8be7c96bbb24b882cb0e702c514608de459c48cc9961dd886f9fa7dcbf90

                                Download Submit

                              • memory/1060-245-0x000001AC705E0000-0x000001AC705F0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/1060-257-0x000001AC705E0000-0x000001AC705F0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/1060-263-0x00007FFAE2790000-0x00007FFAE3251000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/1060-244-0x00007FFAE2790000-0x00007FFAE3251000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/1368-38-0x00007FFAE2750000-0x00007FFAE3211000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/1368-10-0x0000024200030000-0x0000024200052000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/1368-25-0x00007FFAE2750000-0x00007FFAE3211000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/1368-26-0x0000024181BC0000-0x0000024181BD0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/1368-27-0x0000024181BC0000-0x0000024181BD0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/1368-31-0x0000024181BC0000-0x0000024181BD0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/1444-48-0x0000000140000000-0x0000000140645400-memory.dmp

                                Filesize

                                6.3MB

                                Download

                              • memory/1444-2-0x0000000140000000-0x0000000140645400-memory.dmp

                                Filesize

                                6.3MB

                                Download

                              • memory/1444-232-0x00007FFAE2790000-0x00007FFAE3251000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/1444-1-0x0000000140000000-0x0000000140645400-memory.dmp

                                Filesize

                                6.3MB

                                Download

                              • memory/1444-233-0x000001FD774B0000-0x000001FD774C0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/1444-234-0x000001FD774B0000-0x000001FD774C0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/1444-3-0x0000000140000000-0x0000000140645400-memory.dmp

                                Filesize

                                6.3MB

                                Download

                              • memory/1444-4-0x0000000140000000-0x0000000140645400-memory.dmp

                                Filesize

                                6.3MB

                                Download

                              • memory/1444-256-0x000001FD774B0000-0x000001FD774C0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/1444-0-0x0000000140000000-0x0000000140645400-memory.dmp

                                Filesize

                                6.3MB

                                Download

                              • memory/1444-258-0x000001FD774B0000-0x000001FD774C0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/1444-260-0x00007FFAE2790000-0x00007FFAE3251000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/1608-230-0x0000000140000000-0x0000000140170400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/1608-265-0x0000000140000000-0x0000000140170400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/1608-226-0x0000000140000000-0x0000000140170400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/1608-231-0x0000000140000000-0x0000000140170400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/1608-229-0x0000000140000000-0x0000000140170400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/2084-24-0x00007FFAE2750000-0x00007FFAE3211000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/2084-37-0x00007FFAE2750000-0x00007FFAE3211000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/2084-30-0x000001C1D9840000-0x000001C1D9850000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/2084-29-0x000001C1D9840000-0x000001C1D9850000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/2084-28-0x000001C1D9840000-0x000001C1D9850000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/2500-170-0x00007FFAE2790000-0x00007FFAE3251000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/2500-152-0x000002176D360000-0x000002176D370000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/2500-151-0x00007FFAE2790000-0x00007FFAE3251000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/2500-163-0x000002176D360000-0x000002176D370000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/2500-153-0x000002176D360000-0x000002176D370000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/2500-167-0x000002176D360000-0x000002176D370000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/3116-185-0x0000000140000000-0x000000014015E400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/3116-182-0x0000000140000000-0x000000014015E400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/3116-227-0x0000000140000000-0x000000014015E400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/3120-295-0x0000000140000000-0x000000014015E400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/3120-369-0x0000000140000000-0x000000014015E400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/3900-132-0x0000000140000000-0x000000014015E400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/3900-135-0x0000000140000000-0x000000014015E400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/3900-136-0x0000000140000000-0x000000014015E400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/3900-137-0x0000000140000000-0x000000014015E400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/3900-184-0x0000000140000000-0x000000014015E400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/4152-67-0x000001C2E5700000-0x000001C2E5710000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4152-84-0x00007FFAE2670000-0x00007FFAE3131000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4152-66-0x00007FFAE2670000-0x00007FFAE3131000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4152-78-0x000001C2E5700000-0x000001C2E5710000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4152-81-0x000001C2E5700000-0x000001C2E5710000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4168-53-0x00007FFAE2670000-0x00007FFAE3131000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4168-54-0x000002643ED20000-0x000002643ED30000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4168-55-0x000002643ED20000-0x000002643ED30000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4168-77-0x000002643ED20000-0x000002643ED30000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4168-80-0x00007FFAE2670000-0x00007FFAE3131000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4272-198-0x00007FFAE2790000-0x00007FFAE3251000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4272-217-0x00007FFAE2790000-0x00007FFAE3251000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4272-213-0x000002122B9D0000-0x000002122B9E0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4272-210-0x000002122B9D0000-0x000002122B9E0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4272-199-0x000002122B9D0000-0x000002122B9E0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4312-166-0x00007FFAE2790000-0x00007FFAE3251000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4312-164-0x0000015431F00000-0x0000015431F10000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4312-149-0x0000015431F00000-0x0000015431F10000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4312-139-0x0000015431F00000-0x0000015431F10000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4312-138-0x00007FFAE2790000-0x00007FFAE3251000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4676-374-0x0000000140000000-0x0000000140170400-memory.dmp

                                Filesize

                                1.4MB

                                Download

                              • memory/4804-133-0x0000000140000000-0x0000000140645400-memory.dmp

                                Filesize

                                6.3MB

                                Download

                              • memory/4804-52-0x0000000140000000-0x0000000140645400-memory.dmp

                                Filesize

                                6.3MB

                                Download

                              • memory/4804-51-0x0000000140000000-0x0000000140645400-memory.dmp

                                Filesize

                                6.3MB

                                Download

                              • memory/4804-85-0x000000003B8D0000-0x000000003BDCC000-memory.dmp

                                Filesize

                                5.0MB

                                Download

                              • memory/4884-188-0x0000019A6F750000-0x0000019A6F760000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4884-212-0x0000019A6F750000-0x0000019A6F760000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4884-211-0x0000019A6F750000-0x0000019A6F760000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4884-218-0x00007FFAE2790000-0x00007FFAE3251000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4884-186-0x00007FFAE2790000-0x00007FFAE3251000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4884-187-0x0000019A6F750000-0x0000019A6F760000-memory.dmp

                                Filesize

                                64KB

                                Download