a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e

Resubmissions

11/09/2024, 19:15

240911-xyhb5axgpl 8

11/09/2024, 19:12

240911-xwla1ayblb 8

Analysis

max time kernel
67s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
Size

1.0MB
MD5

7c3e5f4c1e0e14f51b6f5a19ba6e1bae
SHA1

73745c924a5f61fe1f9e489bbe6534c5c95c2452
SHA256

a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e
SHA512

e1416d9005285894b68aec509fd86ee5b8c320f80da3db8fdd8bce708fd0cd8fff2ce1c6fb9017c359b9169421be28a646f8179b78e79387da18c86d1eb56a5b
SSDEEP

24576:yJeo26y1eqAyY6fNC1TvD3v8BsOQRsnbP5u:K92NC1TLz0bPs

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4040	powershell.exe
2288	powershell.exe
4996	powershell.exe
4692	powershell.exe
3880	powershell.exe
2732	powershell.exe
3468	powershell.exe
1388	powershell.exe
4508	powershell.exe
720	powershell.exe
1784	powershell.exe
1196	powershell.exe
3396	powershell.exe
3192	powershell.exe
1668	powershell.exe
3004	powershell.exe
1844	powershell.exe
408	powershell.exe
4572	powershell.exe
2304	powershell.exe
3688	powershell.exe
1988	powershell.exe
4736	powershell.exe
672	powershell.exe
4472	powershell.exe
4872	powershell.exe
2808	powershell.exe
2644	powershell.exe
3368	powershell.exe
720	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 10 IoCs

pid	Process
3680	Setup.exe
224	Setup.exe
1480	Setup.exe
4380	Setup.exe
4396	Setup.exe
2136	Setup.exe
4596	Setup.exe
1752	Setup.exe
212	Setup.exe
4704	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
4564	3680	WerFault.exe	87
3560	224	WerFault.exe	107
2060	1480	WerFault.exe	121
2564	4380	WerFault.exe	133
3404	4396	WerFault.exe	147
2108	2136	WerFault.exe	159
2436	4596	WerFault.exe	171
4416	1752	WerFault.exe	183
1836	212	WerFault.exe	195
4996	4704	WerFault.exe	207

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1844	powershell.exe
1844	powershell.exe
408	powershell.exe
408	powershell.exe
3880	powershell.exe
3880	powershell.exe
2732	powershell.exe
2732	powershell.exe
2732	powershell.exe
3688	powershell.exe
3688	powershell.exe
3688	powershell.exe
3468	powershell.exe
3468	powershell.exe
4472	powershell.exe
4472	powershell.exe
1388	powershell.exe
1388	powershell.exe
4872	powershell.exe
4872	powershell.exe
4572	powershell.exe
4572	powershell.exe
4508	powershell.exe
4508	powershell.exe
4040	powershell.exe
4040	powershell.exe
2808	powershell.exe
2808	powershell.exe
2288	powershell.exe
2288	powershell.exe
4996	powershell.exe
4996	powershell.exe
1988	powershell.exe
1988	powershell.exe
3368	powershell.exe
3368	powershell.exe
720	powershell.exe
720	powershell.exe
2644	powershell.exe
2644	powershell.exe
672	powershell.exe
672	powershell.exe
3396	powershell.exe
3396	powershell.exe
3192	powershell.exe
3192	powershell.exe
4692	powershell.exe
4692	powershell.exe
2304	powershell.exe
2304	powershell.exe
1784	powershell.exe
1784	powershell.exe
1668	powershell.exe
1668	powershell.exe
3004	powershell.exe
3004	powershell.exe
720	powershell.exe
720	powershell.exe
1196	powershell.exe
1196	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3680	Setup.exe
224	Setup.exe
1480	Setup.exe
4380	Setup.exe
4396	Setup.exe
2136	Setup.exe
4596	Setup.exe
1752	Setup.exe
212	Setup.exe
4704	Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 3680	3836	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	87
PID 3836 wrote to memory of 3680	3836	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	87
PID 3836 wrote to memory of 3680	3836	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	87
PID 3680 wrote to memory of 1996	3680	Setup.exe	89
PID 3680 wrote to memory of 1996	3680	Setup.exe	89
PID 3680 wrote to memory of 1996	3680	Setup.exe	89
PID 1996 wrote to memory of 1844	1996	cmd.exe	91
PID 1996 wrote to memory of 1844	1996	cmd.exe	91
PID 1996 wrote to memory of 1844	1996	cmd.exe	91
PID 3680 wrote to memory of 4548	3680	Setup.exe	97
PID 3680 wrote to memory of 4548	3680	Setup.exe	97
PID 3680 wrote to memory of 4548	3680	Setup.exe	97
PID 4548 wrote to memory of 408	4548	cmd.exe	99
PID 4548 wrote to memory of 408	4548	cmd.exe	99
PID 4548 wrote to memory of 408	4548	cmd.exe	99
PID 3680 wrote to memory of 1796	3680	Setup.exe	100
PID 3680 wrote to memory of 1796	3680	Setup.exe	100
PID 3680 wrote to memory of 1796	3680	Setup.exe	100
PID 1796 wrote to memory of 3880	1796	cmd.exe	102
PID 1796 wrote to memory of 3880	1796	cmd.exe	102
PID 1796 wrote to memory of 3880	1796	cmd.exe	102
PID 3836 wrote to memory of 224	3836	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	107
PID 3836 wrote to memory of 224	3836	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	107
PID 3836 wrote to memory of 224	3836	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	107
PID 224 wrote to memory of 3932	224	Setup.exe	109
PID 224 wrote to memory of 3932	224	Setup.exe	109
PID 224 wrote to memory of 3932	224	Setup.exe	109
PID 224 wrote to memory of 1600	224	Setup.exe	113
PID 224 wrote to memory of 1600	224	Setup.exe	113
PID 224 wrote to memory of 1600	224	Setup.exe	113
PID 1600 wrote to memory of 3688	1600	cmd.exe	115
PID 1600 wrote to memory of 3688	1600	cmd.exe	115
PID 1600 wrote to memory of 3688	1600	cmd.exe	115
PID 224 wrote to memory of 3372	224	Setup.exe	116
PID 224 wrote to memory of 3372	224	Setup.exe	116
PID 224 wrote to memory of 3372	224	Setup.exe	116
PID 3372 wrote to memory of 3468	3372	cmd.exe	118
PID 3372 wrote to memory of 3468	3372	cmd.exe	118
PID 3372 wrote to memory of 3468	3372	cmd.exe	118
PID 3836 wrote to memory of 1480	3836	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	121
PID 3836 wrote to memory of 1480	3836	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	121
PID 3836 wrote to memory of 1480	3836	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	121
PID 1480 wrote to memory of 3976	1480	Setup.exe	122
PID 1480 wrote to memory of 3976	1480	Setup.exe	122
PID 1480 wrote to memory of 3976	1480	Setup.exe	122
PID 3976 wrote to memory of 4472	3976	cmd.exe	124
PID 3976 wrote to memory of 4472	3976	cmd.exe	124
PID 3976 wrote to memory of 4472	3976	cmd.exe	124
PID 1480 wrote to memory of 1288	1480	Setup.exe	125
PID 1480 wrote to memory of 1288	1480	Setup.exe	125
PID 1480 wrote to memory of 1288	1480	Setup.exe	125
PID 1288 wrote to memory of 1388	1288	cmd.exe	127
PID 1288 wrote to memory of 1388	1288	cmd.exe	127
PID 1288 wrote to memory of 1388	1288	cmd.exe	127
PID 1480 wrote to memory of 3640	1480	Setup.exe	128
PID 1480 wrote to memory of 3640	1480	Setup.exe	128
PID 1480 wrote to memory of 3640	1480	Setup.exe	128
PID 3640 wrote to memory of 4872	3640	cmd.exe	130
PID 3640 wrote to memory of 4872	3640	cmd.exe	130
PID 3640 wrote to memory of 4872	3640	cmd.exe	130
PID 3836 wrote to memory of 4380	3836	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	133
PID 3836 wrote to memory of 4380	3836	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	133
PID 3836 wrote to memory of 4380	3836	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	133
PID 4380 wrote to memory of 264	4380	Setup.exe	134

C:\Users\Admin\AppData\Local\Temp\a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
"C:\Users\Admin\AppData\Local\Temp\a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 840
    3⤵
    - Program crash
    PID:4564
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3932
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1428
    3⤵
    - Program crash
    PID:3560
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1484
    3⤵
    - Program crash
    PID:2060
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4908
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4840
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1468
    3⤵
    - Program crash
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1288
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3808
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1540
    3⤵
    - Program crash
    PID:3404
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4424
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1416
    3⤵
    - Program crash
    PID:2108
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1424
    3⤵
    - Program crash
    PID:2436
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4988
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 744
    3⤵
    - Program crash
    PID:4416
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:216
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3184
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4840
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1524
    3⤵
    - Program crash
    PID:1836
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4492
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3512
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1432
    3⤵
    - Program crash
    PID:4996
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3680 -ip 3680
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 224 -ip 224
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1480 -ip 1480
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4380 -ip 4380
1⤵
PID:4848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4396 -ip 4396
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2136 -ip 2136
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4596 -ip 4596
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1752 -ip 1752
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 212 -ip 212
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4704 -ip 4704
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0de98e0c2eb89658f795fb65354562d4

SHA1
7516ab57c360d9dba5581c272fe8fbda1ab77a19

SHA256
be0d5d47015011edbe09505e2670e275718d66614c1a7ea9a88d6bea9d1db371

SHA512
2a1e4c192e1efca62d35bb5cede7269335536ae966a5bff11a3ed52dd88954ef38025f8a8ce708e4313ee943b1feffc5abbc739bb3df003c52bd4f7610427147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8f9636234d1a9a5b45e1affb69ab0b39

SHA1
a9c94035ba5a21df2b5cc9fbabdaca05001614f1

SHA256
d3ffe7db6bd4dba22eae50412f6c7848c01629bc55ec02393b67f35fd78cf884

SHA512
db439c8303fd7e3f46ef73df4eaf9b61fa92d4c479bb112a9260999cf651fb7524cde202c58e3f39280085c181b68daeba754f53c0e8cd0615ce1b45946c3863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fc17bbe88ff385ce4357d99ec3be1099

SHA1
3b2f2227b7d4e40bfdea4e0fc6bfd660141028b4

SHA256
01bb34b8316d8b6fe3364abc9f659c8b406429de758e125e50ce72c226122f6a

SHA512
da5e58023fee557ab272026311ac895249853129b983bf12a763b551c79c0ba80348bee249998300f3a788fea05468d6c30fc28196c7a7768f5ca3dae1b74109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
75738fe87602a6b0285eaab68f28a44b

SHA1
faa593fc36e22857fd0214ad78ec51c444d26357

SHA256
00806ea9c5cbdb87a8baadc2fc247c129e87821b3aca99b66733f6a841c2bfe3

SHA512
9a0bb1e8a11661f94343aafdb7e6a9a67ab0a53a54c45f646c9dfa61d34cf37e676e34a6640195d81e0085261e0b0179c3e6a16f19e10bdfd7f05e323df01fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a52f2d1315a21d92d3b931704e7b8b6e

SHA1
882b0895d188387b8ff8165ac3ab6f553244925c

SHA256
53db0569dfb60cd326a58f616caa4ed1cb32a76db89e6c80817a09969a2ee984

SHA512
0b6ac74d012e553b77984bf4b9ca5670c5ebb2b4a507ce46e273e0c49707b50a0dde1874e80ad23d3b5e35fc538f8846b1f0cc7679f0be8b7b9bc3dc6b24058b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
26170901db786eab18fb37e84398d4f4

SHA1
3fdf5d39b6dd1d52096e171ceea8386590106e17

SHA256
a2b5b04de91e338dbc19cc6d08c9c06a49c486fa905830d0cf54fb9b336d2182

SHA512
d8c4adca272ea7ce32e5c034ee33e66f62f5534aa5a54cbd80bbbef141376d0a59463d8c33bc27f714548bdd74290b8ba3e37a1b24b73e32cbaa2d2ef9c4bf41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c310b90fad74a8584316a56ba96325b0

SHA1
aeda9ef9de4ce09740bfa88af095f7ab563df099

SHA256
708239b6c0ca1662f888c9d3c0c29ed4ecefa6e3ae04301f9360284f3611ab73

SHA512
804e67399185f08e13a975c674c81e6aaf9ec687adebdb87ab703d7eb1f97f758d1380a6af76484d953d5f61720fd7b4ff2adc9bb314a510dd7c1765335cb59a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e782086f12f72cb5cf9a8437b9f66bae

SHA1
5df2ecc5af5a2acc62e4269a13451be623b79d0a

SHA256
b93a4f01ef25b80cb15ad15e3bf0a92089a1d102999ab5717ad103c9735560c7

SHA512
555ac457b6daf342530e7e31f2444db560ccda906ee46176b3fbc5e8c870f88a770188a3df5415705d48c902fda43bfdeec67e90b62384afcc54be67039131aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
99e3e264ade95011e590c4f812355fea

SHA1
6465c5092b5b3a2459201ddc208b7f2fc9ca59b0

SHA256
02be6836ac3352563405177997ae5b3e4d821d3005a357b6e555324b8398a88a

SHA512
3b90a65642595ba901dc09189a692c4b4f55c711c2d58fe6b1d5764d03337aed8f3fb24f0cd9a1704e170ffe8203c81951b1902b235f6425bff6d9ef494d5f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b9f01494d21885e8241f9060ce0c41c7

SHA1
33e17cded67da70584f3abcbc8f83be1440ca29e

SHA256
779a0d90e039f37e6bc9d1a8147e54d1befc612cd3044c9e57de2dbf2e3a4c36

SHA512
0a28ddafb9f946b128b5cf3b9845138f01bef54683034abd33a62c001853c6d5cf36be2eafc5a13885de8ce6dea94f1701156409b1b5386a99a83777078edd32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1ce1e8903ee905ad7dcc146e4e2d187a

SHA1
b71a77f32a3b24e8f122d367cbab1705be2ea826

SHA256
e5761c6452d89cae00946758c82af163a35f7f2f7d72d1bf78ca1ebcf0b5f603

SHA512
e084d3ecf76726e055e2feca89adac6d38313f972f4d3e09d8d8dcfa2c1b15dfbc526f3435328b90b33a3048f676b4e403f0968ab445592ca5b5716e3121cd02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8e46d26ce06227723bdebc8d4a7257d7

SHA1
8958faf8a481c52e82766f12fff105ded3311db3

SHA256
16a320169e6ac7c6d2626746b24c0800d6650cad24685acdf3a794676f10bb38

SHA512
cadc33f6e5ccbf33f6418ae2cf799424b91cde27fba89fced632deee30d8d46cc0f241129a75c9b3d38e0bf472d4b5b8ae93940e5c34391bd6a5c7aa96f90dcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
328af62a226763cd8b264bbb0129f783

SHA1
21482fd25395c8eb095d9e8d2324623fab862f4b

SHA256
943918e6137b8f12b57ff95a13b6cf1e23e5e20664b4d24a9397a9d1212c426c

SHA512
c2c6cab01a83348ca6885dc611613588c3d093716565c732a92c913e202bf5c76e742b011b78a1a98ac6e442880dd699e48ba7e16c2617ebdd1fb0874cbcbf02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
06279109d20cf4f058ad708ace0e2320

SHA1
a4260cac79572cdc41718fe9535cf0a7e83aaeb4

SHA256
ae986332a64274c52d2c07bb28e17dbbbe4722e1315cf8430cf2a15692a19637

SHA512
d6af10103963228918aab232531c8b28b880dee83a19a0fb40edd77fc31461fd367efb9d2d3d144af1e2fa10a624afcda919e2051de4a7bb4dd50d88b36b2322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cad233bad43d4cbf9eefe98174e85826

SHA1
36ece5f74ce9d88949d01d6f70a2f6feea51a330

SHA256
229b545d1b4745b273796ea110c669705e3daf9ccbe94c559f5c70adf651037f

SHA512
1748e753ad5f49bceac2a50804e2911d4b81a3b009615db093d0e2ede96adbe2a2efae8b3e3d06ae3dec09347213a51d958d2177f61617bb8d8a208027f9d4e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1f342c23e3252269f7d01e47dce94524

SHA1
c8fa08b25603e3b7854c3125e0c0d676d4d914e7

SHA256
7dbe476c0b7327115a61d33f01f6ffb0f1f0d56b854aa1b75d1a719fddb05c05

SHA512
aafbbd6c2e749939f1668525b4abc1b2f56398ea938d4149729448dc9c821b648a8f44709e55db3e1671997c73d0ce95914b81b0a4c742568aa9f43bebdfb611

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
54ccb09e83033cbb554f91dff101b803

SHA1
34b5a2d82ac1e14aeb6aee792b4474015891c33f

SHA256
9ccc93b88da304dedc8648911e183a75c174ca09ead1cb2e4911371f54fcfa9f

SHA512
a8de5a6dd9bef132bb14e830a0642dcf1864e78294360eb056e45ab788a4849746c3bfb92bb9b703ba56782fbc1aa986c29fdf9f26f00705087ff30137b3173b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7e19ae0fb3e527f6674983027aa38f80

SHA1
2551aef3ae4b4d1eadf4270075ba015f48bfee63

SHA256
9a46dc080593f35c738cffbab9974e93138e2d32b2ee5503e4bb1884c6017f79

SHA512
ea634918b429a18360db9fbdfc097c2a60c537c1f0d254f9cf5f47e865ecc94213c28669e45d0be99820d2fb9daa932ccce007116aa805e30670ab8626ff8df5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
aa5c5d5786c7fa629d04b81468243e43

SHA1
c7b3d35e7852def2e050e6c1c10ce52a9a04f6cb

SHA256
dcd84e096df22a10adf87fd91c42d6d2af1b4ec34ab6fa5740165c453c9d87f9

SHA512
1e571033370b61950372b268ac5223095523ed86d0a077e838a1f892c6fb870efae625450a0f37222e337687478aec9ef37da4a7c9350a68c91f5927538f6272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
739a86a01cbd96ee7c3f9c6f2a411f39

SHA1
00803776eda76241fbc98cecad5ff43bc5435235

SHA256
e63815082f92876f0a8dcfe06e49ada6c069b1b51f0923beb3f84d61fbfb69a5

SHA512
2e66d33a8679870be9f4992864bbf77bea2e178ab562512e4b3eca28b9d8ce0f6721e0d1c17673d86fcb8eac21019128db93a7f115b62ea5eff95a7e2739be01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
93be5da021ece9db10f8bba749e018c3

SHA1
f02db69ec708992b12c0c074c7d5d2cf4509d708

SHA256
757413f91141f26f0f537f699ca96efc2ed8ab8a5e10f953acc3ac8c96827642

SHA512
89bb6561587c4e568d586fd3e50f8cc8324e20afaedcf8a230f89aa826abfaa1a617e55bc8d9a3b4424329bcc1d70990202fd727627e14c899c9f332296e900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4bdc8efacd01aef8c46d417b30375288

SHA1
6f55394ed16f1f5c9f2b569bb29d002f856dcdb6

SHA256
f65e63c07c3705e2d621dba845bb9ec391c93ebdb7965219048075dbfad4d0a5

SHA512
44f0de0f54eca63af69f09979624517385f095ca571b9d9c45349795f75e198c09139e0f2d58a5b1a0b2f424731b5b59f189807f0a456eeb9d5c3ce32dda6e90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f7bcf0f1fbf327efa5d075cf37754724

SHA1
508708a6667166c6477a53853bb65c05f9865dbb

SHA256
35f8b3ed55e05697a0f65a18625b862af016db7b63b4193da2c9aac270b1728c

SHA512
e17c901c09f22f46673dba339f8317ec811f6858d4e5bab838deb1768032d1ef2da3423beaff7ef40111e5e575c1de9935ceefa2b98390660f423e1dc80c88d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3eac8493e3c0957b17fae3587ca9aee0

SHA1
bf2ed1a07721e0095d5ad853def6b8604c2e06c8

SHA256
3f5e636fbc8020c3d8fd7e486594625954c48bacf49b3f1c73a5fe44f090bb54

SHA512
1d35186eafc96dcb5133d60b508875a9639a60637f618e6c33bcad79867513b791f1c09646ab3f3b7c3061c544f703481fd73c1aa8e2d83b46714a04dc1b90ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
207b304cbdf63a93b3eb2e5c4e4777f1

SHA1
25655e6efd818141f7215e089cb8d5fbaac43235

SHA256
b92d02fe3057df1654594275b3d6727827f43d53c5dfca78b47c42255beca00f

SHA512
a0f54ef381e39474de964f56466ae4b8532935fb5419a37230caa2db26d1b1a26f9c36271c833a27000cc4883b9a102687c8619c7dbcfc75609c0375c5625688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ba3f8e61a6973f72c5045e8f88278a2e

SHA1
112e20a68e7e061cfdb6bd71914900ac2841f6dc

SHA256
ad0ab8f6f1656112807f1977f2f37a406ce5b953c773f7419e6fba97584fe4d4

SHA512
124f66104e92a922845c8d8768693761bb47dd80fcbf76dcabb0f60ad90fc55df787798d6b37cad4e9849393a606d8cf684bb977a90cf6159ed72191673cd6ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0a2d5d4470e54f2b341341804fd4d051

SHA1
358e0899d081b5381e685afce3688cc94482ab08

SHA256
b98e8aeff6b1d7a4e416aafd79a3c75c4da6c6ba4e36d5b6b6019ed4a474cb07

SHA512
8eca07d0462e279428557cb31da64cedbe5f7394d1f87bfece35e00be7331d8f990a8283534b1d24e7beb1262559dc3e1fdc916de009ce8085c93a9e129913d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
92d0ceeb9531a4ff18188ab3ede8fa2e

SHA1
558c5982bfde98b2265fc60a298acda232009a68

SHA256
350198346577b5de626f27f580baffcd4e303c29b720bfb7557285988e917bb5

SHA512
d76f90acf5d0812b8f277240442aa23fbd844f65d0215209f21f5d23174e8729c65c928685bb0c5b826b6501ba9740082bffcaec453883f5e8493bd61b9b962a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5de14ee1c10d72033f1ddc21ab02bca8

SHA1
32480378338d22a74f83e7b6760461c98376f447

SHA256
428f5111ab89d395bd1b564b8405634d2142e62b7572d465a7264613796cb957

SHA512
75c7eeb5e056e094bbeb6e92e07d27251d64216fe3f11f78ebe01e41ab27bb0750abcd41eb1788f2a32b960188c6ff649383a2fbfbaf3c1bd9249b8b4d785e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
888KB

MD5
ae9bb8668b8afd40c9305886c6904399

SHA1
810113c11e98789cb607b897a5f144937083d692

SHA256
f80a3287b4e3de00f4b957a0f4e05b9f0aa181268dd041e94610cdac38246718

SHA512
3ac907f4defe0d8b8c37ffee305c13d4340667e2822ff748391121f775732b1d36d73dfd41bec18032ff113a80cad18bc319a0153541af2d8969b2a5aa174623

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wsbia5as.i3o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/408-65-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/408-54-0x00000000058D0000-0x0000000005C24000-memory.dmp

Filesize
3.3MB

Download
memory/672-452-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/720-409-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/720-623-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/1196-643-0x0000000005650000-0x00000000059A4000-memory.dmp

Filesize
3.3MB

Download
memory/1196-645-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/1388-196-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/1668-580-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/1784-559-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/1844-48-0x0000000007C10000-0x0000000007C2A000-memory.dmp

Filesize
104KB

Download
memory/1844-41-0x0000000007F30000-0x00000000085AA000-memory.dmp

Filesize
6.5MB

Download
memory/1844-11-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-12-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-13-0x00000000054C0000-0x00000000054E2000-memory.dmp

Filesize
136KB

Download
memory/1844-14-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/1844-9-0x0000000004FE0000-0x0000000005016000-memory.dmp

Filesize
216KB

Download
memory/1844-15-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/1844-52-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-8-0x0000000073A1E000-0x0000000073A1F000-memory.dmp

Filesize
4KB

Download
memory/1844-49-0x0000000007BF0000-0x0000000007BF8000-memory.dmp

Filesize
32KB

Download
memory/1844-47-0x0000000007B10000-0x0000000007B24000-memory.dmp

Filesize
80KB

Download
memory/1844-10-0x00000000057A0000-0x0000000005DC8000-memory.dmp

Filesize
6.2MB

Download
memory/1844-39-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/1844-25-0x0000000005F40000-0x0000000006294000-memory.dmp

Filesize
3.3MB

Download
memory/1844-40-0x0000000007800000-0x00000000078A3000-memory.dmp

Filesize
652KB

Download
memory/1844-46-0x0000000007B00000-0x0000000007B0E000-memory.dmp

Filesize
56KB

Download
memory/1844-27-0x00000000065E0000-0x000000000662C000-memory.dmp

Filesize
304KB

Download
memory/1844-45-0x0000000007AD0000-0x0000000007AE1000-memory.dmp

Filesize
68KB

Download
memory/1844-29-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/1844-44-0x0000000007B50000-0x0000000007BE6000-memory.dmp

Filesize
600KB

Download
memory/1844-28-0x00000000077C0000-0x00000000077F2000-memory.dmp

Filesize
200KB

Download
memory/1844-43-0x0000000007940000-0x000000000794A000-memory.dmp

Filesize
40KB

Download
memory/1844-42-0x00000000078D0000-0x00000000078EA000-memory.dmp

Filesize
104KB

Download
memory/1844-26-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/1988-367-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/2288-324-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/2304-537-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/2644-431-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/2732-109-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/2732-107-0x00000000056B0000-0x0000000005A04000-memory.dmp

Filesize
3.3MB

Download
memory/2808-303-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/3004-601-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/3192-495-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/3368-388-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/3396-473-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/3468-153-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/3468-147-0x0000000005C50000-0x0000000005FA4000-memory.dmp

Filesize
3.3MB

Download
memory/3688-131-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/3688-129-0x0000000005D10000-0x0000000006064000-memory.dmp

Filesize
3.3MB

Download
memory/3880-86-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/4040-281-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/4472-175-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/4508-260-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/4572-239-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/4692-516-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/4736-666-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/4872-217-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/4996-345-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download