Overview

overview

10

Static

static

3

download.exe

windows10-1703-x64

10

download.exe

windows7-x64

1

download.exe

windows10-2004-x64

10

download.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1195s
  • max time network
    1198s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-06-2024 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    download.exe

  • Size

    88KB

  • MD5

    94c73dc6cc79de28524a82f04adc7c6b

  • SHA1

    8ce1411adede8a1485ad718160ef01c7a22634de

  • SHA256

    40596da4af2b1b0387147484d112423d317e2fd41cd19bb1b63d2f8429bacee4

  • SHA512

    820b38de02b00668b24e6dc0510f632a7648bd1e647f5a9ee0c7d8bd8b86a49b55db72e1cfa2eff0337dc30d6b1cb45af1f904a9105715618d410ff56841d041

  • SSDEEP

    768:+CIFqF93IfXwXbOfq1okh8BBEjpaPWfu/WYat7PTXDvt976xrXu5Me0:+C4qF9pbOAh8B+Bfu+YaZTXTt97KruM

Score
10/10
umbralxwormexecutionransomwareratspywarestealertrojan

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\download.exe
    "C:\Users\Admin\AppData\Local\Temp\download.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\luq0g1qf\luq0g1qf.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4249.tmp" "c:\Users\Admin\AppData\Local\Temp\luq0g1qf\CSC32683A2E39B844F5958882D66EA22217.TMP"
        3⤵
          PID:332
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN Updatew /TR C:\Users\Admin\150F4013\temp\run.cmd /RL HIGHEST /F
        2⤵
        • Creates scheduled task(s)
        PID:1352
      • C:\Users\Admin\150F4013\remote.exe
        "C:\Users\Admin\150F4013\remote.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4576
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /run /TN Update
          3⤵
            PID:3744
        • C:\Users\Admin\AppData\Local\Temp\skid.exe
          "C:\Users\Admin\AppData\Local\Temp\skid.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:768
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\skid.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1448
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4128
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:888
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" os get Caption
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:240
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" computersystem get totalphysicalmemory
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4352
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            3⤵
              PID:3968
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2700
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              3⤵
              • Detects videocard installed
              PID:2072
        • C:\Windows\System32\svchost‌.exe
          C:\Windows\System32\svchost‌.exe
          1⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\svchost‌.exe'
            2⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2176
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost‌.exe'
            2⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:4456
          • C:\Windows\System32\svchost‌.exe
            "C:\Windows\System32\svchost‌.exe"
            2⤵
            • Executes dropped EXE
            • Sets desktop wallpaper using registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2572
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\svchost‌.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2228
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost‌.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4512
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
              3⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:3436
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd9dcf3cb8,0x7ffd9dcf3cc8,0x7ffd9dcf3cd8
                4⤵
                  PID:1260
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,5816244621660989266,16799170560809964524,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1996 /prefetch:2
                  4⤵
                    PID:2272
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,5816244621660989266,16799170560809964524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2080
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,5816244621660989266,16799170560809964524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
                    4⤵
                      PID:2956
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,5816244621660989266,16799170560809964524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1
                      4⤵
                        PID:1612
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,5816244621660989266,16799170560809964524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3232 /prefetch:8
                        4⤵
                          PID:3000
                        • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,5816244621660989266,16799170560809964524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
                          4⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:416
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2004,5816244621660989266,16799170560809964524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
                          4⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:788
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,5816244621660989266,16799170560809964524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
                          4⤵
                            PID:4652
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,5816244621660989266,16799170560809964524,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
                            4⤵
                              PID:4984
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,5816244621660989266,16799170560809964524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
                              4⤵
                                PID:4464
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,5816244621660989266,16799170560809964524,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
                                4⤵
                                  PID:3680
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,5816244621660989266,16799170560809964524,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5376 /prefetch:2
                                  4⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3692
                          • C:\Windows\System32\svchost‌.exe
                            C:\Windows\System32\svchost‌.exe
                            1⤵
                            • Executes dropped EXE
                            PID:4668
                          • C:\Windows\System32\svchost‌.exe
                            C:\Windows\System32\svchost‌.exe
                            1⤵
                            • Executes dropped EXE
                            PID:3664
                          • C:\Windows\System32\svchost‌.exe
                            C:\Windows\System32\svchost‌.exe
                            1⤵
                            • Executes dropped EXE
                            PID:2384
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2328
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1948
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                PID:4488
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                PID:4192
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                PID:2608
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                PID:1600
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                PID:4576
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                PID:2532
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                PID:756
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                PID:1020
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                PID:1460
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                PID:4624
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                PID:3124
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                PID:3768
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of SetWindowsHookEx
                                PID:4856
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\svchost‌.exe'
                                  2⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:4792
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost‌.exe'
                                  2⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:4772
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of SetWindowsHookEx
                                PID:2584
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\svchost‌.exe'
                                  2⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3160
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost‌.exe'
                                  2⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:4712
                              • C:\Windows\System32\svchost‌.exe
                                C:\Windows\System32\svchost‌.exe
                                1⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of SetWindowsHookEx
                                PID:1632
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\svchost‌.exe'
                                  2⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3492
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost‌.exe'
                                  2⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3132

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\150F4013\remote.exe
                                Filesize

                                258KB

                                MD5

                                5b361316509f8f3194eb12dd8b741c6c

                                SHA1

                                e98492f076095a6f323e80277ad55bc0639406aa

                                SHA256

                                2c94d9e87ad5c843048c4a09c3733b1d0326f3b5ce6a40e7b964f45034011dd4

                                SHA512

                                8b22c6147703bc05f3405db877061d64642a3353661c7893482e9c8c897453e1edde3a39abdcda18ed50c296a520efb1430a2a0a7c1d119de363d72bb360abd0

                                Download Submit

                              • C:\Users\Admin\150F4013\temp\run.cmd
                                Filesize

                                230B

                                MD5

                                414df6503c9c035562085abea409a80a

                                SHA1

                                2eaaea0bc22b4fc6ad05c0acc0612ca3c72cb21d

                                SHA256

                                13a32b30bbbdca31954c5090e4cd5f191635dd6316f9f9669613865cb713eacb

                                SHA512

                                6c7dee2462193bda3176fce634e642302c1e14b7329eb4408dc26b1a0d7e57a81f3cc5f143371691f6d3803cb66bd35035184d5df4dee8798b22e478e4966e09

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                Filesize

                                2KB

                                MD5

                                627073ee3ca9676911bee35548eff2b8

                                SHA1

                                4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                SHA256

                                85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                SHA512

                                3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost‌.exe.log
                                Filesize

                                1KB

                                MD5

                                f1e0735a4f9fdd204b756c443a43caf0

                                SHA1

                                ee1c48e1686baca06e2068acd13b34055c18851d

                                SHA256

                                8fe7802963693519d4677b45307efbd2a07c57b972fa7ccc7078295748a3e7ae

                                SHA512

                                e8266d11e87391196b4cf71818b53f553005886dc02fd94e27b151626c87536683a30adb9cccb7d121ecc3a00c8ce0ccfb93e8f54dcbf39ba3b14902e0fbb80f

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                c1c7e2f451eb3836d23007799bc21d5f

                                SHA1

                                11a25f6055210aa7f99d77346b0d4f1dc123ce79

                                SHA256

                                429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800

                                SHA512

                                2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                3e8da23bfc0196c05b9012686584b15f

                                SHA1

                                fb1d19522a3010ed695e8cb21e86f40e6b18bac8

                                SHA256

                                3493fca835debd398989e95ff84d97aae8a3053ef158fc16e92fa028fb3e23b1

                                SHA512

                                85a1f3ddfc5d43f52bd19b26fdc934c3a63f52ef1b1e76daba1fb3fb9c121b01a59f0f58b03d1a7d6dc0a936f0c6daaba1d071832cbf43d0b5b9d212d699f18b

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                992d020117ddbcaaaf8d0081ecc656a6

                                SHA1

                                8b7c64d10554f5b404cb768c315a11cbd57eaf7a

                                SHA256

                                8681ad36ec938c4f6131f8af7973f54157ec09724fdc2d71b971bb407d350409

                                SHA512

                                e155a9a3e94d0ba6b79af08f04edc2775efb5facab870dfc8db8870b694409ad423a710019afe4cbdfb39f2e902b73cb3b3b8804ae9c19f6cfbf223173f00023

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                Filesize

                                16B

                                MD5

                                46295cac801e5d4857d09837238a6394

                                SHA1

                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                SHA256

                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                SHA512

                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                Filesize

                                16B

                                MD5

                                206702161f94c5cd39fadd03f4014d98

                                SHA1

                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                SHA256

                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                SHA512

                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                Filesize

                                11KB

                                MD5

                                68f01d33c72e6bb0d531c429a90dd90a

                                SHA1

                                03b0e105b0cbbf007b5e9297b219adcdb353b01d

                                SHA256

                                277d3f95d60187e5fb235d657c70f2c56d30a9e6bda9230051a7509a57b10332

                                SHA512

                                0eb1224e8ebeb7c2db81ed76a5e31dbcffdd3c1d616de5ee6fbbf7331d709ac1379a19274cbda7d076fe944ce55ffd296e794e2ebd9af96a33f77a06fe4da122

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                1KB

                                MD5

                                7332074ae2b01262736b6fbd9e100dac

                                SHA1

                                22f992165065107cc9417fa4117240d84414a13c

                                SHA256

                                baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

                                SHA512

                                4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                1KB

                                MD5

                                63e54ca6551a4a091cca75d55e9122b2

                                SHA1

                                7afd34b6d2008fec2a36d984d535aea7406a66ce

                                SHA256

                                e263f5f17c235debb019644319a773d5feabd2f80fdb3d7783762ba572fe875b

                                SHA512

                                22e332795de470945a1864cfe32e90cd993554cf139467610abdb20b1608c2a7e0177f001b2b6f0032daa780980207943b6e1e4f0960e0576a1aea76fd1dd13e

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                249bae35812033e47f43f84e9faafe65

                                SHA1

                                3957e3ce3aca6eb02186dd4128d7603d0f1f8fc8

                                SHA256

                                29f830b2d505fdbb9cddd0496b8aa4f23a47411426bea9c0b03b7c49096697a5

                                SHA512

                                a2c2fd3b6a3657aa6aca58fdfd568cbb4cb98668445584dae6ef9a5e4f87276507725e96f467788164b4d90014aedc0e23bb2bba011fd69b9e67b3e50e0d3128

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                64B

                                MD5

                                d1a79640b4fbfefe2173b565a2aed3af

                                SHA1

                                faba0a328aaa9578c787bcf082fb992fe399d2f9

                                SHA256

                                a4fb105e4bc4a88f5602481a094b7eac39bb5ed58358630a3ffee0c550ea9afe

                                SHA512

                                dce1d0e09d0edc99b4ae8abdfe52ec1901fd4a6071e437afb7d230644b6ecf6ce197f3c87ab09543bae7be175c0d0e909d5dccfd5118b2e2060cd3bee7e64575

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                fcbfea2bed3d0d2533fe957f0f83e35c

                                SHA1

                                70ca46e89e31d8918c482848cd566090aaffd910

                                SHA256

                                e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

                                SHA512

                                d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                4a7f03a7ad1cae046d8ceac04256e5ae

                                SHA1

                                ef0bf767c91cba32b33c0b48f74f5eb153ae43d3

                                SHA256

                                e8aa3162f519e3670b0fc79dfbeeca68ea2b65a17900cf3aafc6a48de3296d60

                                SHA512

                                382a91848be121734bce9f533bcb4747e5f21db5b1ea5dfc8cc567005f5be0f1dcc73a55516b83feb931cdc90601ed4d36fb890687f08e1056ff98da2365f01d

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                4914eb0b2ff51bfa48484b5cc8454218

                                SHA1

                                6a7c3e36ce53b42497884d4c4a3bda438dd4374b

                                SHA256

                                7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

                                SHA512

                                83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                1189a72e42e2321edf1ed3a8d5568687

                                SHA1

                                a2142fc754d6830de107d9d46f398483156f16a6

                                SHA256

                                009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea

                                SHA512

                                b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                b0a85f07903eaad4aace8865ff28679f

                                SHA1

                                caa147464cf2e31bf9b482c3ba3c5c71951566d1

                                SHA256

                                c85c7915e0bcc6cc3d7dd2f6b9d9e4f9a3cf0ccefa043b1c500facac8428bfd5

                                SHA512

                                7a650a74a049e71b748f60614723de2b9d2385a0f404606bcb22ae807e22a74c53cf672df9e7a23605dfff37865443a5899eafea323134a818eb59c96e0f94bd

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                8bedab8202e050da3e13e02fab6274cb

                                SHA1

                                7701c354dc8b4800dd08bd19364a077cdb06a38c

                                SHA256

                                7bbaea5bbe608dca85ec8e43168d337e8cd7699c8574b448885c6431a9fdb8e7

                                SHA512

                                7a4fc3af42a90fc95373f39e590c3553d3c0f56de0e5b432d57f5763ede7c24a157214208a8463ed5f613c7f699bd37e5ef90090671090b80b5430335cf4bf89

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                b9b360b86f321509992675cbbb2c25f5

                                SHA1

                                c0dc0f9c0558894eaf0c3769d6381f85c45faa88

                                SHA256

                                9dcf8030e8774487863580166d2124101c8691de2e2d7f4a4be3cadd810237c2

                                SHA512

                                375949cd016ea6df701949dab08173e340f25141b7ca067d2baa98ce3c0b3e48b920bb7f2c59cdd4ab8a2c5d3b59cd38f241ea312aef145daef60dec03378af5

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                d0a4a3b9a52b8fe3b019f6cd0ef3dad6

                                SHA1

                                fed70ce7834c3b97edbd078eccda1e5effa527cd

                                SHA256

                                21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

                                SHA512

                                1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                948B

                                MD5

                                fa21dd50b4e64421076f843031c8ccf7

                                SHA1

                                2c56e94f130c0d8d77116e939ffee4e37cf982bd

                                SHA256

                                e4f21aca1e12aafa8de7af24b79a75526e902c7d4b3fea5bdb6e723976997be3

                                SHA512

                                b8de2bfeb7af06c587dd1f424d410cf83471f31a55a3ea4c4481ce07ffd9bf66ddc1f7775ecd6ac65ac33baaec90ba5a208a9aefc84f31125a50dfb919982687

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\RES4249.tmp
                                Filesize

                                1KB

                                MD5

                                55bf4de8cb23a96c6e7123398db7a6ed

                                SHA1

                                cb91286dfd2ac92bc176c90fff5b5161b2b0140f

                                SHA256

                                6b6fd2ca69c1c2e343595a87bfd5cf250a80d9abc65d632e15e1f4e6edf67398

                                SHA512

                                8d15f5208ad530ce715c823bdcf80782749d80baed459d0d0a930c288b96bae2502c967eb812e62f308119c6df6c5cc31592207e897898ec75e4dd7a28f16fe4

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55afj1by.tmv.ps1
                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\luq0g1qf\luq0g1qf.dll
                                Filesize

                                3KB

                                MD5

                                b647026748a118b75db2a764afa1e055

                                SHA1

                                f71eb260ea2a452731227bca32827a53b913756f

                                SHA256

                                64fea59c7a4a9e2a620c3ce13cf874099b4aa96858f5b2468fcb6224a84a42b3

                                SHA512

                                c315bb8dd1ee5d8eaeccf2d12bdf602437dc656b9fe6fbb1ae4f666e96601ec4b4deb21e4fd4d18e68ecd04486baf9499eb64fc6fe2847d20c1d1ad29acc4a0b

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\skid.exe
                                Filesize

                                229KB

                                MD5

                                1adeea63d576dea9add98e01e9fe78b4

                                SHA1

                                8f754fd661d9ce2e9e9a7278b4dd7096b13fc585

                                SHA256

                                5a2904a05d5d2f5d3d3ef44bdf54e74341ae9b54ba5f6545b37acf187eec4f84

                                SHA512

                                0ba3c5555273a15c5406f0bd1b5f1a3888814bdbb4130f80eae1f973497c4e5d81a92ed0797a55316b358a42a955fe44f476d1e0e90c15211dc30f4dd20c58cb

                                Download Submit

                              • C:\Users\Admin\Desktop\How To Decrypt My Files.html
                                Filesize

                                621B

                                MD5

                                2c6e511719c3d8bd7713d82c7bd3505f

                                SHA1

                                9aeff9fb080890557136a3a75c0688d23092de1f

                                SHA256

                                145008816a1f9eb9e0a49f56a65099dc541c941e92b65beb52d99698baf2e69f

                                SHA512

                                5533c2b6392dca8cdb707512d86f465a692c8f46b0ae2eb1d208198cfe08dcc7b7281a389282e1b106cd565ea5d60fb0ae5651608dc06857cac26c2af181755a

                                Download Submit

                              • C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC
                                Filesize

                                16B

                                MD5

                                b044c773336313b711fc64696c3cae56

                                SHA1

                                b197062e6b8eec66366e296a6b8541f21df4557a

                                SHA256

                                089ade10c6bcebde6ac13da466b2550e336e61242f85715fffc59632ef3778f9

                                SHA512

                                9f2631475eb87e986ce64659ea079b3a4a369c5ed293e4896b45a475586a2d7a584ed97ade43a47881b446b09003c9edd458b186acf44bc7a54e396a31d1abd5

                                Download Submit

                              • C:\Windows\System32\svchost‌.exe
                                Filesize

                                75KB

                                MD5

                                4215e3706e043c0af260e1a19ee77b08

                                SHA1

                                fed96918f57562492f5c6c9a4630ffaaedeb587b

                                SHA256

                                be9f90f035ff41d59d5579c507eef589daad57aa749128f88df76ca7d858a488

                                SHA512

                                38e946bf7692fa9ef6fd078853f2b2e21d3034f43b109c9de86c61020533f8cd557df8721e1b5b6e907762c2e83422a6d98999a109b9876cc6590422d3bb0733

                                Download Submit

                              • \??\c:\Users\Admin\AppData\Local\Temp\luq0g1qf\CSC32683A2E39B844F5958882D66EA22217.TMP
                                Filesize

                                652B

                                MD5

                                72df70869000da1b6aac1d8e079cebd7

                                SHA1

                                39ce3301b5da430959f7b5cb521580b3e5985809

                                SHA256

                                39b9923aabcd434ef657b30c2a93e56a25d153e6d81bfc53f70113a6697cf8d6

                                SHA512

                                d922f0671b796fbaaa0a38ec86a48ab4cb9df05029d66e1c9d5d51a4c6863822fdbf610b593c25f6c99a8ed7a8be078be44c3ce551f810b6287b0ec5fbe06d4c

                                Download Submit

                              • \??\c:\Users\Admin\AppData\Local\Temp\luq0g1qf\luq0g1qf.0.cs
                                Filesize

                                260B

                                MD5

                                c693814f693e6bcc3e3fc8c329045ebf

                                SHA1

                                2a0cb4b246ec0dd4180d3a16336564078eae7a37

                                SHA256

                                c8f0ea4dc2b29ed53ac9dbdcf0ce45263a1719a7232b1affdd9825ee0c775651

                                SHA512

                                593b5db1257228119d52f46da6bd433c14f23e0cd3414395ad442121f88a703f02352e29b7a38f666844c3a89239c23c54f7002b3ab04682ee74ae1792888d9b

                                Download Submit

                              • \??\c:\Users\Admin\AppData\Local\Temp\luq0g1qf\luq0g1qf.cmdline
                                Filesize

                                369B

                                MD5

                                754f90991aa5de27915be94576ce679b

                                SHA1

                                17469427c7dea64bafeaef38de50730c358aac20

                                SHA256

                                d417e3b4cd4de866be05ff71c3709fb6bfc39a1ac83373c55ef313ee8fab86e8

                                SHA512

                                cbcfcf9f165afb9dc447e8f646668a193fd1fa1b6f24401e6d61ef12b47ae570c86b0147de057291bfa486e116ee09720fa2d5f2bef10fa22935324efde38c68

                                Download Submit

                              • memory/768-118-0x00000261EC3E0000-0x00000261EC3EA000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/768-60-0x00000261EA6D0000-0x00000261EA710000-memory.dmp

                                Filesize

                                256KB

                                Download

                              • memory/768-82-0x00000261ECF60000-0x00000261ECFD6000-memory.dmp

                                Filesize

                                472KB

                                Download

                              • memory/768-83-0x00000261ECEE0000-0x00000261ECF30000-memory.dmp

                                Filesize

                                320KB

                                Download

                              • memory/768-84-0x00000261EC520000-0x00000261EC53E000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/768-119-0x00000261ECD90000-0x00000261ECDA2000-memory.dmp

                                Filesize

                                72KB

                                Download

                              • memory/816-12-0x00007FFDA2570000-0x00007FFDA3032000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/816-27-0x00007FFDA2573000-0x00007FFDA2575000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/816-153-0x00007FFDA2570000-0x00007FFDA3032000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/816-158-0x00007FFDA2570000-0x00007FFDA3032000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/816-30-0x00007FFDA2570000-0x00007FFDA3032000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/816-1-0x0000000000310000-0x000000000032C000-memory.dmp

                                Filesize

                                112KB

                                Download

                              • memory/816-0-0x00007FFDA2573000-0x00007FFDA2575000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/816-10-0x000000001AF00000-0x000000001AF22000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/816-11-0x00007FFDA2570000-0x00007FFDA3032000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/816-28-0x00007FFDA2570000-0x00007FFDA3032000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/816-25-0x000000001CE20000-0x000000001CE28000-memory.dmp

                                Filesize

                                32KB

                                Download

                              • memory/1760-160-0x000000001CF30000-0x000000001D0B8000-memory.dmp

                                Filesize

                                1.5MB

                                Download

                              • memory/1760-48-0x0000000000540000-0x000000000055A000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/1760-159-0x000000001C120000-0x000000001C12C000-memory.dmp

                                Filesize

                                48KB

                                Download

                              • memory/2572-187-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

                                Filesize

                                48KB

                                Download

                              • memory/4576-42-0x0000000000F60000-0x0000000000FA6000-memory.dmp

                                Filesize

                                280KB

                                Download