Overview

overview

8

Static

static

3

e9e34828dd...d5.exe

windows10-1703-x64

8

e9e34828dd...d5.exe

windows7-x64

8

e9e34828dd...d5.exe

windows10-1703-x64

8

e9e34828dd...d5.exe

windows10-2004-x64

8

e9e34828dd...d5.exe

windows11-21h2-x64

7

Resubmissions

17/04/2024, 11:54

240417-n29fcafd81 8

17/04/2024, 11:54

240417-n285ksdh43 8

17/04/2024, 11:54

240417-n28h2sfd8z 8

17/04/2024, 11:54

240417-n246mafd8x 8

17/04/2024, 11:54

240417-n24j4afd8w 8

16/04/2024, 10:48

240416-mwlxesad2t 8

Analysis

  • max time kernel
    1799s
  • max time network
    1802s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17/04/2024, 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe

  • Size

    5.3MB

  • MD5

    4a6096deaaaf3fe393b61d66540ce4ab

  • SHA1

    9f91f6feae419a73a3371e06206b5e459281cff0

  • SHA256

    e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5

  • SHA512

    9322c12a042ef7914bedf73618b135775f99bcc352e23b606e6887f1e7843bda3fb9025a06eefb4bd1468a69565f6f8d34bacf0d0fcbd4ee7c34cd46c96e6d01

  • SSDEEP

    98304:GBze+DWzwgfjGmMdivlucHq81K0U4DzRtNCC6rYOALRiNKpRyE3Rb1:4ze9cidud8pUSzpXOALRi4pT91

Score
8/10
discoveryevasion

Malware Config

Signatures

  • Contacts a large (1126) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 22 IoCs
    evasion
  • Executes dropped EXE 12 IoCs
  • Drops file in System32 directory 41 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe
    "C:\Users\Admin\AppData\Local\Temp\e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4576
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:3268
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:772
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:68
      • C:\Users\Admin\AppData\Local\Temp\~tl7896.tmp
        C:\Users\Admin\AppData\Local\Temp\~tl7896.tmp
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4512
        • C:\Windows\SYSTEM32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
            PID:1836
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:3100
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:4592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5024
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3732
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
              PID:4420
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:1664
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:64
              • C:\Windows\SYSTEM32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                5⤵
                  PID:3852
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:4936
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:4584
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1428
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1680
                • C:\Users\Admin\AppData\Local\Temp\~tl6B53.tmp
                  C:\Users\Admin\AppData\Local\Temp\~tl6B53.tmp
                  5⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2284
                  • C:\Windows\SYSTEM32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    6⤵
                      PID:3480
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:4712
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:1804
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4512
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1472
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1748
            • C:\Windows\system32\netsh.exe
              netsh int ipv4 set dynamicport tcp start=1025 num=64511
              2⤵
              • Modifies data under HKEY_USERS
              PID:3516
            • C:\Windows\System32\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
              2⤵
              • Modifies Windows Firewall
              PID:2296
            • C:\Windows\System32\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
              2⤵
              • Modifies Windows Firewall
              PID:1888
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
              2⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:3384
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
              2⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:4676
            • C:\Windows\TEMP\~tl682E.tmp
              C:\Windows\TEMP\~tl682E.tmp
              2⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              PID:1524
              • C:\Windows\system32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                3⤵
                  PID:5112
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  3⤵
                  • Modifies Windows Firewall
                  PID:4340
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  3⤵
                  • Modifies Windows Firewall
                  PID:996
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  3⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4644
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  3⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4572
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              1⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              PID:216
              • C:\Windows\system32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                2⤵
                  PID:932
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  2⤵
                  • Modifies Windows Firewall
                  PID:1372
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  2⤵
                  • Modifies Windows Firewall
                  PID:1444
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4648
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3548
                • C:\Windows\TEMP\~tlCFF3.tmp
                  C:\Windows\TEMP\~tlCFF3.tmp
                  2⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  PID:4288
                  • C:\Windows\system32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    3⤵
                      PID:4596
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      3⤵
                      • Modifies Windows Firewall
                      PID:4240
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      3⤵
                      • Modifies Windows Firewall
                      PID:1956
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      3⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:3876
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      3⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:64
                • \??\c:\windows\system\svchost.exe
                  c:\windows\system\svchost.exe
                  1⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Drops file in Windows directory
                  • Modifies data under HKEY_USERS
                  PID:2920
                  • C:\Windows\system32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    2⤵
                      PID:3256
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      2⤵
                      • Modifies Windows Firewall
                      PID:4424
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      2⤵
                      • Modifies Windows Firewall
                      PID:3464
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      2⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:3940
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      2⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:4916
                    • C:\Windows\TEMP\~tl40A1.tmp
                      C:\Windows\TEMP\~tl40A1.tmp
                      2⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      PID:900
                      • C:\Windows\system32\netsh.exe
                        netsh int ipv4 set dynamicport tcp start=1025 num=64511
                        3⤵
                          PID:3908
                        • C:\Windows\System32\netsh.exe
                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                          3⤵
                          • Modifies Windows Firewall
                          PID:192
                        • C:\Windows\System32\netsh.exe
                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                          3⤵
                          • Modifies Windows Firewall
                          • Modifies data under HKEY_USERS
                          PID:2948
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                          3⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:1440
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                          3⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:972
                    • \??\c:\windows\system\svchost.exe
                      c:\windows\system\svchost.exe
                      1⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Drops file in Windows directory
                      PID:3924
                      • C:\Windows\system32\netsh.exe
                        netsh int ipv4 set dynamicport tcp start=1025 num=64511
                        2⤵
                          PID:4116
                        • C:\Windows\System32\netsh.exe
                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                          2⤵
                          • Modifies Windows Firewall
                          PID:1572
                        • C:\Windows\System32\netsh.exe
                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                          2⤵
                          • Modifies Windows Firewall
                          PID:2728
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                          2⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:4540
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                          2⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:3684
                        • C:\Windows\TEMP\~tlAF3D.tmp
                          C:\Windows\TEMP\~tlAF3D.tmp
                          2⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          PID:2428
                          • C:\Windows\system32\netsh.exe
                            netsh int ipv4 set dynamicport tcp start=1025 num=64511
                            3⤵
                            • Modifies data under HKEY_USERS
                            PID:648
                          • C:\Windows\System32\netsh.exe
                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                            3⤵
                            • Modifies Windows Firewall
                            PID:3944
                          • C:\Windows\System32\netsh.exe
                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                            3⤵
                            • Modifies Windows Firewall
                            PID:60
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                            3⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            PID:2204
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                            3⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            PID:680

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                        Filesize

                        2KB

                        MD5

                        cd5b15b46b9fe0d89c2b8d351c303d2a

                        SHA1

                        e1d30a8f98585e20c709732c013e926c7078a3c2

                        SHA256

                        0a8a0dcbec27e07c8dc9ef31622ac41591871416ccd9146f40d8cc9a2421da7a

                        SHA512

                        d7261b2ff89adcdb909b775c6a47b3cd366b7c3f5cbb4f60428e849582c93e14e76d7dcadec79003eef7c9a3059e305d5e4f6b5b912b9ebc3518e06b0d284dd7

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        291B

                        MD5

                        34e83e3d702f89263d216834036dd351

                        SHA1

                        1cacb59d7015a31d701398943367b50fd66506b6

                        SHA256

                        6da7ce13a46c3d11aced521aa8f388e341ace0dcf86180e5e0fedd108d3928c8

                        SHA512

                        7bc3593567b0dc0a41ce3baad0205fc9228fd61381e94971448ae4b87b8dcad4032deac039070469851e972f636beec3212cccff379509d1fe72c6cc28732706

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        cd6448170a2a479bc0eecbbbedbf288c

                        SHA1

                        68151783f621f379cb6b75c184bb2dddc3dad40c

                        SHA256

                        cc93065ef11aed27cec65cc5cfcb695d7a281972977908fd94e4b4a6fd13835f

                        SHA512

                        8a23c82433cf271a4cd78d6517a51a93dcb24e038f49b1dc18f6b9fdb17dcd7fca8672ccd7ff84a60ef9c72bc6753b85803314dd318e69f569e633b537bc0b37

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        d847d0d0f1713fa8ad7f9c3acee8f322

                        SHA1

                        a35692962caa89e60166af7a8969a9b4e36c562c

                        SHA256

                        387a48b6628332f6fbd0bf50d15d955a125bb40b99a4ee6b08479a9ab33a072c

                        SHA512

                        971b536ac22a514c3ab49c40623062a6dcb951a76f983d382536e99056592ea9e3a280262aeafe8c2ffae908fe66f641ada1d1f9affd1e825336a0934c8c5eae

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        adac08c1d01400753eea2f92af36880b

                        SHA1

                        a60759bdf444338148171b355d86f4af298e4de1

                        SHA256

                        a0d2153301a1a461d8abd06465243a05fc09761a949ed312381a7971e18e59f1

                        SHA512

                        25e39967f39e8e3eeb2df9892da830fde43936417697ac1cfebab049e7555299a5f8171f5132307ee83935dd645a7f3bcc91aac80b6c6d91a5492352ef57c43d

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        a09666eac37fbaec8eb9921971ca13d7

                        SHA1

                        92e9d22c8ef0509bfe6da6702738a359b7344192

                        SHA256

                        9efb065ac67af0f22dd03721a9ed1b1d65e0f5348cd34f3f71dfa1eae4e1c0ac

                        SHA512

                        e0eeac934a9569f935371e689b504790ddd1ba5fe7c35b972b83ac82892dd20624c62f6a78d0a9261af4330d7e9b9fbfe6ac949ae7bcd2c71a618a428f7f9344

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        569dfcf2759fb1fcff9ce7209cc0894d

                        SHA1

                        7515ef58a95919e6457eb1e454620e565f270738

                        SHA256

                        1a69e712afc463828fbc3de7414f9de4a213efa2e20e1fae7e7b09d8d9421e70

                        SHA512

                        94c6aec9555028cd759edfd28c183542ecab1d4f00eac1bccb4f351c9c1ab0f023a52f937e145bd6e78727e006c4e0cabccc33e34d6cf86942f6e9150be29dc3

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1zxtdaqy.wcn.ps1
                        Filesize

                        1B

                        MD5

                        c4ca4238a0b923820dcc509a6f75849b

                        SHA1

                        356a192b7913b04c54574d18c28d46e6395428ab

                        SHA256

                        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                        SHA512

                        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\~tl6B53.tmp
                        Filesize

                        393KB

                        MD5

                        9dbdd43a2e0b032604943c252eaf634a

                        SHA1

                        9584dc66f3c1cce4210fdf827a1b4e2bb22263af

                        SHA256

                        33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

                        SHA512

                        b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\~tl7896.tmp
                        Filesize

                        385KB

                        MD5

                        e802c96760e48c5139995ffb2d891f90

                        SHA1

                        bba3d278c0eb1094a26e5d2f4c099ad685371578

                        SHA256

                        cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

                        SHA512

                        97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
                        Filesize

                        2.6MB

                        MD5

                        ce429ca18521f43e55a599bb78c1cc24

                        SHA1

                        264524f1bf8939e983069aa7752fd2f66798f7b0

                        SHA256

                        ed9ec12bba9fded5d2021a7c9f0474e2f09cc7f1b85617d3e789653dd3e581a4

                        SHA512

                        f8bc49d99fc4958e96e39331b80ea795c2124048ec9c199bce6b33ecf435a27c53c8b3517142d9a8695b125ee750afb8503fd6de384fd67c7ca2364d6f8999ab

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
                        Filesize

                        15.0MB

                        MD5

                        18b3e45d47deaffe6bd46ad4b71d13ba

                        SHA1

                        ab92f95e99593c1452a150d08888d521cffa3065

                        SHA256

                        c66116b9b379bd2eb625c7abdd9bba8e4088610948fcf9650f6d96f48e828f9d

                        SHA512

                        081178f574e7d49f329b46477259647833e19ab401624c402a6f12b0ff59a7fca955d51e6ebf4c28774da32a2ff1c1acee21a9a8d8d99a2123770988cc93e88a

                        Download Submit

                      • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg
                        Filesize

                        393KB

                        MD5

                        72e28e2092a43e0d70289f62bec20e65

                        SHA1

                        944f2b81392ee946f4767376882c5c1bda6dddb5

                        SHA256

                        6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f

                        SHA512

                        31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466

                        Download Submit

                      • C:\Windows\System\svchost.exe
                        Filesize

                        5.3MB

                        MD5

                        4a6096deaaaf3fe393b61d66540ce4ab

                        SHA1

                        9f91f6feae419a73a3371e06206b5e459281cff0

                        SHA256

                        e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5

                        SHA512

                        9322c12a042ef7914bedf73618b135775f99bcc352e23b606e6887f1e7843bda3fb9025a06eefb4bd1468a69565f6f8d34bacf0d0fcbd4ee7c34cd46c96e6d01

                        Download Submit

                      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                        Filesize

                        3KB

                        MD5

                        478f1c1fcff584f4f440469ed71d2d43

                        SHA1

                        0900e9dc39580d527c145715f985a5a86e80b66c

                        SHA256

                        c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

                        SHA512

                        4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

                        Download Submit

                      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        238B

                        MD5

                        9ba6b6d4349205355156f622caeab348

                        SHA1

                        732a088122a20b3ef02895c6b23ce6213b147d3f

                        SHA256

                        7682364047d3ab80513edb7de403e5d38644bc7d7c958f777137492b80c3edd1

                        SHA512

                        543dff25f76fb3b727e39885a3f0e6db0186fc629e94e69f0ddbafbe8e6cc9d38b355536d837db47e46e30102e08380ab6ff993aa25edcb8a7d4804ba004b81c

                        Download Submit

                      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        d03d7688ce6a97b613f1d70ac7d35bb7

                        SHA1

                        ed6013656778a4e42f603e1f90e17a44b53609dc

                        SHA256

                        9ed9637e10b509e13ebe42cd29cdeeb27502862b243349dae5955b17836e2ec5

                        SHA512

                        de2fbbb173a6d5dbe50b014105a3b9fe76c759e4e3f3569f6be7f8ea56b8aa055724680c9879531ba334d81e730be102ede9cffe40a88096c65c5e33f26e4050

                        Download Submit

                      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        e9d12fbdb708bc93bbcdc58836932664

                        SHA1

                        9d30d763acbe3fc11c7abc76211a0e6a96d7729e

                        SHA256

                        d5a80b5c419dbaff5a9fa7fe681702950c9b56eb1975aaed0cdb1412cceeed55

                        SHA512

                        8ae8f1a7ba72ee42690758605ef6ef7c2fd53a9860bbadbe192574eeacbbc5fa633a7ccf24873e00deb9e43b968bfce2f4a92146d7ba72514b5ac6a4a1961f5b

                        Download Submit

                      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        090d628911e80097006ddd9b5185acf0

                        SHA1

                        393dcb147dc9a39fd5c7034a60998f9f4eb3d9d9

                        SHA256

                        129cb956614253f37a24fd398eeb0f9b58d8c37af2e725920eb677714c06da58

                        SHA512

                        98ff306980bf8ed2168958824aff6f5a60cede491d3070569f3d43819511083dba36962e977b78833bb95cdc645eafac40732c07fbdf3772c5df8f901b8864ed

                        Download Submit

                      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        62dfe980c7cb47220278044b9227b88e

                        SHA1

                        1daf71e3ff9f7ba2915e939c6c3cf7ec5a309d98

                        SHA256

                        3d13cf90f22ec2a6fe9da67db00545581aa8f8c3bbfe1812832a216f92cdd23a

                        SHA512

                        dceb60199539aab1db79bea6530808f3714d254a6ef1083df770bcd4cdb984ab9932f41c2644714ae5b14968acee40e4e3b8215eb34134edb0503b342dca1f76

                        Download Submit

                      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        107546403faea127d3b37b9fe17c8049

                        SHA1

                        b456310efda3af71e89887c5a46e0aa493e244b5

                        SHA256

                        253805320c8c265a9c295e453d9bfc19484cab5e5756ec44e07c359fe14ac650

                        SHA512

                        ad98a463e566d8e6afa5abcc91f18e96f711e31319c44ce0b39bb24a60fd9ed5829522362718db268add261a1c022aba4fe46ca21cc58cda112658e57e7d9e65

                        Download Submit

                      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        0f0a22392f443d7245e77f82ded37bde

                        SHA1

                        5bfd4604694f2807167f7f45e953375135319ebf

                        SHA256

                        890d8344a25f28df64cd133988764a0dc987e762b5cf366f10cf1bb89a8d9273

                        SHA512

                        26ddce3739b28d5779fac72a509156ac463d73d3281d6819b2e24d3e47438d156f1a1029fbbc8526789d8a7ec39b2cf38ace2da8d410c8c86457a01003e8dc88

                        Download Submit

                      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        8b4e261fdbc669a3ab4ce1951f64b6d0

                        SHA1

                        f220df89c6d4ac24e31a542af997a35a512de365

                        SHA256

                        57041b41d40f0c36f7653beab1718fbdaaf7d5ffc0fd72b64c8a541a5dc8c8d2

                        SHA512

                        eb7ea8f5d08af67f841c45321a174f806d3fc19e907e02999b0aa4388042bf9b7879e939e3ffac94394a7442a920a8f9d96586a50d00cc51f32f3a5bc71d8ae2

                        Download Submit

                      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        7a1ebcc51380124f1bafbe67c5f83fad

                        SHA1

                        888c905d49922b0da1083bb8d819d7244d61efae

                        SHA256

                        49026bdb74d4716f39b249208bf3e4949b0cae59841d1ba4f8d3953cb5fa8a04

                        SHA512

                        b9a1217efb52debb78fc2569fe1921a0b417ec911ba9139b780b402951d15723a5ea5eb71f4cf8a04d0dd909ac9aebc728195a1466392806943b1af652f670a5

                        Download Submit

                      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        631f4b3792b263fdda6b265e93be4747

                        SHA1

                        1d6916097d419198bfdf78530d59d0d9f3e12d45

                        SHA256

                        4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

                        SHA512

                        e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

                        Download Submit

                      • memory/64-503-0x0000000140000000-0x000000014015E400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/64-385-0x0000000140000000-0x000000014015E400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/64-384-0x0000000140000000-0x000000014015E400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/64-387-0x0000000140000000-0x000000014015E400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/64-497-0x0000000140000000-0x000000014015E400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/68-126-0x0000023C77830000-0x0000023C77840000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/68-158-0x0000023C77830000-0x0000023C77840000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/68-207-0x0000023C77830000-0x0000023C77840000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/68-124-0x0000023C77830000-0x0000023C77840000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/68-216-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/68-121-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/772-125-0x000001216D370000-0x000001216D380000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/772-210-0x000001216D370000-0x000001216D380000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/772-118-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/772-159-0x000001216D370000-0x000001216D380000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/772-217-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/772-127-0x000001216D370000-0x000001216D380000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1428-391-0x00007FFBCBF20000-0x00007FFBCC90C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/1428-492-0x00007FFBCBF20000-0x00007FFBCC90C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/1428-393-0x00000275FD770000-0x00000275FD780000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1428-474-0x00000275FD770000-0x00000275FD780000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1428-394-0x00000275FD770000-0x00000275FD780000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1428-422-0x00000275FD770000-0x00000275FD780000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1524-979-0x0000000140000000-0x0000000140170400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/1524-1298-0x0000000140000000-0x0000000140170400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/1680-399-0x00007FFBCBF20000-0x00007FFBCC90C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/1680-405-0x000002841C450000-0x000002841C460000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1680-404-0x000002841C450000-0x000002841C460000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1680-452-0x000002841C450000-0x000002841C460000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1680-488-0x000002841C450000-0x000002841C460000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1680-493-0x00007FFBCBF20000-0x00007FFBCC90C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/1748-648-0x0000000140000000-0x000000014015E400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/1748-975-0x0000000140000000-0x000000014015E400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/2284-615-0x0000000140000000-0x0000000140170400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/2284-616-0x0000000140000000-0x0000000140170400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/2284-502-0x0000000140000000-0x0000000140170400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/2284-505-0x0000000140000000-0x0000000140170400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/2284-504-0x0000000140000000-0x0000000140170400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/2284-506-0x0000000140000000-0x0000000140170400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/2284-507-0x0000000140000000-0x0000000140170400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/2780-9-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/2780-11-0x0000024BFF960000-0x0000024BFF970000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2780-15-0x0000024BFF960000-0x0000024BFF970000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2780-46-0x0000024BFF960000-0x0000024BFF970000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2780-105-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/2780-100-0x0000024BFF960000-0x0000024BFF970000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3732-369-0x000002286F210000-0x000002286F220000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3732-284-0x00007FFBCC0D0000-0x00007FFBCCABC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/3732-287-0x000002286F210000-0x000002286F220000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3732-296-0x000002286F210000-0x000002286F220000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3732-376-0x00007FFBCC0D0000-0x00007FFBCCABC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/3732-338-0x000002286F210000-0x000002286F220000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4388-266-0x0000000140000000-0x0000000140647000-memory.dmp

                        Filesize

                        6.3MB

                        Download

                      • memory/4388-112-0x0000000140000000-0x0000000140647000-memory.dmp

                        Filesize

                        6.3MB

                        Download

                      • memory/4388-218-0x0000000140000000-0x0000000140647000-memory.dmp

                        Filesize

                        6.3MB

                        Download

                      • memory/4388-219-0x0000000036B10000-0x000000003700C000-memory.dmp

                        Filesize

                        5.0MB

                        Download

                      • memory/4496-107-0x0000000140000000-0x0000000140647000-memory.dmp

                        Filesize

                        6.3MB

                        Download

                      • memory/4496-113-0x0000000140000000-0x0000000140647000-memory.dmp

                        Filesize

                        6.3MB

                        Download

                      • memory/4496-0-0x0000000140000000-0x0000000140647000-memory.dmp

                        Filesize

                        6.3MB

                        Download

                      • memory/4512-513-0x00000259FDDC0000-0x00000259FDDD0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4512-265-0x0000000140000000-0x000000014015E400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/4512-386-0x0000000140000000-0x000000014015E400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/4512-270-0x0000000140000000-0x000000014015E400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/4512-511-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/4512-267-0x0000000140000000-0x000000014015E400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/4512-268-0x0000000140000000-0x000000014015E400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/4512-269-0x0000000140000000-0x000000014015E400-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/4576-12-0x0000029977BE0000-0x0000029977BF0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4576-13-0x0000029977B60000-0x0000029977B82000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/4576-93-0x0000029977BE0000-0x0000029977BF0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4576-99-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/4576-6-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/4576-45-0x0000029977BE0000-0x0000029977BF0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4576-20-0x0000029977D70000-0x0000029977DE6000-memory.dmp

                        Filesize

                        472KB

                        Download

                      • memory/4576-14-0x0000029977BE0000-0x0000029977BF0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/5024-361-0x000001E01A780000-0x000001E01A790000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/5024-276-0x000001E01A780000-0x000001E01A790000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/5024-277-0x000001E01A780000-0x000001E01A790000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/5024-273-0x00007FFBCC0D0000-0x00007FFBCCABC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/5024-375-0x00007FFBCC0D0000-0x00007FFBCCABC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/5024-302-0x000001E01A780000-0x000001E01A790000-memory.dmp

                        Filesize

                        64KB

                        Download