Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-08-2024 21:39

General

  • Target

    https://workupload.com/file/e3Ntgx8nVXy

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7488189478:AAH6VIMvTK1qt_asd4dAuNYuoUWUeh-2Kvg/sendPhot

Signatures

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
  • Process spawned unexpected child process (18 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell (1 TTP, 6 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (3 IoCs)
  • Adds Run key to start application (2 TTPs, 12 IoCs)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Browser Information Discovery (1 TTP)

    Enumerates browser information.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (3 IoCs)
  • Opens file in notepad (likely ransom note) (2 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 18 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (13 IoCs)
  • Suspicious use of AdjustPrivilegeToken (19 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://workupload.com/file/e3Ntgx8nVXy
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4136
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebbe046f8,0x7ffebbe04708,0x7ffebbe04718
      2⤵
        PID:4092
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        2⤵
          PID:2940
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3856
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
          2⤵
            PID:2056
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
            2⤵
              PID:464
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
              2⤵
                PID:1788
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
                2⤵
                  PID:4988
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4152
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
                  2⤵
                    PID:1052
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
                    2⤵
                      PID:2536
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3412 /prefetch:8
                      2⤵
                        PID:840
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
                        2⤵
                          PID:2852
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2316
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
                          2⤵
                            PID:3300
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
                            2⤵
                              PID:60
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
                              2⤵
                                PID:5308
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
                                2⤵
                                  PID:5560
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
                                  2⤵
                                    PID:5576
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
                                    2⤵
                                      PID:5660
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
                                      2⤵
                                        PID:5984
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
                                        2⤵
                                          PID:5248
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:2424
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:4660
                                          • C:\Windows\System32\rundll32.exe
                                            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                            1⤵
                                              PID:2872
                                            • C:\Program Files\7-Zip\7zG.exe
                                              "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SolaraBootstrapper\" -spe -an -ai#7zMap30531:98:7zEvent6480
                                              1⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of FindShellTrayWindow
                                              PID:5228
                                            • C:\Users\Admin\Downloads\SolaraBootstrapper\SolaraBootstrapper.exe
                                              "C:\Users\Admin\Downloads\SolaraBootstrapper\SolaraBootstrapper.exe"
                                              1⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              PID:2996
                                              • C:\Windows\SysWOW64\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\SurrogateFontsavesMonitor\t5yJBPVpMtfS5Dt2mh2uGFn.vbe"
                                                2⤵
                                                • Checks computer location settings
                                                • System Location Discovery: System Language Discovery
                                                PID:1292
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\SurrogateFontsavesMonitor\DKJr3MNjVDR1qneh6ELWUMeDWcnK8FGizjUQ7CRm3l0LL5J0EDSITahYbF.bat" "
                                                  3⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:3548
                                                  • C:\SurrogateFontsavesMonitor\ProviderInto.exe
                                                    "C:\SurrogateFontsavesMonitor/ProviderInto.exe"
                                                    4⤵
                                                    • Modifies WinLogon for persistence
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Adds Run key to start application
                                                    • Drops file in Program Files directory
                                                    • Drops file in Windows directory
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1216
                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\np3t35wr\np3t35wr.cmdline"
                                                      5⤵
                                                      • Drops file in System32 directory
                                                      PID:5896
                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8855.tmp" "c:\Windows\System32\CSC2A8C58511EB844FF85F19FD22CD7530.TMP"
                                                        6⤵
                                                          PID:5932
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TiWorker.exe'
                                                        5⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3824
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\services.exe'
                                                        5⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2308
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateFontsavesMonitor\RuntimeBroker.exe'
                                                        5⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1428
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'
                                                        5⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3628
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\wininit.exe'
                                                        5⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1584
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateFontsavesMonitor\ProviderInto.exe'
                                                        5⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:6056
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUBMxsXhn.bat"
                                                        5⤵
                                                          PID:5724
                                                          • C:\Windows\system32\chcp.com
                                                            chcp 65001
                                                            6⤵
                                                              PID:5224
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              6⤵
                                                                PID:3952
                                                              • C:\Program Files\VideoLAN\VLC\skins\services.exe
                                                                "C:\Program Files\VideoLAN\VLC\skins\services.exe"
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:5332
                                                    • C:\Windows\system32\taskmgr.exe
                                                      "C:\Windows\system32\taskmgr.exe" /4
                                                      1⤵
                                                      • Checks SCSI registry key(s)
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of FindShellTrayWindow
                                                      • Suspicious use of SendNotifyMessage
                                                      PID:4312
                                                    • C:\Program Files\7-Zip\7zG.exe
                                                      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SolaraBootstrapper\SolaraBootstrapper\" -spe -an -ai#7zMap14009:136:7zEvent10472
                                                      1⤵
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:5448
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TiWorker.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:5592
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "TiWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TiWorker.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:5628
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TiWorker.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:5648
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\services.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:5368
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\services.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3464
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\services.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4464
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\SurrogateFontsavesMonitor\RuntimeBroker.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:5956
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\SurrogateFontsavesMonitor\RuntimeBroker.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4364
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\SurrogateFontsavesMonitor\RuntimeBroker.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2264
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2156
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:5976
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4748
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\wininit.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3524
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\wininit.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2532
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\wininit.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2480
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "ProviderIntoP" /sc MINUTE /mo 6 /tr "'C:\SurrogateFontsavesMonitor\ProviderInto.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4412
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "ProviderInto" /sc ONLOGON /tr "'C:\SurrogateFontsavesMonitor\ProviderInto.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2004
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "ProviderIntoP" /sc MINUTE /mo 7 /tr "'C:\SurrogateFontsavesMonitor\ProviderInto.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4504
                                                    • C:\Windows\System32\NOTEPAD.EXE
                                                      "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SolaraBootstrapper\SolaraBootstrapper\DKJr3MNjVDR1qneh6ELWUMeDWcnK8FGizjUQ7CRm3l0LL5J0EDSITahYbF.bat
                                                      1⤵
                                                      • Opens file in notepad (likely ransom note)
                                                      PID:5532
                                                    • C:\Windows\System32\Notepad.exe
                                                      "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\SolaraBootstrapper\SolaraBootstrapper\t5yJBPVpMtfS5Dt2mh2uGFn.vbe
                                                      1⤵
                                                      • Opens file in notepad (likely ransom note)
                                                      PID:5628

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Downloads

                                                    • C:\SurrogateFontsavesMonitor\DKJr3MNjVDR1qneh6ELWUMeDWcnK8FGizjUQ7CRm3l0LL5J0EDSITahYbF.bat

                                                      Filesize

                                                      88B

                                                      MD5

                                                      b218180bed2af04d85507f0fbc168c9e

                                                      SHA1

                                                      a269e4b3a5e3529d6360fc042b9e59a48b82ce50

                                                      SHA256

                                                      39db898fef28721b8ff5ef62c06e0ea1e356247eb52d402b19093cf20a8be15b

                                                      SHA512

                                                      769b9675172c9e8c1cb820e85bf71a18a3f3999d6f3f85a66fd76a721c6cf69d6c0d3965f26d0d48e5007ed137a62fa2917b771896db2bc08e468c24b49eb4c8

                                                    • C:\SurrogateFontsavesMonitor\ProviderInto.exe

                                                      Filesize

                                                      1.8MB

                                                      MD5

                                                      ee848b0fdaa811eba94c2b625126fc32

                                                      SHA1

                                                      b82f5fe11abfcbaf665c64e0bf8f780f968919c5

                                                      SHA256

                                                      2e87fe4c6529e9ad5f615fe3dae33a8858dc9f6ada7b7fda6d6a2791128f0e70

                                                      SHA512

                                                      a9ccd913877609fc153b5749f1bc9058cd046add51b345e59ec34defcbdc63af9e687953da617e92f09ce713ade3e57a712d714f4856b64547cf3427085c38a7

                                                    • C:\SurrogateFontsavesMonitor\t5yJBPVpMtfS5Dt2mh2uGFn.vbe

                                                      Filesize

                                                      262B

                                                      MD5

                                                      f9219e38a39666704836adfff5f13122

                                                      SHA1

                                                      15874c2fb0511dabc8e942239fee9155fb05e823

                                                      SHA256

                                                      6ea2af03758dec0a423186cf0ef4546a94f41c6e11769a4aba0c2b5c9b8a7092

                                                      SHA512

                                                      f9b5ad2bb5aafbddf83536d4df9e23541755621709b4b1a6658f61fc0ef776e9da3ce9346472dad198360b871a8e8a10b47e8a464d68d68a3b90c47cb684d1bd

                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                      Filesize

                                                      2KB

                                                      MD5

                                                      d85ba6ff808d9e5444a4b369f5bc2730

                                                      SHA1

                                                      31aa9d96590fff6981b315e0b391b575e4c0804a

                                                      SHA256

                                                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                      SHA512

                                                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                      Filesize

                                                      152B

                                                      MD5

                                                      ecf7ca53c80b5245e35839009d12f866

                                                      SHA1

                                                      a7af77cf31d410708ebd35a232a80bddfb0615bb

                                                      SHA256

                                                      882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

                                                      SHA512

                                                      706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                      Filesize

                                                      152B

                                                      MD5

                                                      4dd2754d1bea40445984d65abee82b21

                                                      SHA1

                                                      4b6a5658bae9a784a370a115fbb4a12e92bd3390

                                                      SHA256

                                                      183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

                                                      SHA512

                                                      92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                      Filesize

                                                      1KB

                                                      MD5

                                                      b09e4ad42d2d561b9e02b663b7eb297d

                                                      SHA1

                                                      539c75d43b55f0a44fcf4f73d4e380e247323c55

                                                      SHA256

                                                      d61581d12602a7fbc36aefdb6350be187db0b9ef2bc17250bf9be2f8d8c8eb44

                                                      SHA512

                                                      299431718d380b2cab5a739fa3e9f5ccab14e368d53daeb677573223d0ee10fa8acf7732098d57af843ef9131c0cc51ae886f3b39916bc080ad1fdd61209c4a7

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                      Filesize

                                                      1KB

                                                      MD5

                                                      049ea397331c1b9d84a4293d451d55bf

                                                      SHA1

                                                      3a8e88eb7d3f11a6d97fa547603afbc2966cd216

                                                      SHA256

                                                      e910542b94540158458656e53e02943f487943e800e6f9abe943b150fdb2570b

                                                      SHA512

                                                      eb120c694c2394dda75aaa1ffa5160abc12fee91473b738317aabeb502eb5a480153d76b7fd8e2c6bb63471fc4b9f1ba2ae7b29edbf8dbfc7af2b05fa7d53185

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                      Filesize

                                                      6KB

                                                      MD5

                                                      c75f42f3f1225b08d91a43f84b7887ab

                                                      SHA1

                                                      a30f46b13f4528d5259c3ec5b28bfe7a1dcf842f

                                                      SHA256

                                                      7b130500d4afb32ee79e734089a7e015ce35d86ca65077219f984b92b762f862

                                                      SHA512

                                                      1f6e67072a1ddb915592be2b82b1bcab9fa24eaef836170532bd69b5d27ae0edc46a7c1784a0210d9338f255c48a768cea534180d378aeec959351ed1d6b2200

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      7e3dae9340717d034ec34afd4161f90b

                                                      SHA1

                                                      a083e7e4cfccdf5127d05c43a9e1b0edf07a0564

                                                      SHA256

                                                      7bbb871649a5ee18d2c794b10386ef84c0123118dff335414c4d791cf865e408

                                                      SHA512

                                                      00dad7f2bb85d0a02d059713e197ab709888900e61df240704208bdd8ad6465e5001d0769bca53a5012347df96c38721b14e1d48fae3fa86e76ceba5142b5252

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      e136068e8ecb1e34865bda6e35c494f3

                                                      SHA1

                                                      a07a95ac5416fa3650b0b20d8625847f8403b6a9

                                                      SHA256

                                                      21590e2b75060c6d416c9c9d604ebac1aca85281be8770913cbe9c4d63706dc9

                                                      SHA512

                                                      2daafff741a34e626e4fee65542b7c77f9532a23ac24d2b244728218f204620423cb7bcbe1779db9e78aa988d3641eb0d4d16d6f3b8d69730035dd4848055c48

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                      Filesize

                                                      6KB

                                                      MD5

                                                      ed6bb8e6c6f7190a94a7de7626857b24

                                                      SHA1

                                                      d1f002942a18480efc073ff40c3ff5cf01bff9a2

                                                      SHA256

                                                      366ebda4d795bab4de2aef20f001dfcc557ad57cf924907470323386b1ff08b2

                                                      SHA512

                                                      44bf0f14cd4972d6bef7d3544db5235cf8438ad4fa29a58a95e889ef175c0c5b5e437a3e8ac68706ddec796f8f893323c222831075fdd0d926e3063c10e49339

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                      Filesize

                                                      16B

                                                      MD5

                                                      6752a1d65b201c13b62ea44016eb221f

                                                      SHA1

                                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                      SHA256

                                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                      SHA512

                                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                      Filesize

                                                      11KB

                                                      MD5

                                                      47be4bbb76a01de2b248c64d422262ff

                                                      SHA1

                                                      274e031331af3daad0498fc3f1bf97668cfb4e42

                                                      SHA256

                                                      6d79c273efe4bb9835ffe1ee134903821dbae900eb23452a0ea9516670fd212f

                                                      SHA512

                                                      94de561592935552eb4c91f10c0b26beb005ae63ed707742dbacce86748186c3fa9c72b3e54052164840a7e524d1462442366042c7490a46366caccdc05e89f9

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                      Filesize

                                                      11KB

                                                      MD5

                                                      e6b5b2049d646a54c01a40f6ed9321ad

                                                      SHA1

                                                      60fc63e2f189c4d89b1009888a316c336cc09806

                                                      SHA256

                                                      dbda0b14876597d6688888440d936ed9ffb66e2cccf74c5e9ffca5740df10004

                                                      SHA512

                                                      3b86fa6a949a5a03129910977d049ec2e56c8235251dccdc47aca32ab1b5c219dd2e786a48bd773aa54add4aadfd60c78c72221cf5c862f4e98f7586d639b129

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Filesize

                                                      944B

                                                      MD5

                                                      77d622bb1a5b250869a3238b9bc1402b

                                                      SHA1

                                                      d47f4003c2554b9dfc4c16f22460b331886b191b

                                                      SHA256

                                                      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                                      SHA512

                                                      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Filesize

                                                      104B

                                                      MD5

                                                      c3d5e9a6b46c457a2e9ed4776da216b9

                                                      SHA1

                                                      d5f96d4fe38478a64696e91be9e479c4ac8c3b26

                                                      SHA256

                                                      35d14b81697459efe199eddc1c5715d34e253b4f15d99e10589e6fc680866f24

                                                      SHA512

                                                      4c375c0bf406546774fb0ce31597727dffd5b799b09446dd7a90845aafa0419f25793d370b259a78ce13378cee22f55e76c3fcec9ec2fc682e6c15f1ac9325a1

                                                    • C:\Users\Admin\AppData\Local\Temp\RES8855.tmp

                                                      Filesize

                                                      1KB

                                                      MD5

                                                      a563c642d6d40d17b5a5366f09e3ef6d

                                                      SHA1

                                                      2cf0b81912e76ee7e9458ae5ce8c50b7b88337a6

                                                      SHA256

                                                      7faf2585f89e0606cb5eb3bb16d9c58fada759a5187fdde4a77f404f2a328e04

                                                      SHA512

                                                      d2e287456fe4ebca5ea317b115236b6f55c33d2f8cd29d48c064354ac3fd49e13fc2f66a5a59be92dde76247d44dd085e9fdfd8813d1f2fe1d0ae13e68758657

                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_glji2sdm.nlt.ps1

                                                      Filesize

                                                      60B

                                                      MD5

                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                      SHA1

                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                      SHA256

                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                      SHA512

                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                    • C:\Users\Admin\AppData\Local\Temp\uVUBMxsXhn.bat

                                                      Filesize

                                                      224B

                                                      MD5

                                                      0ca7d32c4a5ed9c4d7440ed716edffef

                                                      SHA1

                                                      aa3cf6f751ad34981c853818e144a61d038dd210

                                                      SHA256

                                                      02b8dc6bdd1572d03f5e32b238c293e19e0319ae45bf710da2e2a4334fcfe6d9

                                                      SHA512

                                                      ccb7bbe2e4c0551564474ea75c2d91171a3c00a26195c179d5f068fe0cbf60fceba5c4116dcbfa4fd1f58224f52f07b09750ad56ab5f9957ba46b1193f9eca84

                                                    • C:\Users\Admin\Downloads\SolaraBootstrapper.rar

                                                      Filesize

                                                      1.6MB

                                                      MD5

                                                      7cd7c7f07ba796cf223fb66e288ec73a

                                                      SHA1

                                                      634aa76bb9c09df693601cbb3239da497fbc2c47

                                                      SHA256

                                                      faa5ea1d26079085f5b5f627d1f8e09fc7f350df3db76b28c5f855efd3150e6c

                                                      SHA512

                                                      d57d866c03682af547ed91303ae0a0d0af56e73cb6f601e10dbd358bbc30663aea58319a7b7aa8752887148132f22e1ee413783759d0a58de0e891ee3537a37f

                                                    • C:\Users\Admin\Downloads\SolaraBootstrapper\SolaraBootstrapper.exe

                                                      Filesize

                                                      2.1MB

                                                      MD5

                                                      105991ce02358995ea190b0ab9119d02

                                                      SHA1

                                                      0335dd31909e4dcd04be7d365e4ad7dac5520a8e

                                                      SHA256

                                                      5367822efad1a46cfd82e82731e2d6841fb9be7bd7862f9993d7b7c85d045e67

                                                      SHA512

                                                      7d3cee2772cdffc16cf84151b23958d5ff2c94aa25b83275623254b87d925fc109bbc88f9fb9037b3e913d16f4c3d0505d845debe9664370c358a2b3f168d028

                                                    • C:\windows\system32\h920ln.exe

                                                      Filesize

                                                      4KB

                                                      MD5

                                                      d6e8d40dea2f1294bd6a69dd33fc2d5e

                                                      SHA1

                                                      9cc3ea5b85eb704884d3e6240ac7cbfa09931f6d

                                                      SHA256

                                                      cddcc18dc13728fc9efe21f4582986f673d85e599f33e668044ff3561aaa3b51

                                                      SHA512

                                                      590b7fdedf12d003b3dc600eb231cdc3fbaf4469829f91bbafb4c90246559799b9456f71b8679e3847f46d565357a14219cb6f16e39c8c904f3ae7f9f8981b96

                                                    • \??\c:\Users\Admin\AppData\Local\Temp\np3t35wr\np3t35wr.0.cs

                                                      Filesize

                                                      366B

                                                      MD5

                                                      ea3f67482c8c086f455885010acbf653

                                                      SHA1

                                                      2b885603892c632065fe0131eb857bcdbf3e4162

                                                      SHA256

                                                      b1dbea7730031fb96eb76e037d7a93689ee8de7e2b5dc0bde4982f5d06b4e7e8

                                                      SHA512

                                                      324cd127dad1c0c59de390b5b1a5f40a3da09ac3e425517bbf6fe225a3de351f00c34c9a307bbde33decd53427eaf66c737369812044244145156223f8c372a0

                                                    • \??\c:\Users\Admin\AppData\Local\Temp\np3t35wr\np3t35wr.cmdline

                                                      Filesize

                                                      235B

                                                      MD5

                                                      71269e923c78c8975542806a6e844b52

                                                      SHA1

                                                      91ea46a4c516be9433fb3cac6adb60ea2cbf8642

                                                      SHA256

                                                      f3a8987d0373b9f7659eb7cbb7ca3c4c9a9ba0ffcaf2f129eee079a6d3b92b54

                                                      SHA512

                                                      18f03b6063f98c2acc296ee4ac1515994f329ef67baf26d80bbb7ea5a0174f3660808c18318a9aa0e7c2061c0350b9ff7deecb91f5a39b62c86c48a1d60abdad

                                                    • \??\c:\Windows\System32\CSC2A8C58511EB844FF85F19FD22CD7530.TMP

                                                      Filesize

                                                      1KB

                                                      MD5

                                                      acf0a5c902f3dd3bd7790cdb4484d7b3

                                                      SHA1

                                                      cdebcde6ce451177576b39f24e62b134678daf75

                                                      SHA256

                                                      30a40cd52450f1fc314048db7431d96464002bfa5a204d1969c6b563c4715622

                                                      SHA512

                                                      9559b21b7acb3ed32bba7556a7c68b034a2e9f784bd818d5731cff6c54d81f954d5babf71d2264a82fe463f1314e36e0e227a63a63cc68a00c3fe6d3b2a66fe8
