Overview

overview

10

Static

static

3

4363463463...63.exe

windows7-x64

10

4363463463...63.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2024 19:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4363463463464363463463463.exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score
10/10
gurcuphorphiexquasarxmrigoffice04discoveryevasionexecutionloaderminerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.43.241:4782

Mutex

0517af80-95f0-4a6d-a904-5b7ee8faa157

Attributes
  • encryption_key

    6095BF6D5D58D02597F98370DFD1CCEB782F1EDD

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhost

  • subdirectory

    SubDir

Extracted

Family

phorphiex

C2

http://185.215.113.84

Extracted

Family

gurcu

C2

https://api.telegram.org/bot962023231:AAG4by19NbHDMl2hPuMLesCOvrR264-4hSg/sendMessag

Signatures

  • Gurcu family
    gurcu
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Phorphiex family
    phorphiex
  • Phorphiex payload 2 IoCs
  • Phorphiex, Phorpiex

    Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 9 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3420
      • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
        "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4840
        • C:\Users\Admin\AppData\Local\Temp\Files\a.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\a.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1616
          • C:\Windows\sysvplervcs.exe
            C:\Windows\sysvplervcs.exe
            4⤵
            • Modifies security service
            • Windows security bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2900
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2508
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4356
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4160
              • C:\Windows\SysWOW64\sc.exe
                sc stop UsoSvc
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:380
              • C:\Windows\SysWOW64\sc.exe
                sc stop WaaSMedicSvc
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:4084
              • C:\Windows\SysWOW64\sc.exe
                sc stop wuauserv
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:3532
              • C:\Windows\SysWOW64\sc.exe
                sc stop DoSvc
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:3788
              • C:\Windows\SysWOW64\sc.exe
                sc stop BITS /wait
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:3340
            • C:\Users\Admin\AppData\Local\Temp\3128012031.exe
              C:\Users\Admin\AppData\Local\Temp\3128012031.exe
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4852
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                6⤵
                  PID:2996
                  • C:\Windows\system32\reg.exe
                    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                    7⤵
                      PID:4752
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
                    6⤵
                      PID:2968
                      • C:\Windows\system32\schtasks.exe
                        schtasks /delete /f /tn "Windows Upgrade Manager"
                        7⤵
                          PID:60
                    • C:\Users\Admin\AppData\Local\Temp\268503295.exe
                      C:\Users\Admin\AppData\Local\Temp\268503295.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3076
                    • C:\Users\Admin\AppData\Local\Temp\343428296.exe
                      C:\Users\Admin\AppData\Local\Temp\343428296.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3248
                      • C:\Users\Admin\AppData\Local\Temp\2320621725.exe
                        C:\Users\Admin\AppData\Local\Temp\2320621725.exe
                        6⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2344
                    • C:\Users\Admin\AppData\Local\Temp\1527319664.exe
                      C:\Users\Admin\AppData\Local\Temp\1527319664.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3464
                • C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe
                  "C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2664
                  • C:\Windows\sysppvrdnvs.exe
                    C:\Windows\sysppvrdnvs.exe
                    4⤵
                    • Modifies security service
                    • Windows security bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Windows security modification
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: SetClipboardViewer
                    • Suspicious use of WriteProcessMemory
                    PID:4344
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                      5⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:4624
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1588
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
                      5⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:4776
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop UsoSvc
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:3464
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop WaaSMedicSvc
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:3904
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop wuauserv
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:4812
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop DoSvc
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:4260
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop BITS /wait
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:3692
                • C:\Users\Admin\AppData\Local\Temp\Files\discord.exe
                  "C:\Users\Admin\AppData\Local\Temp\Files\discord.exe"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4580
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    4⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2396
                  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:4172
                    • C:\Windows\SYSTEM32\schtasks.exe
                      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                      5⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:4732
                • C:\Users\Admin\AppData\Local\Temp\Files\svhostc.exe
                  "C:\Users\Admin\AppData\Local\Temp\Files\svhostc.exe"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  PID:1812
                  • C:\Users\Admin\AppData\Local\Temp\Files\svhostc.exe
                    "C:\Users\Admin\AppData\Local\Temp\Files\svhostc.exe"
                    4⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • System Location Discovery: System Language Discovery
                    PID:4324
                • C:\Users\Admin\AppData\Local\Temp\Files\major.exe
                  "C:\Users\Admin\AppData\Local\Temp\Files\major.exe"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3256
                • C:\Users\Admin\AppData\Local\Temp\Files\jet.exe
                  "C:\Users\Admin\AppData\Local\Temp\Files\jet.exe"
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  PID:4584
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm
                    4⤵
                    • Enumerates system info in registry
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:2692
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8143846f8,0x7ff814384708,0x7ff814384718
                      5⤵
                        PID:452
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,12801162883592728472,17985787077377204518,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
                        5⤵
                          PID:3944
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,12801162883592728472,17985787077377204518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
                          5⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4008
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,12801162883592728472,17985787077377204518,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
                          5⤵
                            PID:448
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12801162883592728472,17985787077377204518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
                            5⤵
                              PID:540
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12801162883592728472,17985787077377204518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                              5⤵
                                PID:3256
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12801162883592728472,17985787077377204518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
                                5⤵
                                  PID:4548
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12801162883592728472,17985787077377204518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
                                  5⤵
                                    PID:1588
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,12801162883592728472,17985787077377204518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
                                    5⤵
                                      PID:4944
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,12801162883592728472,17985787077377204518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
                                      5⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:1308
                                • C:\Users\Admin\AppData\Local\Temp\Files\hashed.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Files\hashed.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:824
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
                                2⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3788
                              • C:\Windows\System32\schtasks.exe
                                C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
                                2⤵
                                  PID:3920
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
                                  2⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:456
                                • C:\Windows\System32\conhost.exe
                                  C:\Windows\System32\conhost.exe
                                  2⤵
                                    PID:1232
                                  • C:\Windows\System32\dwm.exe
                                    C:\Windows\System32\dwm.exe
                                    2⤵
                                      PID:5016
                                  • C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
                                    "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
                                    1⤵
                                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:4240
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:4240
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:3264

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Reconnaissance

                                      Resource Development

                                      Initial Access

                                      Execution

                                      Command and Scripting Interpreter

                                      1
                                      T1059

                                      PowerShell

                                      1
                                      T1059.001

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      System Services

                                      1
                                      T1569

                                      Service Execution

                                      1
                                      T1569.002

                                      Persistence

                                      Boot or Logon Autostart Execution

                                      1
                                      T1547

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1547.001

                                      Create or Modify System Process

                                      2
                                      T1543

                                      Windows Service

                                      2
                                      T1543.003

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Privilege Escalation

                                      Boot or Logon Autostart Execution

                                      1
                                      T1547

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1547.001

                                      Create or Modify System Process

                                      2
                                      T1543

                                      Windows Service

                                      2
                                      T1543.003

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Defense Evasion

                                      Impair Defenses

                                      3
                                      T1562

                                      Disable or Modify Tools

                                      2
                                      T1562.001

                                      Modify Registry

                                      4
                                      T1112

                                      Credential Access

                                      Discovery

                                      Browser Information Discovery

                                      1
                                      T1217

                                      Query Registry

                                      3
                                      T1012

                                      System Information Discovery

                                      3
                                      T1082

                                      System Location Discovery

                                      1
                                      T1614

                                      System Language Discovery

                                      1
                                      T1614.001

                                      Lateral Movement

                                      Collection

                                      Command and Control

                                      Web Service

                                      1
                                      T1102

                                      Exfiltration

                                      Impact

                                      Service Stop

                                      1
                                      T1489

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                        Filesize

                                        3KB

                                        MD5

                                        fee026663fcb662152188784794028ee

                                        SHA1

                                        3c02a26a9cb16648fad85c6477b68ced3cb0cb45

                                        SHA256

                                        dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

                                        SHA512

                                        7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                        Filesize

                                        2KB

                                        MD5

                                        968cb9309758126772781b83adb8a28f

                                        SHA1

                                        8da30e71accf186b2ba11da1797cf67f8f78b47c

                                        SHA256

                                        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                        SHA512

                                        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                        Filesize

                                        152B

                                        MD5

                                        a0486d6f8406d852dd805b66ff467692

                                        SHA1

                                        77ba1f63142e86b21c951b808f4bc5d8ed89b571

                                        SHA256

                                        c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

                                        SHA512

                                        065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                        Filesize

                                        152B

                                        MD5

                                        dc058ebc0f8181946a312f0be99ed79c

                                        SHA1

                                        0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

                                        SHA256

                                        378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

                                        SHA512

                                        36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        5KB

                                        MD5

                                        9a7642fb3e0fc01ecfe8ee17520e12c6

                                        SHA1

                                        ac27a49ab5066ef7bc5de2506f7d1dcf07d6b7df

                                        SHA256

                                        50aabc17b22a07025de31adc879457aff39dbc1aa0cac1982f3a38934222b6ac

                                        SHA512

                                        304da124d80d91da0b13f67265a6ff40e90056b445a30678280446dcfdc2e62b1ca8afcfd8434ee8b2a3c29b370946e6a9a16f6bedd4266bec393a4f166c02fc

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                        Filesize

                                        16B

                                        MD5

                                        6752a1d65b201c13b62ea44016eb221f

                                        SHA1

                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                        SHA256

                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                        SHA512

                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        1KB

                                        MD5

                                        d95b08252ed624f6d91b46523f110f29

                                        SHA1

                                        17577997bc1fb5d3fbe59be84013165534415dc3

                                        SHA256

                                        342ce7c39bf9992d31d4b61ef138b2b084c96c74736ed00bb19aae49be16ca02

                                        SHA512

                                        0c4288176d56f4ee6d8f08f568fba07ad859f50a395c39d2afd3baf55d3d29ca065a1ce305d1bd790477c35977c0ffa230543e805622f80a77bcee71b24eb257

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        18KB

                                        MD5

                                        0b7a6bcc836660d7d84d2602e864de68

                                        SHA1

                                        144ead208e00b1114c2e2358bf7be3cc1324a22e

                                        SHA256

                                        719e424097ae41dcc47bb8210bb379bcfa95aa249c6df234560422297417235a

                                        SHA512

                                        3fede5a8fe457788b7ecfca890a8241d19fa31222ed000edb5e21eb9e3599084e629a441169abb4b1e0a592849fc8d7e8b37e6733709eb684f4c4e689989c99c

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\1466722408.exe
                                        Filesize

                                        108KB

                                        MD5

                                        1fcb78fb6cf9720e9d9494c42142d885

                                        SHA1

                                        fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

                                        SHA256

                                        84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

                                        SHA512

                                        cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\1527319664.exe
                                        Filesize

                                        13KB

                                        MD5

                                        5a0d146f7a911e98da8cc3c6de8acabf

                                        SHA1

                                        4ec56b14a08c897a5e9e85f5545b6c976a0be3c1

                                        SHA256

                                        bf61e77b7c49ce3346a28d8bc084c210618ea6ec5f3cfa9ae8f4aa4d64e145f1

                                        SHA512

                                        6d1526a5f467535d51b7f9b3a7af2d54512526e2523e3048082277b83b6e1a1f0d7e3c617405898f240ae84a16163bc47886d8541a016b31c51dfadf9da713e1

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\2320621725.exe
                                        Filesize

                                        5.6MB

                                        MD5

                                        13b26b2c7048a92d6a843c1302618fad

                                        SHA1

                                        89c2dfc01ac12ef2704c7669844ec69f1700c1ca

                                        SHA256

                                        1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

                                        SHA512

                                        d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\268503295.exe
                                        Filesize

                                        15KB

                                        MD5

                                        0c37ee292fec32dba0420e6c94224e28

                                        SHA1

                                        012cbdddaddab319a4b3ae2968b42950e929c46b

                                        SHA256

                                        981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

                                        SHA512

                                        2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\3128012031.exe
                                        Filesize

                                        8KB

                                        MD5

                                        cb8420e681f68db1bad5ed24e7b22114

                                        SHA1

                                        416fc65d538d3622f5ca71c667a11df88a927c31

                                        SHA256

                                        5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

                                        SHA512

                                        baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\343428296.exe
                                        Filesize

                                        10KB

                                        MD5

                                        96509ab828867d81c1693b614b22f41d

                                        SHA1

                                        c5f82005dbda43cedd86708cc5fc3635a781a67e

                                        SHA256

                                        a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

                                        SHA512

                                        ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\Files\a.exe
                                        Filesize

                                        96KB

                                        MD5

                                        930c41bc0c20865af61a95bcf0c3b289

                                        SHA1

                                        cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

                                        SHA256

                                        1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

                                        SHA512

                                        fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\Files\discord.exe
                                        Filesize

                                        3.1MB

                                        MD5

                                        6a0bb84dcd837e83638f4292180bf5ab

                                        SHA1

                                        20e31ccffe1ac806e75ea839ea90b4c91e4322c5

                                        SHA256

                                        e119fe767f3d10a387df1951d4b356384c5a9d0441b4034ddf7293c389a410b4

                                        SHA512

                                        d0d61815c1ca73e4d1b8d5c3ea61e0572bfa9f6e984247b8e66c22e5591d61f766c6476c2686ce611917a56f2d4d8b8ddb4efcdbed707855e4190a2404eedcc5

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\Files\hashed.exe
                                        Filesize

                                        6.4MB

                                        MD5

                                        99848d0ddfc95e855c62d8932845ae6f

                                        SHA1

                                        fc08e3d98922bc5de0c89968512c3fd778ba5e4b

                                        SHA256

                                        79d833993d87d2a09f6ba97c17af49e30483e7d934950c00c762ef5dc3893b84

                                        SHA512

                                        cf4194368335e63a42408f89102d85cd5f9ca8bb640970ee92ac4e95118b9cfc31a7c3a36b8bcdd84431648328c40c9b44333eb62fd639b1960d783ffd5e217d

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\Files\jet.exe
                                        Filesize

                                        75KB

                                        MD5

                                        1cd1defd8e963254a5f0d84aec85a75e

                                        SHA1

                                        fb0f7f965f0336e166fcd60d4fc9844e2a6c27df

                                        SHA256

                                        5cc691ddb8accd10a0eeaddc6d6f3853e2dac335e452140c26dd02ba312cd1a8

                                        SHA512

                                        810b964bba69abe66994d7e6bd6c0774c9f8e23a9fafd783255186ce3709fcfca0c1ffa600de0149eda58a46c27f5d1f5c8c08a78b138407911b9c05edacfaee

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\Files\major.exe
                                        Filesize

                                        1.6MB

                                        MD5

                                        fa3d03c319a7597712eeff1338dabf92

                                        SHA1

                                        f055ba8a644f68989edc21357c0b17fdf0ead77f

                                        SHA256

                                        a08db4c7b7bacc2bacd1e9a0ac7fbb91306bf83c279582f5ac3570a90e8b0f87

                                        SHA512

                                        80226bb11d56e4dc2dbc4fc6aade47db4ca4c539b25ee70b81465e984df0287d5efcadb6ec8bfc418228c61bd164447d62c4444030d31655aaeed342e2507ea1

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe
                                        Filesize

                                        83KB

                                        MD5

                                        06560b5e92d704395bc6dae58bc7e794

                                        SHA1

                                        fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

                                        SHA256

                                        9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

                                        SHA512

                                        b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\Files\svhostc.exe
                                        Filesize

                                        421KB

                                        MD5

                                        ae3dd2f4488753b690ca17d555147aba

                                        SHA1

                                        0405a77b556133c1fd1986acad16944fd75c7e2b

                                        SHA256

                                        77bdb3c46654446f1edffd1a388e3f64d8ca4dc24acd9575b95e94c26b8b43fe

                                        SHA512

                                        d9309d10e85a6850ae47cf69525f6b1f31caa7de112429a73cd8d5845bfc39464861de676febbe4eabeba438e37958fd051358f55967e78a84a50e8db40729b6

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\GS5BC2.tmp
                                        Filesize

                                        44KB

                                        MD5

                                        7d46ea623eba5073b7e3a2834fe58cc9

                                        SHA1

                                        29ad585cdf812c92a7f07ab2e124a0d2721fe727

                                        SHA256

                                        4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

                                        SHA512

                                        a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vheilg0k.acg.ps1
                                        Filesize

                                        60B

                                        MD5

                                        d17fe0a3f47be24a6453e9ef58c94641

                                        SHA1

                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                        SHA256

                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                        SHA512

                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\gs5C02.tmp
                                        Filesize

                                        24KB

                                        MD5

                                        e667dc95fc4777dfe2922456ccab51e8

                                        SHA1

                                        63677076ce04a2c46125b2b851a6754aa71de833

                                        SHA256

                                        2f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f

                                        SHA512

                                        c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef

                                        Download Submit

                                      • C:\Users\Admin\tbtnds.dat
                                        Filesize

                                        3KB

                                        MD5

                                        5b4d9e46a6ebfdaeadf00cb9cdd45cad

                                        SHA1

                                        4b9df7884c41b80b25a66e14c3366d456296194d

                                        SHA256

                                        138e46d482b27b223fb1283783065c39d58b021a7ebf1a3930d40863e5c2140d

                                        SHA512

                                        47e1a8ce0f586d715a9ac3f6bb8b34d926c30990a802466454e45cbeccd11a9de62632331865013284bc462e5cf5b71dca6e9c5b9b48837e7e69f4a9a9ebe0ba

                                        Download Submit

                                      • memory/1232-224-0x00007FF67B200000-0x00007FF67B229000-memory.dmp

                                        Filesize

                                        164KB

                                        Download

                                      • memory/1232-227-0x00007FF67B200000-0x00007FF67B229000-memory.dmp

                                        Filesize

                                        164KB

                                        Download

                                      • memory/1588-85-0x00000000079C0000-0x00000000079D4000-memory.dmp

                                        Filesize

                                        80KB

                                        Download

                                      • memory/1588-87-0x0000000007A90000-0x0000000007A98000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/1588-86-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

                                        Filesize

                                        104KB

                                        Download

                                      • memory/1588-71-0x000000006FAC0000-0x000000006FB0C000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/2344-202-0x00007FF6E2600000-0x00007FF6E2B97000-memory.dmp

                                        Filesize

                                        5.6MB

                                        Download

                                      • memory/3788-192-0x000001E92B110000-0x000001E92B132000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/4172-159-0x0000000002E00000-0x0000000002E50000-memory.dmp

                                        Filesize

                                        320KB

                                        Download

                                      • memory/4172-160-0x000000001BF90000-0x000000001C042000-memory.dmp

                                        Filesize

                                        712KB

                                        Download

                                      • memory/4240-222-0x00007FF61AD30000-0x00007FF61B2C7000-memory.dmp

                                        Filesize

                                        5.6MB

                                        Download

                                      • memory/4324-204-0x0000000000400000-0x000000000047E000-memory.dmp

                                        Filesize

                                        504KB

                                        Download

                                      • memory/4324-161-0x0000000000400000-0x000000000047E000-memory.dmp

                                        Filesize

                                        504KB

                                        Download

                                      • memory/4324-163-0x0000000000400000-0x000000000047E000-memory.dmp

                                        Filesize

                                        504KB

                                        Download

                                      • memory/4356-69-0x00000000077B0000-0x0000000007E2A000-memory.dmp

                                        Filesize

                                        6.5MB

                                        Download

                                      • memory/4356-57-0x000000006FAC0000-0x000000006FB0C000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/4356-34-0x0000000005780000-0x00000000057E6000-memory.dmp

                                        Filesize

                                        408KB

                                        Download

                                      • memory/4356-32-0x0000000004E10000-0x0000000004E32000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/4356-44-0x00000000057F0000-0x0000000005B44000-memory.dmp

                                        Filesize

                                        3.3MB

                                        Download

                                      • memory/4356-84-0x0000000007340000-0x000000000734E000-memory.dmp

                                        Filesize

                                        56KB

                                        Download

                                      • memory/4356-83-0x0000000007320000-0x0000000007331000-memory.dmp

                                        Filesize

                                        68KB

                                        Download

                                      • memory/4356-82-0x0000000007380000-0x0000000007416000-memory.dmp

                                        Filesize

                                        600KB

                                        Download

                                      • memory/4356-81-0x0000000007180000-0x000000000718A000-memory.dmp

                                        Filesize

                                        40KB

                                        Download

                                      • memory/4356-70-0x0000000007100000-0x000000000711A000-memory.dmp

                                        Filesize

                                        104KB

                                        Download

                                      • memory/4356-31-0x0000000004F30000-0x0000000005558000-memory.dmp

                                        Filesize

                                        6.2MB

                                        Download

                                      • memory/4356-68-0x0000000006DD0000-0x0000000006E73000-memory.dmp

                                        Filesize

                                        652KB

                                        Download

                                      • memory/4356-67-0x0000000006DA0000-0x0000000006DBE000-memory.dmp

                                        Filesize

                                        120KB

                                        Download

                                      • memory/4356-30-0x0000000004810000-0x0000000004846000-memory.dmp

                                        Filesize

                                        216KB

                                        Download

                                      • memory/4356-56-0x00000000063B0000-0x00000000063E2000-memory.dmp

                                        Filesize

                                        200KB

                                        Download

                                      • memory/4356-33-0x0000000005660000-0x00000000056C6000-memory.dmp

                                        Filesize

                                        408KB

                                        Download

                                      • memory/4356-45-0x0000000005DD0000-0x0000000005DEE000-memory.dmp

                                        Filesize

                                        120KB

                                        Download

                                      • memory/4356-46-0x0000000005E10000-0x0000000005E5C000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/4580-140-0x0000000000210000-0x0000000000534000-memory.dmp

                                        Filesize

                                        3.1MB

                                        Download

                                      • memory/4584-273-0x0000000000400000-0x0000000000416000-memory.dmp

                                        Filesize

                                        88KB

                                        Download

                                      • memory/4584-274-0x00000000004B0000-0x00000000004CC000-memory.dmp

                                        Filesize

                                        112KB

                                        Download

                                      • memory/4584-292-0x0000000000400000-0x0000000000416000-memory.dmp

                                        Filesize

                                        88KB

                                        Download

                                      • memory/4584-285-0x00000000004B0000-0x00000000004CC000-memory.dmp

                                        Filesize

                                        112KB

                                        Download

                                      • memory/4840-3-0x0000000074E90000-0x0000000075640000-memory.dmp

                                        Filesize

                                        7.7MB

                                        Download

                                      • memory/4840-2-0x0000000005800000-0x000000000589C000-memory.dmp

                                        Filesize

                                        624KB

                                        Download

                                      • memory/4840-1-0x0000000000E10000-0x0000000000E18000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/4840-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4840-89-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4840-94-0x0000000074E90000-0x0000000075640000-memory.dmp

                                        Filesize

                                        7.7MB

                                        Download

                                      • memory/4852-116-0x00000000002E0000-0x00000000002E6000-memory.dmp

                                        Filesize

                                        24KB

                                        Download

                                      • memory/5016-231-0x00007FF7D9FB0000-0x00007FF7DA79F000-memory.dmp

                                        Filesize

                                        7.9MB

                                        Download

                                      • memory/5016-277-0x00007FF7D9FB0000-0x00007FF7DA79F000-memory.dmp

                                        Filesize

                                        7.9MB

                                        Download

                                      • memory/5016-272-0x00007FF7D9FB0000-0x00007FF7DA79F000-memory.dmp

                                        Filesize

                                        7.9MB

                                        Download

                                      • memory/5016-249-0x00007FF7D9FB0000-0x00007FF7DA79F000-memory.dmp

                                        Filesize

                                        7.9MB

                                        Download

                                      • memory/5016-245-0x00007FF7D9FB0000-0x00007FF7DA79F000-memory.dmp

                                        Filesize

                                        7.9MB

                                        Download

                                      • memory/5016-228-0x00007FF7D9FB0000-0x00007FF7DA79F000-memory.dmp

                                        Filesize

                                        7.9MB

                                        Download

                                      • memory/5016-333-0x00007FF7D9FB0000-0x00007FF7DA79F000-memory.dmp

                                        Filesize

                                        7.9MB

                                        Download

                                      • memory/5016-225-0x00007FF7D9FB0000-0x00007FF7DA79F000-memory.dmp

                                        Filesize

                                        7.9MB

                                        Download

                                      • memory/5016-221-0x00000161DE1A0000-0x00000161DE1C0000-memory.dmp

                                        Filesize

                                        128KB

                                        Download