phorphiex | 31eb7b48accefe8d55dbfc0006deb922eb274b21110495169515d58b5d76e80e

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1b39809afb266f79d47e0e675b58520N.exe
Size

5.4MB
MD5

d1b39809afb266f79d47e0e675b58520
SHA1

644cb33d14cadee497df49d83832025ef767d59c
SHA256

31eb7b48accefe8d55dbfc0006deb922eb274b21110495169515d58b5d76e80e
SHA512

5e4401031e2be27d231e11dde07a43c6ea1c7b8722164068369099262d8c97d6b2f4fb2e49a6e74f82d98f01fbd2aeed3c45eb1ec04d22fc823f9b8c6d9ca0a6
SSDEEP

98304:iCBbQ2H/oEMjghbO76uAqrngBNXsH7zMdDwPgXcM3qn8V/cwduNJKf+tLNJ:i4Rf/JTNXsH7z0DwPgAvwduGf6r

Score

10^/10

phorphiex xmrig credential_access discovery evasion execution loader miner persistence spyware stealer trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
x88767657x
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

sysmysldrv.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" sysmysldrv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysmysldrv.exe

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\1908316098.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

2578332438.exewupgrdsv.exe

description	pid	process	target process
PID 2372 created 1352	2372	2578332438.exe	Explorer.EXE
PID 2372 created 1352	2372	2578332438.exe	Explorer.EXE
PID 1712 created 1352	1712	wupgrdsv.exe	Explorer.EXE
PID 1712 created 1352	1712	wupgrdsv.exe	Explorer.EXE

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysmysldrv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmysldrv.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

XMRig Miner payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1712-326-0x000000013F640000-0x000000013FBB6000-memory.dmp	xmrig
behavioral1/memory/1712-329-0x000000013F640000-0x000000013FBB6000-memory.dmp	xmrig
behavioral1/memory/2772-331-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2772-332-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2772-333-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1416 powershell.exe
336 powershell.exe
2148 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
1416	powershell.exe
336	powershell.exe
2148	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

6E2E.exe1908316098.exesysmysldrv.exe1252324186.exe1831915462.exe106497810.exe2465037390.exe154226065.exe2578332438.exewupgrdsv.exe

pid	process
2264	6E2E.exe
996	1908316098.exe
1980	sysmysldrv.exe
2276	1252324186.exe
956	1831915462.exe
2832	106497810.exe
2960	2465037390.exe
1804	154226065.exe
2372	2578332438.exe
1712	wupgrdsv.exe

Loads dropped DLL 11 IoCs

Processes:

d1b39809afb266f79d47e0e675b58520N.exe6E2E.exesysmysldrv.exe106497810.exe154226065.exetaskeng.exe

pid	process
2508	d1b39809afb266f79d47e0e675b58520N.exe
2264	6E2E.exe
2264	6E2E.exe
1980	sysmysldrv.exe
1980	sysmysldrv.exe
1980	sysmysldrv.exe
1980	sysmysldrv.exe
2832	106497810.exe
1980	sysmysldrv.exe
1804	154226065.exe
1696	taskeng.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysmysldrv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmysldrv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1908316098.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmysldrv.exe"	1908316098.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wupgrdsv.exe

description pid process target process

PID 1712 set thread context of 2772 1712 wupgrdsv.exe notepad.exe
Drops file in Windows directory 2 IoCs

Processes:

1908316098.exe

description ioc process

File created C:\Windows\sysmysldrv.exe 1908316098.exe
File opened for modification C:\Windows\sysmysldrv.exe 1908316098.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2156 sc.exe
2164 sc.exe
2144 sc.exe
1804 sc.exe
2432 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1712 set thread context of 2772	1712	wupgrdsv.exe	notepad.exe

description	ioc	process
File created	C:\Windows\sysmysldrv.exe	1908316098.exe
File opened for modification	C:\Windows\sysmysldrv.exe	1908316098.exe

pid	process
2156	sc.exe
2164	sc.exe
2144	sc.exe
1804	sc.exe
2432	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

sysmysldrv.exesc.exe1908316098.execmd.exe1252324186.exe154226065.exesc.exed1b39809afb266f79d47e0e675b58520N.execmd.exepowershell.exesc.exe6E2E.exesc.exesc.exe106497810.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmysldrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1908316098.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1252324186.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	154226065.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1b39809afb266f79d47e0e675b58520N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6E2E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	106497810.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

452 schtasks.exe
1476 schtasks.exe

pid	process
452	schtasks.exe
1476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exe2578332438.exepowershell.exewupgrdsv.exepowershell.exe

pid	process
2148	powershell.exe
2372	2578332438.exe
2372	2578332438.exe
1416	powershell.exe
2372	2578332438.exe
2372	2578332438.exe
1712	wupgrdsv.exe
1712	wupgrdsv.exe
336	powershell.exe
1712	wupgrdsv.exe
1712	wupgrdsv.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

d1b39809afb266f79d47e0e675b58520N.exepowershell.exepowershell.exepowershell.exenotepad.exe

description	pid	process
Token: SeShutdownPrivilege	2508	d1b39809afb266f79d47e0e675b58520N.exe
Token: SeShutdownPrivilege	2508	d1b39809afb266f79d47e0e675b58520N.exe
Token: SeShutdownPrivilege	2508	d1b39809afb266f79d47e0e675b58520N.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeLockMemoryPrivilege	2772	notepad.exe
Token: SeLockMemoryPrivilege	2772	notepad.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

notepad.exe

pid	process
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe

Suspicious use of SendNotifyMessage 41 IoCs

Processes:

notepad.exe

pid	process
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe
2772	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d1b39809afb266f79d47e0e675b58520N.exe6E2E.exe1908316098.exesysmysldrv.execmd.execmd.exe106497810.exe

description	pid	process	target process
PID 2508 wrote to memory of 2264	2508	d1b39809afb266f79d47e0e675b58520N.exe	6E2E.exe
PID 2508 wrote to memory of 2264	2508	d1b39809afb266f79d47e0e675b58520N.exe	6E2E.exe
PID 2508 wrote to memory of 2264	2508	d1b39809afb266f79d47e0e675b58520N.exe	6E2E.exe
PID 2508 wrote to memory of 2264	2508	d1b39809afb266f79d47e0e675b58520N.exe	6E2E.exe
PID 2264 wrote to memory of 996	2264	6E2E.exe	1908316098.exe
PID 2264 wrote to memory of 996	2264	6E2E.exe	1908316098.exe
PID 2264 wrote to memory of 996	2264	6E2E.exe	1908316098.exe
PID 2264 wrote to memory of 996	2264	6E2E.exe	1908316098.exe
PID 996 wrote to memory of 1980	996	1908316098.exe	sysmysldrv.exe
PID 996 wrote to memory of 1980	996	1908316098.exe	sysmysldrv.exe
PID 996 wrote to memory of 1980	996	1908316098.exe	sysmysldrv.exe
PID 996 wrote to memory of 1980	996	1908316098.exe	sysmysldrv.exe
PID 1980 wrote to memory of 1520	1980	sysmysldrv.exe	cmd.exe
PID 1980 wrote to memory of 1520	1980	sysmysldrv.exe	cmd.exe
PID 1980 wrote to memory of 1520	1980	sysmysldrv.exe	cmd.exe
PID 1980 wrote to memory of 1520	1980	sysmysldrv.exe	cmd.exe
PID 1980 wrote to memory of 1216	1980	sysmysldrv.exe	cmd.exe
PID 1980 wrote to memory of 1216	1980	sysmysldrv.exe	cmd.exe
PID 1980 wrote to memory of 1216	1980	sysmysldrv.exe	cmd.exe
PID 1980 wrote to memory of 1216	1980	sysmysldrv.exe	cmd.exe
PID 1216 wrote to memory of 2144	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2144	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2144	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2144	1216	cmd.exe	sc.exe
PID 1520 wrote to memory of 2148	1520	cmd.exe	powershell.exe
PID 1520 wrote to memory of 2148	1520	cmd.exe	powershell.exe
PID 1520 wrote to memory of 2148	1520	cmd.exe	powershell.exe
PID 1520 wrote to memory of 2148	1520	cmd.exe	powershell.exe
PID 1216 wrote to memory of 1804	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 1804	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 1804	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 1804	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2432	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2432	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2432	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2432	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2156	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2156	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2156	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2156	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2164	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2164	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2164	1216	cmd.exe	sc.exe
PID 1216 wrote to memory of 2164	1216	cmd.exe	sc.exe
PID 1980 wrote to memory of 2276	1980	sysmysldrv.exe	1252324186.exe
PID 1980 wrote to memory of 2276	1980	sysmysldrv.exe	1252324186.exe
PID 1980 wrote to memory of 2276	1980	sysmysldrv.exe	1252324186.exe
PID 1980 wrote to memory of 2276	1980	sysmysldrv.exe	1252324186.exe
PID 1980 wrote to memory of 956	1980	sysmysldrv.exe	1831915462.exe
PID 1980 wrote to memory of 956	1980	sysmysldrv.exe	1831915462.exe
PID 1980 wrote to memory of 956	1980	sysmysldrv.exe	1831915462.exe
PID 1980 wrote to memory of 956	1980	sysmysldrv.exe	1831915462.exe
PID 1980 wrote to memory of 2832	1980	sysmysldrv.exe	106497810.exe
PID 1980 wrote to memory of 2832	1980	sysmysldrv.exe	106497810.exe
PID 1980 wrote to memory of 2832	1980	sysmysldrv.exe	106497810.exe
PID 1980 wrote to memory of 2832	1980	sysmysldrv.exe	106497810.exe
PID 2832 wrote to memory of 2960	2832	106497810.exe	2465037390.exe
PID 2832 wrote to memory of 2960	2832	106497810.exe	2465037390.exe
PID 2832 wrote to memory of 2960	2832	106497810.exe	2465037390.exe
PID 2832 wrote to memory of 2960	2832	106497810.exe	2465037390.exe
PID 1980 wrote to memory of 1804	1980	sysmysldrv.exe	154226065.exe
PID 1980 wrote to memory of 1804	1980	sysmysldrv.exe	154226065.exe
PID 1980 wrote to memory of 1804	1980	sysmysldrv.exe	154226065.exe
PID 1980 wrote to memory of 1804	1980	sysmysldrv.exe	154226065.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1352
- C:\Users\Admin\AppData\Local\Temp\d1b39809afb266f79d47e0e675b58520N.exe
  "C:\Users\Admin\AppData\Local\Temp\d1b39809afb266f79d47e0e675b58520N.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\6E2E.exe
    "C:\Users\Admin\AppData\Local\Temp\6E2E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\1908316098.exe
      C:\Users\Admin\AppData\Local\Temp\1908316098.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:996
    - - C:\Windows\sysmysldrv.exe
        
        C:\Windows\sysmysldrv.exe
        5⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2164
      - C:\Users\Admin\AppData\Local\Temp\1252324186.exe
        
        C:\Users\Admin\AppData\Local\Temp\1252324186.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2276
      - C:\Users\Admin\AppData\Local\Temp\1831915462.exe
        
        C:\Users\Admin\AppData\Local\Temp\1831915462.exe
        6⤵
        Executes dropped EXE
        
        PID:956
      - C:\Users\Admin\AppData\Local\Temp\106497810.exe
        
        C:\Users\Admin\AppData\Local\Temp\106497810.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\2465037390.exe
        
        C:\Users\Admin\AppData\Local\Temp\2465037390.exe
        7⤵
        Executes dropped EXE
        
        PID:2960
      - C:\Users\Admin\AppData\Local\Temp\154226065.exe
        
        C:\Users\Admin\AppData\Local\Temp\154226065.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\2578332438.exe
        
        C:\Users\Admin\AppData\Local\Temp\2578332438.exe
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1476
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:452
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2772

C:\Windows\system32\taskeng.exe
taskeng.exe {39310316-B381-473C-82EF-7E2CCE900E5A} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:1696
- C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
  "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2578332438.exe

Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E2E.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Agent-20240803T193805.log

Filesize
768B

MD5
78103256241bda5e99b304a99972f4f2

SHA1
42ed1233b7fc5e1183ac5410e0a62b6f4b6c08f7

SHA256
7e2bc4f4d4e22797852eb4098b878910b9cef5aab1a78c8526d90f4f95adcec9

SHA512
daea4a9cd89dcfaac01feac21127820cf76bafb77143b6a5251efad3dc2d5e0676d29f1d780c5a7d28419c268bafe8a055b7ed9dd3b53fad392874b35f62ecf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\AgentErrors-20240803T193805.log

Filesize
305B

MD5
db9a87ea6f4d19a612e3dc0aadcb4aad

SHA1
7670e81f82e0bfb56fad8eab5e1e8668f4621ab8

SHA256
221fbe99ad4524f479363af8169319a79efc9f1e2307a2a2ee1c9f4ec95f6261

SHA512
c7c8c948a3c3f02afccdace131fa58e43ae6a412d921126bdb2fc77525ad7b1867af6c893275b3d34caf184359a680058430fdf42986fb50d99dac3c3ae8553a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Features-20240803T193805.log

Filesize
91B

MD5
4b19f58e0f9c981258724d510e738b19

SHA1
25a9d8b96cadc5ebc3da7d59e6eb5805dc1d1c8e

SHA256
d1f04399ebbaee07feee8f375bf33bcd03182fecd316c1e3b1127faabafa3ff1

SHA512
0d038bb828859dc0a591e66d4374be0416f9c2b968c7fe0dc4c973cbeb97053143c52e22bb79cce5c8469c36af0ab96b21773bda2a09bf07aacdff3a5ef55aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Operations-20240803T193805.log

Filesize
159B

MD5
5d50f14df5cf9b9a33ea231304f8d745

SHA1
aa900b87e1e7131ff889d2d2931ca6d948383ac8

SHA256
80d9285b57e861fa3bb5634aa445c95b258bd7811819ca9115b827b2641ee29d

SHA512
ac12275b39899b3b6b62ce8dcf4481d5a312ded98eb0cf79a4aca9062c19e50565b4269e0e5b036435133627a37285126f465b6ef34707be48666ed901760772

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Telemetry-MessageStats-20240803T193805.log

Filesize
3KB

MD5
7ad6e1ac9946ef709663f6024b6937b7

SHA1
2bc92730a15b04d1b3a981be3258a85aa82eb30f

SHA256
d0f3a27f53ca7df4e70f7a6f0e1034ca29e8bd973c56192345fb2f0ea1170bf4

SHA512
1ab560e6a83b79e92d87ac7912e023cd2d07b5122b3154ebe49c8b2c999f8d4925ed5c47aac13f17f9a6b9daad0266be10df6bd4590aa0afa1f94e2c6197ea4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Telemetry-TELE-20240803T193805.log

Filesize
88B

MD5
916b834edf1936911b2094e13a85f347

SHA1
43bce24e86ad8c015a36c8e0433d053b2d86b3fa

SHA256
3fa25f3b3f615da508416ba903d15153102f98423e09ad8da4be2c5f470969fc

SHA512
7c2a400ac44acea9de2602fb9f3801447e5339013aceef6ea93a8e2900b86b96c593f7b28ca3601f530ddd907c1d9a10f743a7e882cea0f4ea95dd1e9e3e90bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Telemetry-TELE-20240803T193805.log

Filesize
3KB

MD5
9b74d60ebf04f89945e4005f3e901cb9

SHA1
0618bbd5c5e799a569e1f05785c7e83b6967e287

SHA256
1525e7ba9929ac5ddcb5d6c3f2458abf07660e8a9f955a590e7ebf13d18afddf

SHA512
3ba2647fc89d288f81932c059d6b35ebe99a71b2c2ab786d7baabe55c28b71bef240e58bcb6ac141b9c65a43db50ceb7d599079c19bb59a450590ed5accd0e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Telemetry-TELE-20240803T193805.log

Filesize
6KB

MD5
3f98e45784fcd690771f38a237307bd3

SHA1
64d5d7dacd24863e586067cd0f8dbee2bcea317f

SHA256
06c4fd1769dfd705316de09e335a1241f5527815d1954fa9d9538b05d0c0a858

SHA512
ef16352830ee55b56a45882acab334c5d17b4ce5e1aa882601a8e0996cad0d66dd0ba908ded112007801dab97327484f076882fba99db6cbe9ec2b7ed5c8d757

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Version-20240803T193805.log

Filesize
157B

MD5
1484d620049125c0b62edd40c7789fb9

SHA1
d61afdf2d18e1c54baf1560dbf0695a758a1bb09

SHA256
02e4132f12c037b09a5eb4fae13dee31e8ff8e9b588e96f81025dbf422030a60

SHA512
ad066f2a4f55758a52e79b83215ed006105f5942ea9940e5add5cda9ef57803a6013cce4254fb3e619bc06815598f6e238c3d2dd89268cf1d47357ec2cff5873

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\curl-20240803T193805.log

Filesize
151B

MD5
c24c486a74eee5804d034b91c952c9a0

SHA1
a91a0a5c10c0ffe4eac0e5c1fee14fc62c341a3b

SHA256
7a732da9b9feee4700103e9db7801725e34ad325586064d93d34ae1ac01958bb

SHA512
77fa3d831471fa3c5b207e34b9466db6482e7f38b9dc22e6fe429822ad9a7f1e754b08208449c7a8b71998918ff2d0a9dfc02db54762d32256472ec49b33a4b0

Download Submit
C:\Users\Admin\AppData\Local\data\cache\bc\20\bc2095f930a0cd551a40c4b978b6d6e2

Filesize
3KB

MD5
bc2095f930a0cd551a40c4b978b6d6e2

SHA1
7f49e7e45842c88f4ffd1611ba8de2ee5f36d7fa

SHA256
8521eaff77b3e162fb8be1b42c541405e929d2bfbb31fdcf353652f952dfab05

SHA512
d2704bad722a0731b470a7e99f026adf77b50f9756cc6293c345770d84bf3c78782af1c265ee45147af0af3e2b54ab8589c15480ef7422d8e4cf672513ff741a

Download Submit
C:\Users\Admin\AppData\Local\product.db

Filesize
186B

MD5
ea27ecef20f1c880156c24e2879afb98

SHA1
4dbc927d6cc241a9a8ac137f8b196aed19c2ceb5

SHA256
43fbf6de7c35ccc2b98ec9e09b4962ae812ccc7dcf69da0027e653c4cdff2f9e

SHA512
ac25ecd0cd56a9df1d51072d53804d32edf88f447b369081ff08718caa3cfe96f452eb613bda71444e0e2d7af2a6e95c42736d31fca16b8f698b3572a08b65f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UV1NQA6X10YCDYKAOJ8Q.temp

Filesize
7KB

MD5
0d170026eea5e03db5c6a08c97e5e23f

SHA1
0b221856a21f28a708d18a84bf3ac3ff718c9ce9

SHA256
ee32861829826a9d2723345359fbdabbdd6f4e935bd545f969c2ce459da1ad73

SHA512
5db6f426e37aaef163a14b416cf648888e5b8a2ddd95ee7d655daa5d5626d0cd759dbe0643053ded37f8bceff6675f72da9fe1c050f5f981c4fae369e20de6af

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\106497810.exe

Filesize
10KB

MD5
d4039242a73ca683d220aa81a63bf628

SHA1
9f3e58b60b1d56c8461de59e780597e43653e4e9

SHA256
2edde7963b986d6f96c73fa0057a8b0ea163fcd06c9e52c2eeda0728d540955b

SHA512
bae49ddfc82ac532d177981f985f7ea9239fd09c6baa914b679d31aef7a8ee091478d83ac2d6f05c490297eeba5342a783ebbf2b143667b16eefff4cb84a21c7

Download Submit
\Users\Admin\AppData\Local\Temp\1252324186.exe

Filesize
7KB

MD5
af0622340ed8ba48efa92e0b2d9aca7b

SHA1
77e7181b4d4e6957cf13ba37f590cf219aac88cb

SHA256
7b7d433c6c204ed3bcd1ea74106592edfa1a30b6ef7bbc3ed21efcbadc51e526

SHA512
e1368c1c292789115b51cae549bd2d484dbc614eb3e57aa5fce324385d28e9fbddf60064b4c88237b38cded294d090d07c491b646651c45bcd6235630d94ef46

Download Submit
\Users\Admin\AppData\Local\Temp\154226065.exe

Filesize
10KB

MD5
4fe8dc617311f7b6a4b8ebe0b1e24090

SHA1
2bd9341f17c8c0c62e56e1863b1d2f9c43cb30e5

SHA256
5016e413b0c563efc920165e7235c9f2706808877668bd297b41435acc7aade4

SHA512
910a12fbaffd45b0f797a95c6678a32c4a27adbb7d1474f183f8863d310d31fbba17d5d747da87ac4a30dd7cb22c67a4d1c25b302ef0c3f6954d91a459c692db

Download Submit
\Users\Admin\AppData\Local\Temp\1908316098.exe

Filesize
92KB

MD5
be9388b42333b3d4e163b0ace699897b

SHA1
4e1109772eb9cb59c557380822166fe1664403bd

SHA256
d281e0a0f1e1073f2d290a7eb1f77bed4c210dbf83a0f4f4e22073f50faa843f

SHA512
5f887f1060b898c9a88745cde7cf509fdf42947ab8e5948b46c2df659468dc245b24d089bdbec0b314c40b83934698bf4b6feb8954e32810ff8f522aab0af19a

Download Submit
\Users\Admin\AppData\Local\Temp\2465037390.exe

Filesize
20KB

MD5
1382c0a4a9e0a9a2c942458652a4a0e4

SHA1
55ed8ebd6281c280c3e77763773d789a6057e743

SHA256
4cb590dfafb7653379326e840d9b904a3cf05451999c4f9eb66c6e7116b68875

SHA512
cc1ba7e779536b57409c974f16b0d8706fdf8749fb9eca36716d4e84d4f420a650b6476ac08570e684ad1e492da3bbacc15a4e5be4b94a1b708909d683da0b7e

Download Submit
memory/336-323-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/336-324-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1416-310-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/1416-309-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/1712-326-0x000000013F640000-0x000000013FBB6000-memory.dmp

Filesize
5.5MB

Download
memory/1712-329-0x000000013F640000-0x000000013FBB6000-memory.dmp

Filesize
5.5MB

Download
memory/2372-313-0x000000013FEA0000-0x0000000140416000-memory.dmp

Filesize
5.5MB

Download
memory/2772-330-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2772-331-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2772-332-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2772-333-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2772-334-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download