Overview

overview

10

Static

static

10

Solara.exe

windows7-x64

10

Solara.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    30-08-2024 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Solara.exe

  • Size

    1005KB

  • MD5

    d1a6835f7934684efb8df6b6f2d8a9df

  • SHA1

    56f4e81d4663181f139e5b7b165e41611cbcc472

  • SHA256

    2b0521e21f41e110682b1871824451a9826a4ff2f5691d4e25186b36b0294146

  • SHA512

    c9e0557c3251c7a5d805c6e4047cee99949dab9a702e4e076e4ec0d9f0969b0210f4ca29c36ea7b4e15c43a70c7c076c0718df1b72bac057b2af7f3605f5908d

  • SSDEEP

    12288:xE5dY26i2vTGY1Dg6x7L1uq2/OBPQu43D8fPVle8IoaBcHl8ANTSwAlZw:x2r2yAPC8eRBcHl8gTSHXw

Score
10/10
44caliberxwormcredential_accessdiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1244807698026070016/Tfzk-_b80yPKERHasgSCWK64Pdjux3P8VTHXs1cSWpKcLSUecUTjKHtLyEEhA8jsiCW-

Extracted

Family

xworm

C2

grand-herbal.gl.at.ply.gg:53590

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Windows32.exe

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Detect Xworm Payload 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 44 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha — êîïèÿ.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha — êîïèÿ.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2092 -s 1196
        3⤵
          PID:2896
      • C:\Users\Admin\AppData\Local\Temp\CheatHoursEatsArtTool.exe
        "C:\Users\Admin\AppData\Local\Temp\CheatHoursEatsArtTool.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2356
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CheatHoursEatsArtTool.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1916
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CheatHoursEatsArtTool.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1248
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows32.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1016
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows32.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1524
      • C:\Users\Admin\AppData\Local\Temp\Client.exe
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\system32\CMD.exe
          "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "USER OOBE BROKER" /tr "C:\Windows\Sub\xdwdClient.exe" & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "USER OOBE BROKER" /tr "C:\Windows\Sub\xdwdClient.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2992
        • C:\Windows\system32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1268
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2016
        • C:\Windows\system32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows32" /tr "C:\Windows\Sub\xdwdWatchDog.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2000
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo 5 /tn "Windows32" /tr "C:\Windows\Sub\xdwdWatchDog.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            • Suspicious behavior: EnumeratesProcesses
            PID:1456
        • C:\Windows\system32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:612
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            • Suspicious behavior: EnumeratesProcesses
            PID:2220
        • C:\Windows\system32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2396
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            • Suspicious behavior: EnumeratesProcesses
            PID:2972
        • C:\Windows\system32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2052
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            • Suspicious behavior: EnumeratesProcesses
            PID:2096
        • C:\Windows\system32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
          3⤵
            PID:2484
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2636
          • C:\Windows\system32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
            3⤵
              PID:1972
              • C:\Windows\system32\schtasks.exe
                SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                4⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2512
            • C:\Windows\system32\CMD.exe
              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
              3⤵
                PID:1828
                • C:\Windows\system32\schtasks.exe
                  SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                  4⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1604
              • C:\Windows\system32\CMD.exe
                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                3⤵
                  PID:1900
                  • C:\Windows\system32\schtasks.exe
                    SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                    4⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2148
                • C:\Windows\system32\CMD.exe
                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                  3⤵
                    PID:960
                    • C:\Windows\system32\schtasks.exe
                      SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                      4⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:2464
                  • C:\Windows\system32\CMD.exe
                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                    3⤵
                      PID:792
                      • C:\Windows\system32\schtasks.exe
                        SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                        4⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:1688
                    • C:\Windows\system32\CMD.exe
                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                      3⤵
                        PID:1076
                        • C:\Windows\system32\schtasks.exe
                          SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                          4⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:1772
                      • C:\Windows\system32\CMD.exe
                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                        3⤵
                          PID:1412
                          • C:\Windows\system32\schtasks.exe
                            SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                            4⤵
                            • Scheduled Task/Job: Scheduled Task
                            PID:1556
                        • C:\Windows\system32\CMD.exe
                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                          3⤵
                            PID:2008
                            • C:\Windows\system32\schtasks.exe
                              SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                              4⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:2104
                          • C:\Windows\system32\CMD.exe
                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                            3⤵
                              PID:2832
                              • C:\Windows\system32\schtasks.exe
                                SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                4⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:2684
                            • C:\Windows\system32\CMD.exe
                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                              3⤵
                                PID:1664
                                • C:\Windows\system32\schtasks.exe
                                  SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                  4⤵
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1200
                              • C:\Windows\system32\CMD.exe
                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                3⤵
                                  PID:2032
                                  • C:\Windows\system32\schtasks.exe
                                    SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                    4⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2680
                                • C:\Windows\system32\CMD.exe
                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                  3⤵
                                    PID:2200
                                    • C:\Windows\system32\schtasks.exe
                                      SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                      4⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2232
                                  • C:\Windows\system32\CMD.exe
                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                    3⤵
                                      PID:1860
                                      • C:\Windows\system32\schtasks.exe
                                        SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                        4⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1528
                                    • C:\Windows\system32\CMD.exe
                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                      3⤵
                                        PID:1452
                                        • C:\Windows\system32\schtasks.exe
                                          SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                          4⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:296
                                      • C:\Windows\system32\CMD.exe
                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                        3⤵
                                          PID:844
                                          • C:\Windows\system32\schtasks.exe
                                            SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                            4⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2380
                                        • C:\Windows\system32\CMD.exe
                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                          3⤵
                                            PID:1556
                                            • C:\Windows\system32\schtasks.exe
                                              SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                              4⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1412
                                          • C:\Windows\system32\CMD.exe
                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                            3⤵
                                              PID:2408
                                              • C:\Windows\system32\schtasks.exe
                                                SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                4⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2824
                                            • C:\Windows\system32\CMD.exe
                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                              3⤵
                                                PID:2484
                                                • C:\Windows\system32\schtasks.exe
                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                  4⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:876
                                              • C:\Windows\system32\CMD.exe
                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                3⤵
                                                  PID:1612
                                                  • C:\Windows\system32\schtasks.exe
                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                    4⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1440
                                                • C:\Windows\system32\CMD.exe
                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                  3⤵
                                                    PID:2844
                                                    • C:\Windows\system32\schtasks.exe
                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                      4⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2312
                                                  • C:\Windows\system32\CMD.exe
                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                    3⤵
                                                      PID:2996
                                                      • C:\Windows\system32\schtasks.exe
                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                        4⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1212
                                                    • C:\Windows\system32\CMD.exe
                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                      3⤵
                                                        PID:1608
                                                        • C:\Windows\system32\schtasks.exe
                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                          4⤵
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1856
                                                      • C:\Windows\system32\CMD.exe
                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                        3⤵
                                                          PID:2492
                                                          • C:\Windows\system32\schtasks.exe
                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                            4⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:520
                                                        • C:\Windows\system32\CMD.exe
                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                          3⤵
                                                            PID:1112
                                                            • C:\Windows\system32\schtasks.exe
                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                              4⤵
                                                              • Scheduled Task/Job: Scheduled Task
                                                              PID:1772
                                                          • C:\Windows\system32\CMD.exe
                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                            3⤵
                                                              PID:2144
                                                              • C:\Windows\system32\schtasks.exe
                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                                4⤵
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:2960
                                                            • C:\Windows\system32\CMD.exe
                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                              3⤵
                                                                PID:2116
                                                                • C:\Windows\system32\schtasks.exe
                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                                  4⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2416
                                                              • C:\Windows\system32\CMD.exe
                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                                3⤵
                                                                  PID:2648
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                                    4⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2684
                                                                • C:\Windows\system32\CMD.exe
                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                                  3⤵
                                                                    PID:828
                                                                    • C:\Windows\system32\schtasks.exe
                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                                      4⤵
                                                                      • Scheduled Task/Job: Scheduled Task
                                                                      PID:1080
                                                                  • C:\Windows\system32\CMD.exe
                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                                    3⤵
                                                                      PID:1612
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                                        4⤵
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:1028
                                                                    • C:\Windows\system32\CMD.exe
                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                                      3⤵
                                                                        PID:2308
                                                                        • C:\Windows\system32\schtasks.exe
                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                                          4⤵
                                                                          • Scheduled Task/Job: Scheduled Task
                                                                          PID:2784
                                                                      • C:\Windows\system32\CMD.exe
                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                                        3⤵
                                                                          PID:2928
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                                            4⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:2324
                                                                        • C:\Windows\system32\CMD.exe
                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                                          3⤵
                                                                            PID:2188
                                                                            • C:\Windows\system32\schtasks.exe
                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                                              4⤵
                                                                              • Scheduled Task/Job: Scheduled Task
                                                                              PID:3060
                                                                          • C:\Windows\system32\CMD.exe
                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                                            3⤵
                                                                              PID:1568
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                                                4⤵
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:1496
                                                                            • C:\Windows\system32\CMD.exe
                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                                              3⤵
                                                                                PID:3028
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                                                  4⤵
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:2272
                                                                              • C:\Windows\system32\CMD.exe
                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                                                3⤵
                                                                                  PID:2396
                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                                                    4⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:576
                                                                                • C:\Windows\system32\CMD.exe
                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                                                  3⤵
                                                                                    PID:2080
                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                                                      4⤵
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:2412
                                                                                  • C:\Windows\system32\CMD.exe
                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit
                                                                                    3⤵
                                                                                      PID:3052
                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST
                                                                                        4⤵
                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                        PID:2540

                                                                                Network

                                                                                MITRE ATT&CK Enterprise v15

                                                                                Reconnaissance

                                                                                Resource Development

                                                                                Initial Access

                                                                                Execution

                                                                                Command and Scripting Interpreter

                                                                                1
                                                                                T1059

                                                                                PowerShell

                                                                                1
                                                                                T1059.001

                                                                                Scheduled Task/Job

                                                                                1
                                                                                T1053

                                                                                Scheduled Task

                                                                                1
                                                                                T1053.005

                                                                                Persistence

                                                                                Boot or Logon Autostart Execution

                                                                                2
                                                                                T1547

                                                                                Registry Run Keys / Startup Folder

                                                                                1
                                                                                T1547.001

                                                                                Winlogon Helper DLL

                                                                                1
                                                                                T1547.004

                                                                                Event Triggered Execution

                                                                                1
                                                                                T1546

                                                                                AppInit DLLs

                                                                                1
                                                                                T1546.010

                                                                                Scheduled Task/Job

                                                                                1
                                                                                T1053

                                                                                Scheduled Task

                                                                                1
                                                                                T1053.005

                                                                                Privilege Escalation

                                                                                Boot or Logon Autostart Execution

                                                                                2
                                                                                T1547

                                                                                Registry Run Keys / Startup Folder

                                                                                1
                                                                                T1547.001

                                                                                Winlogon Helper DLL

                                                                                1
                                                                                T1547.004

                                                                                Event Triggered Execution

                                                                                1
                                                                                T1546

                                                                                AppInit DLLs

                                                                                1
                                                                                T1546.010

                                                                                Scheduled Task/Job

                                                                                1
                                                                                T1053

                                                                                Scheduled Task

                                                                                1
                                                                                T1053.005

                                                                                Defense Evasion

                                                                                Modify Registry

                                                                                2
                                                                                T1112

                                                                                Credential Access

                                                                                Credentials from Password Stores

                                                                                1
                                                                                T1555

                                                                                Credentials from Web Browsers

                                                                                1
                                                                                T1555.003

                                                                                Unsecured Credentials

                                                                                2
                                                                                T1552

                                                                                Credentials In Files

                                                                                2
                                                                                T1552.001

                                                                                Discovery

                                                                                Query Registry

                                                                                1
                                                                                T1012

                                                                                System Information Discovery

                                                                                1
                                                                                T1082

                                                                                System Location Discovery

                                                                                1
                                                                                T1614

                                                                                System Language Discovery

                                                                                1
                                                                                T1614.001

                                                                                Lateral Movement

                                                                                Collection

                                                                                Data from Local System

                                                                                2
                                                                                T1005

                                                                                Command and Control

                                                                                Exfiltration

                                                                                Impact

                                                                                Replay Monitor

                                                                                Loading Replay Monitor...

                                                                                Downloads

                                                                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                  Filesize

                                                                                  622KB

                                                                                  MD5

                                                                                  0c60ae033287897dee241499959d6f9b

                                                                                  SHA1

                                                                                  1aa25223f25e9bde0a7972e00de2e4156d9a2644

                                                                                  SHA256

                                                                                  d89ffad749623a054365e9ed891a4518baa785b639e334e6064c7a2d510e5705

                                                                                  SHA512

                                                                                  cf0e2e22a3126c37a78a0037508a89d5365c50959237a426ffe49b85077e15642fe9b51dc4b63efab9d2c7958d57da5dd6467b2c548a26321f12104ca71766f5

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                                                  Filesize

                                                                                  7KB

                                                                                  MD5

                                                                                  ac8fdd27bb6babd9568bc51d67fdbbf4

                                                                                  SHA1

                                                                                  2f0190e06c1327d41bc8cffb9fbfc874a3f693cf

                                                                                  SHA256

                                                                                  e3a801a259496324efb87ed55da15b8411df217072cc1b7a46c6e4e02305f133

                                                                                  SHA512

                                                                                  a9020cf0da804cae0fb5a4548a8540b4dfcbf031f3acae2612986476d5bcce8d74d51ecd4cfa81850a31265c50f155e6f8d6ece3212c3fe3650b59330646f713

                                                                                  Download Submit

                                                                                • C:\Windows\xdwd.dll
                                                                                  Filesize

                                                                                  136KB

                                                                                  MD5

                                                                                  16e5a492c9c6ae34c59683be9c51fa31

                                                                                  SHA1

                                                                                  97031b41f5c56f371c28ae0d62a2df7d585adaba

                                                                                  SHA256

                                                                                  35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

                                                                                  SHA512

                                                                                  20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

                                                                                  Download Submit

                                                                                • \??\PIPE\srvsvc
                                                                                  MD5

                                                                                  d41d8cd98f00b204e9800998ecf8427e

                                                                                  SHA1

                                                                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                  SHA256

                                                                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                  SHA512

                                                                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                  Download Submit

                                                                                • \Users\Admin\AppData\Local\Temp\CheatHoursEatsArtTool.exe
                                                                                  Filesize

                                                                                  68KB

                                                                                  MD5

                                                                                  c7b96361f8ba66866dc0163b3e9c5b95

                                                                                  SHA1

                                                                                  f3281a8ae74fe88a204c4ccc06b15f9aa8883b81

                                                                                  SHA256

                                                                                  35c7b404d93b655e448ce97ea69022e79f2c61cda09810323405f7050b11f42a

                                                                                  SHA512

                                                                                  d9f49b8a8d8e92e7c6b6cd291f0eb53d81a8708711609f3fd2efdae8e378b4356003c21081d980f34b4332c0e8a04bd38783d1ef966dd8232f386ab748aef404

                                                                                  Download Submit

                                                                                • \Users\Admin\AppData\Local\Temp\Nursultan Alpha — êîïèÿ.exe
                                                                                  Filesize

                                                                                  303KB

                                                                                  MD5

                                                                                  0411aedeb5cb378230fc4736877290ff

                                                                                  SHA1

                                                                                  cbfd99434251f2aceb5e5a9f998a4a170878169a

                                                                                  SHA256

                                                                                  abf52b82f58ff179a83ab0c0dd6762a5512a7d25c126fccb58f8b4628c661b10

                                                                                  SHA512

                                                                                  71c671f4c043aca897b2041ce3709a59cbc2900096d5625081bb029f070f7129d309d8e38ee6cd11b7268e6fbf9a444ee600177ac72c962d849932d9234ff64e

                                                                                  Download Submit

                                                                                • memory/296-609-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/520-858-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/612-128-0x000007FEEF3B0000-0x000007FEEF3D2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/792-357-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/844-633-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/876-723-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/960-319-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1076-380-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1112-893-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1200-496-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1212-802-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1248-57-0x00000000027B0000-0x00000000027B8000-memory.dmp

                                                                                  Filesize

                                                                                  32KB

                                                                                  Download

                                                                                • memory/1248-56-0x000000001B500000-0x000000001B7E2000-memory.dmp

                                                                                  Filesize

                                                                                  2.9MB

                                                                                  Download

                                                                                • memory/1412-660-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1412-413-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1440-746-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1452-611-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1456-119-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1528-576-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1556-662-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1556-412-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1604-272-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1608-836-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1612-747-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1664-497-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1688-352-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1772-891-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1772-379-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1828-273-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1856-831-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1860-577-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1900-296-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/1916-50-0x0000000001D90000-0x0000000001D98000-memory.dmp

                                                                                  Filesize

                                                                                  32KB

                                                                                  Download

                                                                                • memory/1916-49-0x000000001B590000-0x000000001B872000-memory.dmp

                                                                                  Filesize

                                                                                  2.9MB

                                                                                  Download

                                                                                • memory/1972-240-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2008-441-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2032-521-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2052-184-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2092-24-0x0000000001240000-0x0000000001292000-memory.dmp

                                                                                  Filesize

                                                                                  328KB

                                                                                  Download

                                                                                • memory/2096-183-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2104-440-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2116-948-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2144-916-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2148-295-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2200-549-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2220-127-0x000007FEEF3B0000-0x000007FEEF3D2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2232-548-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2312-777-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2356-23-0x00000000013B0000-0x00000000013C8000-memory.dmp

                                                                                  Filesize

                                                                                  96KB

                                                                                  Download

                                                                                • memory/2380-632-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2396-161-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2408-690-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2416-20-0x0000000000400000-0x0000000000503000-memory.dmp

                                                                                  Filesize

                                                                                  1.0MB

                                                                                  Download

                                                                                • memory/2416-947-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2464-318-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2484-725-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2484-217-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2492-859-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2512-239-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2636-216-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2648-971-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2680-520-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2684-463-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2684-970-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2824-689-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2832-464-0x000007FEF1F10000-0x000007FEF1F32000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2844-780-0x000007FEF7D40000-0x000007FEF7D62000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2916-25-0x00000000010A0000-0x0000000001140000-memory.dmp

                                                                                  Filesize

                                                                                  640KB

                                                                                  Download

                                                                                • memory/2960-915-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2972-160-0x000007FEF6A00000-0x000007FEF6A22000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download

                                                                                • memory/2996-803-0x000007FEF6EB0000-0x000007FEF6ED2000-memory.dmp

                                                                                  Filesize

                                                                                  136KB

                                                                                  Download