Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

64e589ec7b...ab.exe

windows11-21h2-x64

1

64e589ec7b...ab.exe

windows7-x64

8

64e589ec7b...ab.exe

windows10-1703-x64

8

64e589ec7b...ab.exe

windows10-2004-x64

8

64e589ec7b...ab.exe

windows11-21h2-x64

1

Resubmissions

17/04/2024, 12:37

240417-pths4afc45 8

17/04/2024, 12:37

240417-ptg7kafc43 8

17/04/2024, 12:36

240417-ptcbbafc34 8

17/04/2024, 12:36

240417-ptbpsafc29 8

17/04/2024, 12:36

240417-pta39afc28 8

16/04/2024, 13:44

240416-q1vxnsda7z 8

Analysis

  • max time kernel
    1799s
  • max time network
    1801s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe

  • Size

    5.3MB

  • MD5

    63552c60caeefe5f2d0e4028b3cc65d3

  • SHA1

    dbed3040d53495a6afda01bfb8399376792eb48c

  • SHA256

    64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab

  • SHA512

    caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0

  • SSDEEP

    98304:vwrOjNr08jQxkFg97Nw76XgfqCPa1AQy2cmw:YC5r0wQxKg97Nw76XgyC6

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 22 IoCs
    evasion
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops file in System32 directory 30 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
    "C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4240
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:2680
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1328
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3160
      • C:\Users\Admin\AppData\Local\Temp\~tl15E.tmp
        C:\Users\Admin\AppData\Local\Temp\~tl15E.tmp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\SYSTEM32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
            PID:2220
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:380
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:448
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1120
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2012
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
              PID:1352
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:4444
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:856
              • C:\Windows\SYSTEM32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                5⤵
                  PID:4952
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:4172
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:4784
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:992
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3576
                • C:\Users\Admin\AppData\Local\Temp\~tlE0C1.tmp
                  C:\Users\Admin\AppData\Local\Temp\~tlE0C1.tmp
                  5⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2396
                  • C:\Windows\SYSTEM32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    6⤵
                      PID:1008
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:2980
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:1040
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2516
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1524
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4348
            • C:\Windows\system32\netsh.exe
              netsh int ipv4 set dynamicport tcp start=1025 num=64511
              2⤵
                PID:2996
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                2⤵
                • Modifies Windows Firewall
                PID:4584
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                2⤵
                • Modifies Windows Firewall
                PID:4476
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:876
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4860
              • C:\Windows\TEMP\~tl9095.tmp
                C:\Windows\TEMP\~tl9095.tmp
                2⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:3360
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  3⤵
                    PID:3296
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    3⤵
                    • Modifies Windows Firewall
                    PID:5052
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    3⤵
                    • Modifies Windows Firewall
                    PID:4076
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    3⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2044
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    3⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3776
              • \??\c:\windows\system\svchost.exe
                c:\windows\system\svchost.exe
                1⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                PID:3904
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  2⤵
                    PID:4808
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    2⤵
                    • Modifies Windows Firewall
                    PID:3588
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    2⤵
                    • Modifies Windows Firewall
                    PID:2500
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    2⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4900
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    2⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4704
                  • C:\Windows\TEMP\~tlF83B.tmp
                    C:\Windows\TEMP\~tlF83B.tmp
                    2⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4684
                    • C:\Windows\system32\netsh.exe
                      netsh int ipv4 set dynamicport tcp start=1025 num=64511
                      3⤵
                        PID:3396
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        3⤵
                        • Modifies Windows Firewall
                        PID:3620
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        3⤵
                        • Modifies Windows Firewall
                        PID:2384
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                        3⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1360
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                        3⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3348
                  • \??\c:\windows\system\svchost.exe
                    c:\windows\system\svchost.exe
                    1⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Drops file in Windows directory
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1580
                    • C:\Windows\system32\netsh.exe
                      netsh int ipv4 set dynamicport tcp start=1025 num=64511
                      2⤵
                        PID:2564
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        2⤵
                        • Modifies Windows Firewall
                        PID:372
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        2⤵
                        • Modifies Windows Firewall
                        PID:1760
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                        2⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4148
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                        2⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4548
                      • C:\Windows\TEMP\~tl606E.tmp
                        C:\Windows\TEMP\~tl606E.tmp
                        2⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3044
                        • C:\Windows\system32\netsh.exe
                          netsh int ipv4 set dynamicport tcp start=1025 num=64511
                          3⤵
                            PID:1440
                          • C:\Windows\System32\netsh.exe
                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                            3⤵
                            • Modifies Windows Firewall
                            PID:4484
                          • C:\Windows\System32\netsh.exe
                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                            3⤵
                            • Modifies Windows Firewall
                            PID:2776
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                            3⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3908
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                            3⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1768
                      • \??\c:\windows\system\svchost.exe
                        c:\windows\system\svchost.exe
                        1⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Drops file in Windows directory
                        PID:1792
                        • C:\Windows\system32\netsh.exe
                          netsh int ipv4 set dynamicport tcp start=1025 num=64511
                          2⤵
                            PID:1044
                          • C:\Windows\System32\netsh.exe
                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                            2⤵
                            • Modifies Windows Firewall
                            PID:3280
                          • C:\Windows\System32\netsh.exe
                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                            2⤵
                            • Modifies Windows Firewall
                            PID:4512
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                            2⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4912
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                            2⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3332
                          • C:\Windows\TEMP\~tlC768.tmp
                            C:\Windows\TEMP\~tlC768.tmp
                            2⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            PID:2064
                            • C:\Windows\system32\netsh.exe
                              netsh int ipv4 set dynamicport tcp start=1025 num=64511
                              3⤵
                                PID:588
                              • C:\Windows\System32\netsh.exe
                                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                3⤵
                                • Modifies Windows Firewall
                                PID:4416
                              • C:\Windows\System32\netsh.exe
                                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                3⤵
                                • Modifies Windows Firewall
                                PID:2568
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                3⤵
                                • Drops file in System32 directory
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:740
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                                3⤵
                                • Drops file in System32 directory
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3200

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                            Filesize

                            2KB

                            MD5

                            d85ba6ff808d9e5444a4b369f5bc2730

                            SHA1

                            31aa9d96590fff6981b315e0b391b575e4c0804a

                            SHA256

                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                            SHA512

                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            22310ad6749d8cc38284aa616efcd100

                            SHA1

                            440ef4a0a53bfa7c83fe84326a1dff4326dcb515

                            SHA256

                            55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

                            SHA512

                            2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            d8cb3e9459807e35f02130fad3f9860d

                            SHA1

                            5af7f32cb8a30e850892b15e9164030a041f4bd6

                            SHA256

                            2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

                            SHA512

                            045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            34f595487e6bfd1d11c7de88ee50356a

                            SHA1

                            4caad088c15766cc0fa1f42009260e9a02f953bb

                            SHA256

                            0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

                            SHA512

                            10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            d28a889fd956d5cb3accfbaf1143eb6f

                            SHA1

                            157ba54b365341f8ff06707d996b3635da8446f7

                            SHA256

                            21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                            SHA512

                            0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            47605a4dda32c9dff09a9ca441417339

                            SHA1

                            4f68c895c35b0dc36257fc8251e70b968c560b62

                            SHA256

                            e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

                            SHA512

                            b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1wpxkf0c.t1t.ps1
                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\~tl15E.tmp
                            Filesize

                            385KB

                            MD5

                            e802c96760e48c5139995ffb2d891f90

                            SHA1

                            bba3d278c0eb1094a26e5d2f4c099ad685371578

                            SHA256

                            cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

                            SHA512

                            97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\~tlE0C1.tmp
                            Filesize

                            393KB

                            MD5

                            9dbdd43a2e0b032604943c252eaf634a

                            SHA1

                            9584dc66f3c1cce4210fdf827a1b4e2bb22263af

                            SHA256

                            33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

                            SHA512

                            b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
                            Filesize

                            2.6MB

                            MD5

                            e7634067c1219da664e2c13a622988bf

                            SHA1

                            b354b3912ec59fefecdaa660af50c679b136b6ca

                            SHA256

                            e1f51b61149b811c5029caaa39ddf54faa18fcd18bbcf432155ad324fbc0fdb7

                            SHA512

                            b61ea1448ec13e88c66e043c0f99d95a2626e631841bec0b0e2e1dd6cbbcb8f8587d414f3ad32794ccdadf7c763910ed844220684f3edc71109f47fe4353c944

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
                            Filesize

                            14.8MB

                            MD5

                            87460ced82b8fbf7a8f394d549fb8cf7

                            SHA1

                            169e8a2b7f8a4eac0a0bcba5f4b0d2645e77ad4a

                            SHA256

                            07a01ea3342c2d0416ebf6346f18aa04b005e30953e38c6fd182b6d5bd93becb

                            SHA512

                            9ddf08134d8851f3e8a14bce317992630e194bc02b7be8b46fd5b28ef11d2a8d8081dbd284245d04d3a7c6d3939dae4e9eb91c667ce2c62ead930002d08e369a

                            Download Submit

                          • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg
                            Filesize

                            393KB

                            MD5

                            72e28e2092a43e0d70289f62bec20e65

                            SHA1

                            944f2b81392ee946f4767376882c5c1bda6dddb5

                            SHA256

                            6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f

                            SHA512

                            31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466

                            Download Submit

                          • C:\Windows\System\svchost.exe
                            Filesize

                            5.3MB

                            MD5

                            63552c60caeefe5f2d0e4028b3cc65d3

                            SHA1

                            dbed3040d53495a6afda01bfb8399376792eb48c

                            SHA256

                            64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab

                            SHA512

                            caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                            Filesize

                            4KB

                            MD5

                            bdb25c22d14ec917e30faf353826c5de

                            SHA1

                            6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

                            SHA256

                            e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

                            SHA512

                            b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            1KB

                            MD5

                            54c816b7583d22f96cd0ee351a4189ca

                            SHA1

                            83e9a8914a287e5865481c2c841973bc062559c7

                            SHA256

                            633d0997831c4dcac75aded02766cf1fbd52e01681762de4cb5f73be467e89b0

                            SHA512

                            af0546cb9ebbdaa67a9e27f920678499208fc69141f582e029e664b7aeafedf27297b934f117e1dc5b83172fedb178c439abdc56111c4084d4a39d7835c548c4

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            855B

                            MD5

                            58dd25f0d7f432aa9be1cd89e5f7f1b8

                            SHA1

                            c98febbfd07b5b067b9ddd322b1dd99ce07f81be

                            SHA256

                            14d1c3ccafc6a14acfcda633136849173b973601bbad5dd0f5fb7fec989b575c

                            SHA512

                            3c80009237b6f6893b2f48fc7c1ccb5dced44fe7535b1b79aeaec4e62f3d602065bae821bd556ede0a4f7eadb2bec77dfbcc2643302b37c50a69d4d897a197ca

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            1KB

                            MD5

                            7e428aea1e8381e89378ab3addbcf298

                            SHA1

                            5d3854328868b928a07681e749117d6f100b94e4

                            SHA256

                            fcec6e8957187a65bb03233f86174a1b38be96dad3e7091afe02c665ee025bb8

                            SHA512

                            4937f2824bd9f066342542065a9b7ee8de9667c839c5caa3b2eba3fe030ee9a2c77708cf773a3e916cde1ede8387756ee54eea64a5e60692c3d0e8aed21d2a2e

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            120B

                            MD5

                            cf40733164caa44bf40f8be96406aa11

                            SHA1

                            3431ccfc403a78a3afbf8085bf79a92562c978f2

                            SHA256

                            6089ab1685de318bc56da05100b83eb1ebb191c37bf4adf80fa8c5347ef4dc90

                            SHA512

                            2d39535149db6bf646cbe26857c8b536720906d4b5941ed4212a45213f67166d36cb89f04cee94049167ede06a767059f1bc235cf349bec1feaab23c045eb21a

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            1KB

                            MD5

                            b42c70c1dbf0d1d477ec86902db9e986

                            SHA1

                            1d1c0a670748b3d10bee8272e5d67a4fabefd31f

                            SHA256

                            8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

                            SHA512

                            57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            796B

                            MD5

                            96c80f70ddba083aca13d8962434aad2

                            SHA1

                            5371d33807844f86022d89bb8e3f1837421aa0cb

                            SHA256

                            7984387bca36d060a5822be86d48ccdbec8b2b15f3733eac78b2e1a13dbdb360

                            SHA512

                            74997e3a5825154b3b05636f237ded2bf4949636b5c3831e45f8d353cb38d2249b58d05b54f32e77e214b5c260b022e9e1bba6931909d995ff03a5e4735a2add

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            1KB

                            MD5

                            6714d2ce29e2b80c6ec82827abecc844

                            SHA1

                            c5316f2b4b4a073e25a694e20d7ee47441d459fc

                            SHA256

                            085cf746903ae4fe3be49a9ef382f64cc09d7cec88789f9c207c9e2886c53e9b

                            SHA512

                            93d8275ca299d01c41c4a1e7077c2a1c22e6a017962d3aab60411dfa59d05144f170a01eae278dad64da55f3dba57d2a2986d8bcbb4c48e018652f1b0dae90f7

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            1KB

                            MD5

                            877cbe19207b431000ab1f991bf8ca46

                            SHA1

                            16fefd70e50230c0a26cbb00cad1016ea7745d6c

                            SHA256

                            9d70a7dc15e248b27d6bf474b86ac4ec094cc2f0d043dd125036bc2d319d4c50

                            SHA512

                            91e6a97a69cbc727d7a97abc2abe44df32d0bfb509ceecabd9fbfd0208dbd659248e05f11abed60caeb84d6f12307255379be2a4db613703e2067044724a13fa

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            704B

                            MD5

                            81a04dc8645f2ffb60da43428e74cd45

                            SHA1

                            53c5b2813ada6c7ac6e31c6d8abcb566f60931d7

                            SHA256

                            3ed0969d331d0cfbecb663032d6ff4d52d7b53f22b1b14485ea183da88cde0ff

                            SHA512

                            a3150377b345bbceb9b18c110d8303d5e2d55eaf3b44c0a7decc33f5b5b3c01af44deedd3cdc9184cd782c2db893dddae662a647015a48631f1f3730382e6b2e

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            1KB

                            MD5

                            c760880d6bc08cda4e37517b962c15c8

                            SHA1

                            f5ffa613e2160452ec84b89fe7a1d2fb5a1c1c12

                            SHA256

                            19a17a4c2670d8b8d6b08f4f8e07f3cc87c0c42634f0dbccc26f035185b56396

                            SHA512

                            4f7a4fa10f47a7bf3a7159e54e3c3dc89d0e950e8ef58cf34dda0f960916a4a5aee6adf3ba342326a591e34f7cbb03404700bb3578edb1fee3be1f439ae76ea0

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            1KB

                            MD5

                            a3af6b6752764b70e843397de266e5e5

                            SHA1

                            067a680a02a8eab0ce869b9d7adcecde95668b33

                            SHA256

                            a6187a6b67113725ad9c54050be51232ee15408e6fac2b8a6166e87af04689c4

                            SHA512

                            de1e1af659dd1ebb18ca008ea3103f14b66396c7af2a0a73e999d05d5572cafbe1f84816e330953e2f4d136fecad983a03f747480c9ddb92895204b34fe232e2

                            Download Submit

                          • memory/856-226-0x0000000140000000-0x000000014015E400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/856-186-0x0000000140000000-0x000000014015E400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/856-188-0x0000000140000000-0x000000014015E400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/876-340-0x000002AE659F0000-0x000002AE65A0C000-memory.dmp

                            Filesize

                            112KB

                            Download

                          • memory/876-302-0x00007FFD61CB0000-0x00007FFD62771000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/876-303-0x000002AE65330000-0x000002AE65340000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/876-304-0x000002AE65330000-0x000002AE65340000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/876-327-0x000002AE657D0000-0x000002AE65885000-memory.dmp

                            Filesize

                            724KB

                            Download

                          • memory/876-326-0x00007FF487760000-0x00007FF487770000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/876-325-0x000002AE657B0000-0x000002AE657CC000-memory.dmp

                            Filesize

                            112KB

                            Download

                          • memory/876-339-0x000002AE65560000-0x000002AE6556A000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/992-199-0x0000016D61220000-0x0000016D61230000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/992-195-0x00007FFD61B30000-0x00007FFD625F1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/992-214-0x00007FFD61B30000-0x00007FFD625F1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1120-171-0x00007FFD61A50000-0x00007FFD62511000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1120-146-0x00007FFD61A50000-0x00007FFD62511000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1120-147-0x00000222FB6C0000-0x00000222FB6D0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/1328-84-0x00007FFD60D90000-0x00007FFD61851000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1328-56-0x00007FFD60D90000-0x00007FFD61851000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1328-57-0x00000144AACF0000-0x00000144AAD00000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/1524-243-0x000001D23B220000-0x000001D23B230000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/1524-257-0x00007FFD61B30000-0x00007FFD625F1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1524-242-0x000001D23B220000-0x000001D23B230000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/1524-241-0x00007FFD61B30000-0x00007FFD625F1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1980-13-0x00007FFD60D90000-0x00007FFD61851000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1980-38-0x00007FFD60D90000-0x00007FFD61851000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1980-18-0x0000027DB14F0000-0x0000027DB1500000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/1980-19-0x0000027DB14F0000-0x0000027DB1500000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/1980-7-0x0000027DB14C0000-0x0000027DB14E2000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/2012-159-0x000002454A8C0000-0x000002454A8D0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2012-174-0x00007FFD61A50000-0x00007FFD62511000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2012-160-0x000002454A8C0000-0x000002454A8D0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2012-158-0x00007FFD61A50000-0x00007FFD62511000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2396-259-0x0000000140000000-0x0000000140170400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/2396-260-0x0000000140000000-0x0000000140170400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/2396-225-0x0000000140000000-0x0000000140170400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/2396-228-0x0000000140000000-0x0000000140170400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/2396-227-0x0000000140000000-0x0000000140170400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/2396-229-0x0000000140000000-0x0000000140170400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/2516-254-0x00007FFD61B30000-0x00007FFD625F1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2516-230-0x00007FFD61B30000-0x00007FFD625F1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2528-54-0x0000000140000000-0x0000000140644400-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2528-129-0x0000000140000000-0x0000000140644400-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2528-86-0x0000000015540000-0x0000000015A3C000-memory.dmp

                            Filesize

                            5.0MB

                            Download

                          • memory/2528-101-0x0000000140000000-0x0000000140644400-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2528-141-0x0000000140000000-0x0000000140644400-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2528-134-0x0000000140000000-0x0000000140644400-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2528-55-0x0000000140000000-0x0000000140644400-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2568-143-0x0000000140000000-0x000000014015E400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/2568-187-0x0000000140000000-0x000000014015E400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/2568-144-0x0000000140000000-0x000000014015E400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/2568-140-0x0000000140000000-0x000000014015E400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/2568-145-0x0000000140000000-0x000000014015E400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/3160-85-0x00007FFD60D90000-0x00007FFD61851000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3160-80-0x0000012A6E750000-0x0000012A6E760000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3160-76-0x00007FFD60D90000-0x00007FFD61851000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3160-77-0x0000012A6E750000-0x0000012A6E760000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3160-78-0x0000012A6E750000-0x0000012A6E760000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3576-202-0x000001E76C730000-0x000001E76C740000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3576-201-0x00007FFD61B30000-0x00007FFD625F1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3576-203-0x000001E76C730000-0x000001E76C740000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3576-217-0x00007FFD61B30000-0x00007FFD625F1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3796-0-0x0000000140000000-0x0000000140644400-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/3796-6-0x0000000140000000-0x0000000140644400-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/3796-5-0x0000000140000000-0x0000000140644400-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/3796-4-0x0000000140000000-0x0000000140644400-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/3796-3-0x0000000140000000-0x0000000140644400-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/3796-49-0x0000000140000000-0x0000000140644400-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/4240-20-0x000001A769AC0000-0x000001A769AD0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4240-30-0x00007FFD60D90000-0x00007FFD61851000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4240-37-0x00007FFD60D90000-0x00007FFD61851000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4240-31-0x000001A769AC0000-0x000001A769AD0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4348-292-0x0000000140000000-0x000000014015E400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/4348-288-0x0000000140000000-0x000000014015E400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/4348-287-0x0000000140000000-0x000000014015E400-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/4860-343-0x0000018369590000-0x0000018369598000-memory.dmp

                            Filesize

                            32KB

                            Download

                          • memory/4860-344-0x00000183695C0000-0x00000183695C6000-memory.dmp

                            Filesize

                            24KB

                            Download

                          • memory/4860-342-0x00000183695E0000-0x00000183695FA000-memory.dmp

                            Filesize

                            104KB

                            Download

                          • memory/4860-341-0x0000018369580000-0x000001836958A000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/4860-337-0x00007FF4E4030000-0x00007FF4E4040000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4860-338-0x00000183508A0000-0x00000183508B0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4860-310-0x00007FFD61CB0000-0x00007FFD62771000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4860-311-0x00000183508A0000-0x00000183508B0000-memory.dmp

                            Filesize

                            64KB

                            Download