aurora | af28c04f796374b21521aeb2ea9c9c12b6f468d58ebe306838836dc5d9f16f8f

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-07-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
Size

21.3MB
MD5

416de11d210ae0ff50214021ff57b32b
SHA1

3142453c18080b83d8dbdeba89524beea1c94ff3
SHA256

72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850
SHA512

e1f061f99e9e4e42c21269a32c9f3cfa711a8a95caf7628637d5606ae7846fc73ae982b0ee78646026c41e5c1e61e21a15829967d2fed534070e3c40e2731e4c
SSDEEP

393216:TYTogFuaMaKQy6SSTMX3q7wLta40K3pNPS4n+yubbcEVPxEV+aqdvx1LB1x8NFN:TYT1Fu/6SSTMq+YK3Hx+3r5Np1FL8NF

Score

10^/10

aurora quasar redline sectoprat shurk xmrig cheat themdas discovery evasion execution infostealer miner persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

154.81.220.233:28105

Extracted

Family

quasar

Version

1.4.1

Botnet

themdas

auroraforge.art:55326

thesirenmika.com:55713

Mutex

0cbdfe7f-0215-41e8-a7b5-d4fbbc555089

Attributes

encryption_key
A730DFF691ED1723ED88E36A2C5E7ED5CCF91DD1
install_name
up2.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/1948-100-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/1948-99-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/1948-98-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/1948-95-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/1948-93-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018741-14.dat	family_redline
behavioral1/memory/2844-31-0x00000000001A0000-0x00000000001BE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018741-14.dat	family_sectoprat
behavioral1/memory/2844-31-0x00000000001A0000-0x00000000001BE000-memory.dmp	family_sectoprat

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001938e-35.dat	shurk_stealer
behavioral1/memory/2424-84-0x000000013FB20000-0x00000001413EF000-memory.dmp	shurk_stealer

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

description	pid	Process	procid_target
PID 2596 created 1124	2596	vlc.exe	20
PID 2596 created 1124	2596	vlc.exe	20
PID 2596 created 1124	2596	vlc.exe	20
PID 1688 created 1124	1688	svchost.exe	20
PID 1688 created 1124	1688	svchost.exe	20
PID 1688 created 1124	1688	svchost.exe	20
PID 1688 created 1124	1688	svchost.exe	20

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral1/memory/1688-126-0x000000013FD90000-0x000000014032A000-memory.dmp	xmrig
behavioral1/memory/2344-129-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2344-131-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2344-133-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2344-136-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2344-138-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2344-140-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2344-142-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2344-144-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2344-146-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2344-148-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2836	attrib.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe

Executes dropped EXE 7 IoCs

pid	Process
2728	AdobeUpdate.exe
2844	build.exe
2848	OneDrive.exe
2596	vlc.exe
2424	Aurora.exe
1252	Msedge.exe
1688	svchost.exe

Loads dropped DLL 9 IoCs

pid	Process
824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
1628	Process not Found
1388	cmd.exe
908	taskeng.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2872	icacls.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/824-54-0x0000000000990000-0x000000000245A000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Local\\Msedge.exe"	AdobeUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\OneDriveUpdate\\OneDrive Updater.exe"	powershell.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1944	powershell.exe
448	powershell.exe
584	powershell.exe

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1600	powercfg.exe
2472	powercfg.exe
1888	powercfg.exe
300	cmd.exe
1784	powercfg.exe
924	powercfg.exe
980	cmd.exe
352	powercfg.exe
1416	powercfg.exe
804	powercfg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2848 set thread context of 1948	2848	OneDrive.exe	52
PID 1688 set thread context of 876	1688	svchost.exe	75
PID 1688 set thread context of 2344	1688	svchost.exe	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2820	cmd.exe
2740	cmd.exe
2912	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2912	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2200	schtasks.exe
2924	schtasks.exe
1192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
1944	powershell.exe
2596	vlc.exe
2596	vlc.exe
2596	vlc.exe
2596	vlc.exe
448	powershell.exe
2596	vlc.exe
2596	vlc.exe
1688	svchost.exe
1688	svchost.exe
1688	svchost.exe
1688	svchost.exe
584	powershell.exe
1688	svchost.exe
1688	svchost.exe
1688	svchost.exe
1688	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2844	build.exe
Token: SeDebugPrivilege	1948	RegAsm.exe
Token: SeShutdownPrivilege	804	powercfg.exe
Token: SeShutdownPrivilege	1784	powercfg.exe
Token: SeShutdownPrivilege	924	powercfg.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeShutdownPrivilege	1600	powercfg.exe
Token: SeShutdownPrivilege	2472	powercfg.exe
Token: SeShutdownPrivilege	352	powercfg.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeShutdownPrivilege	1416	powercfg.exe
Token: SeShutdownPrivilege	1888	powercfg.exe
Token: SeLockMemoryPrivilege	2344	svchost.exe
Token: SeLockMemoryPrivilege	2344	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe
2344	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2728	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	31
PID 824 wrote to memory of 2728	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	31
PID 824 wrote to memory of 2728	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	31
PID 824 wrote to memory of 2728	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	31
PID 824 wrote to memory of 2844	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	32
PID 824 wrote to memory of 2844	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	32
PID 824 wrote to memory of 2844	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	32
PID 824 wrote to memory of 2844	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	32
PID 824 wrote to memory of 2848	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	34
PID 824 wrote to memory of 2848	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	34
PID 824 wrote to memory of 2848	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	34
PID 824 wrote to memory of 2848	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	34
PID 824 wrote to memory of 2596	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	35
PID 824 wrote to memory of 2596	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	35
PID 824 wrote to memory of 2596	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	35
PID 824 wrote to memory of 2596	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	35
PID 2728 wrote to memory of 2820	2728	AdobeUpdate.exe	36
PID 2728 wrote to memory of 2820	2728	AdobeUpdate.exe	36
PID 2728 wrote to memory of 2820	2728	AdobeUpdate.exe	36
PID 2820 wrote to memory of 2740	2820	cmd.exe	38
PID 2820 wrote to memory of 2740	2820	cmd.exe	38
PID 2820 wrote to memory of 2740	2820	cmd.exe	38
PID 824 wrote to memory of 2424	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	40
PID 824 wrote to memory of 2424	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	40
PID 824 wrote to memory of 2424	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	40
PID 824 wrote to memory of 2424	824	72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe	40
PID 2740 wrote to memory of 2912	2740	cmd.exe	42
PID 2740 wrote to memory of 2912	2740	cmd.exe	42
PID 2740 wrote to memory of 2912	2740	cmd.exe	42
PID 2740 wrote to memory of 2836	2740	cmd.exe	43
PID 2740 wrote to memory of 2836	2740	cmd.exe	43
PID 2740 wrote to memory of 2836	2740	cmd.exe	43
PID 2740 wrote to memory of 2872	2740	cmd.exe	44
PID 2740 wrote to memory of 2872	2740	cmd.exe	44
PID 2740 wrote to memory of 2872	2740	cmd.exe	44
PID 2740 wrote to memory of 1388	2740	cmd.exe	45
PID 2740 wrote to memory of 1388	2740	cmd.exe	45
PID 2740 wrote to memory of 1388	2740	cmd.exe	45
PID 2848 wrote to memory of 1944	2848	OneDrive.exe	46
PID 2848 wrote to memory of 1944	2848	OneDrive.exe	46
PID 2848 wrote to memory of 1944	2848	OneDrive.exe	46
PID 2848 wrote to memory of 1944	2848	OneDrive.exe	46
PID 1388 wrote to memory of 1252	1388	cmd.exe	48
PID 1388 wrote to memory of 1252	1388	cmd.exe	48
PID 1388 wrote to memory of 1252	1388	cmd.exe	48
PID 2848 wrote to memory of 1892	2848	OneDrive.exe	49
PID 2848 wrote to memory of 1892	2848	OneDrive.exe	49
PID 2848 wrote to memory of 1892	2848	OneDrive.exe	49
PID 2848 wrote to memory of 1892	2848	OneDrive.exe	49
PID 1892 wrote to memory of 2200	1892	cmd.exe	51
PID 1892 wrote to memory of 2200	1892	cmd.exe	51
PID 1892 wrote to memory of 2200	1892	cmd.exe	51
PID 1892 wrote to memory of 2200	1892	cmd.exe	51
PID 2848 wrote to memory of 1948	2848	OneDrive.exe	52
PID 2848 wrote to memory of 1948	2848	OneDrive.exe	52
PID 2848 wrote to memory of 1948	2848	OneDrive.exe	52
PID 2848 wrote to memory of 1948	2848	OneDrive.exe	52
PID 2848 wrote to memory of 1948	2848	OneDrive.exe	52
PID 2848 wrote to memory of 1948	2848	OneDrive.exe	52
PID 2848 wrote to memory of 1948	2848	OneDrive.exe	52
PID 2848 wrote to memory of 1948	2848	OneDrive.exe	52
PID 2848 wrote to memory of 1948	2848	OneDrive.exe	52
PID 2848 wrote to memory of 1948	2848	OneDrive.exe	52
PID 2848 wrote to memory of 1948	2848	OneDrive.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2836	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1124
- C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
  "C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
    "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\system32\cmd.exe
        
        cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\system32\PING.EXE
        
        ping localhost -n 1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
      - C:\Windows\system32\attrib.exe
        
        attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2836
      - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)
        6⤵
        Modifies file permissions
        
        PID:2872
      - C:\Windows\system32\cmd.exe
        
        cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Msedge.exe
        
        C:\Users\Admin\AppData\Local\Msedge.exe
        7⤵
        Executes dropped EXE
        
        PID:1252
- - C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
    "C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'
      4⤵
      Adds Run key to start application
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2200
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      #cmd
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1948
- - C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
    "C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2596
- - C:\Users\Admin\AppData\Local\Temp\Aurora.exe
    "C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
    3⤵
    - Executes dropped EXE
    PID:2424
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:300
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:804
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:924
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2924
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"
  2⤵
  PID:1140
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:980
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:352
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1192
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:876
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2344

C:\Windows\system32\taskeng.exe
taskeng.exe {13CC630C-48AF-4DFD-9C5F-4F5463C9FE30} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:908
- C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
  C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab1538.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1605.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

Filesize
80KB

MD5
65f0a85c4b056d6bcee60c49e2372e35

SHA1
6af820a2030950617bf150777af4a43a06a17184

SHA256
d64768ea74224057220bff451504b6128ddfb6161617b668626c490c84b3ae8e

SHA512
7a50bd0b3908f830494b2bff13a051ba0cdc7900934dbf8a62616f6d29b914f05f8029bbcc429a095254ebb6ab2a2d92c05dd6aebf57e34cde20f152243df383

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z2FCJFND2T29L6YFZ7P3.temp

Filesize
7KB

MD5
533cdacb2424c7fa2206a5242638b6f7

SHA1
7ab0e332ec311316006829f1ca75d38b905eae92

SHA256
42e61ac924eef8c34ba386fa2b75c1c46d0aede8370442456a92df342a6e41c6

SHA512
3ef996e2ab8d4701a682903276e5b550b80fa2295d60578e0eb11c0dbfbb79007d1d06fc00d475f04d12ce9c8313a17f146cc553d2b0226e49e578f0389f9561

Download Submit
\Users\Admin\AppData\Local\Temp\Aurora.exe

Filesize
25.2MB

MD5
1504c863a05885816d2c8874137ae7a7

SHA1
5b16d440a7e9b5887886549f016f252900b5c0ac

SHA256
33fc61e81efa609df51277aef261623bb291e2dd5359362d50070f7a441df0ad

SHA512
055d2650ac996443130c05a742bcaabc576dbde29cc21ea956f66132f7e6da8a5771beb9cd51ff2384b2230ebe68990b35d8b14611613db2b8d2764846a487f9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

Filesize
95KB

MD5
c9a9d471428a5f92068c0823e6454254

SHA1
8b8ee8612b9b8bfbb165b3a8ca0d4a377b589dd2

SHA256
b0ffaa8c7d8fe1e804afc87e6f7659483c69d421911ddbfc410270011b91bfb5

SHA512
ca34022e99a48639fb3566ec4eb901a2f91121aee6a1f1bc601492dd94387873afc8af499aefed8d644aef8f564ca46a12ea40176da7f8d7b4e60f4b505ac8af

Download Submit
\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

Filesize
3.2MB

MD5
3b4f58cd4bca7274be25e885be00798b

SHA1
eb57c281d8324a1079db97c9da43483a65debbed

SHA256
a6832546e1d261c33deea58e1cbb8a391af91628b130454d55aef3e292862d80

SHA512
dc909730b2feacba3c14c98a2b443d5c12dfd74ce74db53cf7e564e01707ac365811e4d3b95c0cefe2b87ebd1b074fb4a395360911c3d11de4fa8957e9bad121

Download Submit
\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

Filesize
5.6MB

MD5
b9fc8581b52abfc6b563da731438e27d

SHA1
43111fe9b307c850a379fe2d64d279e994680de3

SHA256
e03debe75b2f4f4c937c50773064b9a692b262bfce4472e67900edf3f7726058

SHA512
c62540e73870caf9a93fbc2396ac99867f8f6e87661240d7642022130008bdb769954f1e8a58d13698172e62cc5b7d44a73b2f1d999db47822eb294c629436a5

Download Submit
memory/448-107-0x0000000002830000-0x0000000002838000-memory.dmp

Filesize
32KB

Download
memory/448-106-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/584-121-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/584-120-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/824-2-0x0000000075DC0000-0x0000000075E07000-memory.dmp

Filesize
284KB

Download
memory/824-0-0x0000000000990000-0x000000000245A000-memory.dmp

Filesize
26.8MB

Download
memory/824-1-0x0000000075DCE000-0x0000000075DCF000-memory.dmp

Filesize
4KB

Download
memory/824-54-0x0000000000990000-0x000000000245A000-memory.dmp

Filesize
26.8MB

Download
memory/824-50-0x0000000075DC0000-0x0000000075E07000-memory.dmp

Filesize
284KB

Download
memory/824-6-0x0000000075DC0000-0x0000000075E07000-memory.dmp

Filesize
284KB

Download
memory/876-128-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/876-132-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1688-126-0x000000013FD90000-0x000000014032A000-memory.dmp

Filesize
5.6MB

Download
memory/1688-114-0x000000013FD90000-0x000000014032A000-memory.dmp

Filesize
5.6MB

Download
memory/1948-100-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1948-93-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1948-91-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1948-95-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1948-97-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1948-98-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1948-99-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1948-89-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2344-136-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2344-138-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2344-127-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/2344-144-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2344-148-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2344-129-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2344-131-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2344-142-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2344-133-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2344-140-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2344-146-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2424-84-0x000000013FB20000-0x00000001413EF000-memory.dmp

Filesize
24.8MB

Download
memory/2596-101-0x000000013FA60000-0x000000013FFFA000-memory.dmp

Filesize
5.6MB

Download
memory/2596-110-0x000000013FA60000-0x000000013FFFA000-memory.dmp

Filesize
5.6MB

Download
memory/2844-31-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/2848-32-0x00000000013D0000-0x00000000016FE000-memory.dmp

Filesize
3.2MB

Download