Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

XClientB.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    05/12/2024, 06:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClientB.exe

  • Size

    85KB

  • MD5

    a95c8560300ac51832c9baeca525230f

  • SHA1

    a04977f02be0dfd0a9af69a093f795468c1a7e30

  • SHA256

    1155ac9e41e46a3a870453570101bee1cfa164435847972c46ebfa70bc336a55

  • SHA512

    c53ea3ec545f4bde2828866fb96c61490c4a28bec0c01310a252f21908063f7a46b69f76f8327fa96234f04a9c661ad7f1fca3fc16f3b2bad68c0f64f96958be

  • SSDEEP

    1536:2inzt6mDiPKA7AIBdUZlouGQ68btAIzGNcrOlAy6TR7OybKExKN7:2ih7wX0vl68bOImcr9R7OaKES7

Score
10/10
dcratgurcuxwormdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Temp%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/vJmE27fr

  • telegram

    https://api.telegram.org/bot7414557379:AAHJMIrSP_hoR0jelLf8igel3SZxGY860qU/sendMessage?chat_id=2076906822

Extracted

Family

xworm

Version

3.0

C2

plus-loves.gl.at.ply.gg:59327

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7414557379:AAHJMIrSP_hoR0jelLf8igel3SZxGY860qU/sendMessage?chat_id=2076906822

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Detect Xworm Payload 4 IoCs
  • Gurcu family
    gurcu
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

    stealergurcu
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 17 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 14 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClientB.exe
    "C:\Users\Admin\AppData\Local\Temp\XClientB.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClientB.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClientB.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3736
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3848
    • C:\Users\Admin\AppData\Local\Temp\HXJT0UUBH96MZ8J.exe
      "C:\Users\Admin\AppData\Local\Temp\HXJT0UUBH96MZ8J.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "HXJT0UUBH96MZ8J" /tr "C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1620
    • C:\Users\Admin\AppData\Local\Temp\PTCRXCZWINIPZO5.exe
      "C:\Users\Admin\AppData\Local\Temp\PTCRXCZWINIPZO5.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1380
          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3728
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rhes23zl\rhes23zl.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2740
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC59C25393273142499837C22471A1491.TMP"
                7⤵
                  PID:2708
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q3nmdtk4\q3nmdtk4.cmdline"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3216
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES503E.tmp" "c:\Users\Admin\AppData\Roaming\CSCD305C3CB668441C2AE41F466BC27D28.TMP"
                  7⤵
                    PID:5044
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n5lykhxe\n5lykhxe.cmdline"
                  6⤵
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:1880
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50BB.tmp" "c:\Windows\System32\CSC47E3DA1CBB104541946EC14A51D43C23.TMP"
                    7⤵
                      PID:1564
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\dwm.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:5104
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\csrss.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:1264
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\conhost.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:2796
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:3620
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\services.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:4696
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:1864
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ftbNq2ZSX.bat"
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5056
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      7⤵
                        PID:2816
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        7⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:4312
                      • C:\HypercomponentCommon\services.exe
                        "C:\HypercomponentCommon\services.exe"
                        7⤵
                        • Executes dropped EXE
                        PID:2840
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            1⤵
            • Executes dropped EXE
            PID:2836
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\PrintHood\dwm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3396
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2788
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\PrintHood\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4724
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1112
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2704
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2144
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\conhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1760
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3644
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4352
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3616
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:728
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3340
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\HypercomponentCommon\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4792
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\HypercomponentCommon\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\HypercomponentCommon\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5040
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 10 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1868
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2304
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 5 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4612
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1184
            • C:\Users\Admin\PrintHood\dwm.exe
              "C:\Users\Admin\PrintHood\dwm.exe"
              2⤵
              • Executes dropped EXE
              PID:4376
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe
              "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe"
              2⤵
              • Executes dropped EXE
              PID:3716
          • C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe
            "C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe"
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2368
            • C:\Users\Admin\PrintHood\dwm.exe
              "C:\Users\Admin\PrintHood\dwm.exe"
              2⤵
              • Executes dropped EXE
              PID:3180
            • C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe.exe
              "C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe.exe"
              2⤵
              • Executes dropped EXE
              PID:4628
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            PID:1184
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe
              "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe"
              2⤵
              • Executes dropped EXE
              PID:4248
            • C:\Users\Admin\PrintHood\dwm.exe
              "C:\Users\Admin\PrintHood\dwm.exe"
              2⤵
              • Executes dropped EXE
              PID:3452
          • C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe
            "C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe"
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            PID:1656
            • C:\Users\Admin\PrintHood\dwm.exe
              "C:\Users\Admin\PrintHood\dwm.exe"
              2⤵
              • Executes dropped EXE
              PID:3664
            • C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe.exe
              "C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe.exe"
              2⤵
              • Executes dropped EXE
              PID:2832

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          2
          T1012

          Remote System Discovery

          1
          T1018

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          System Network Configuration Discovery

          1
          T1016

          Internet Connection Discovery

          1
          T1016.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Web Service

          1
          T1102

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe
            Filesize

            220B

            MD5

            47085bdd4e3087465355c9bb9bbc6005

            SHA1

            bf0c5b11c20beca45cc9d4298f2a11a16c793a61

            SHA256

            80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752

            SHA512

            e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684

            Download Submit

          • C:\HypercomponentCommon\cemEzm0xYx1.bat
            Filesize

            105B

            MD5

            5ee2935a1949f69f67601f7375b3e8a3

            SHA1

            6a3229f18db384e57435bd3308298da56aa8c404

            SHA256

            c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06

            SHA512

            9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a

            Download Submit

          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            Filesize

            1.9MB

            MD5

            7be5cea1c84ad0b2a6d2e5b6292c8d80

            SHA1

            631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce

            SHA256

            6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7

            SHA512

            ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HXJT0UUBH96MZ8J.exe.log
            Filesize

            226B

            MD5

            b92bd19c1a9416298a873dfa43b439b7

            SHA1

            7b96a8874aff3a502363f4168332613ebc53d64e

            SHA256

            1ac8854abd01c202cf82e4ccdf80bf50319c59bc7a02dce2b19cecfedf7dd4ba

            SHA512

            5910691ebdd78a2740117b14f146629874682d196f518f479b8bcb754ed2501a009fc465cb9e3685f7aed8ced7b435690de2b8b8439117abb5f61dc4996387a6

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log
            Filesize

            847B

            MD5

            37544b654facecb83555afec67d08b33

            SHA1

            4dc0f5db034801784b01befef5c1d3304145e1dc

            SHA256

            ec084a6c6ecd7d31f1927b0cd926ec03ce346a469f24e5a860e05f2241bd7bf4

            SHA512

            4af827ead52c8769672f58a69fca18484aeba1e59b7ec0527e200f8e3d893bcbc1063ea820260fc0b922985ee3b26c3a6f79b4044fb34f1b58f2e3379971b5f9

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            3eb3833f769dd890afc295b977eab4b4

            SHA1

            e857649b037939602c72ad003e5d3698695f436f

            SHA256

            c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

            SHA512

            c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
            Filesize

            654B

            MD5

            11c6e74f0561678d2cf7fc075a6cc00c

            SHA1

            535ee79ba978554abcb98c566235805e7ea18490

            SHA256

            d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

            SHA512

            32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            fd3185b98939ebd67bb8d4a8ed35c336

            SHA1

            a57a7fa4ab807003a035776223c49e3fb8288ab0

            SHA256

            8e37038f41e262bd7d604390b52b8b6fdd826175efa09e76a0f47a490184379e

            SHA512

            081c6d6c9d468e0b1be2be008b2a995c65ddf693fea47e9c2a3fa4484f160d1fec46f8b9831e9c1440e099c8cc5d7ac4580ee7daff1a9055a7db91010cf584bf

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            41b8b3dc843bb68cece421e263fcaf31

            SHA1

            576998931b3e982a9d0cc30a46973c4d6d934a53

            SHA256

            d8f3108fad9f28dc5b6efae92b55004f57019d862cc0548f9b5f9b84fde1ba52

            SHA512

            7ac0f22425feb43c0a0cd23256bac03b1143a4299ce469cf6bcb86a78377896149552d4c378b1955578084bfc334935c0daca621bf42904cfaeba45699083493

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            06acb95360249edbd1dfec718dc02408

            SHA1

            ff247df157f542248601cfcfb814d3627008803a

            SHA256

            0dc54625d4dc58aa1ed132c50f3b05fb53dbbd41c68e1a6bed050f8af5cab917

            SHA512

            69a75e21cfbc43817128dc39aea6ed43e2e7bc035ff1f9828f6fb9cfcc9bb214cb3d4c12566dce950210d3cd8592566eaa5e61863ccbbf0f74035e2332b2b196

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            d2f329b9f9029f110da30d6cfb4e9581

            SHA1

            ed81739aeac808f26efb323c5225dc5906a2f387

            SHA256

            85cdada775f58b40181ef2cd6ef87d5bedbffb3481107550a9add560a03dc44e

            SHA512

            572dc23dca888e54ac66c6988b12f75374e33eb99ebbdaee8ba7765de42f4103e645d5e553fcc3f94521827075d412155b34416dca3c9d89026770b4e8a822ce

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            1a2f06f0ac7ba67e291d3210e7bec51c

            SHA1

            708505f15771008a090d9a218ec109dc8745fb12

            SHA256

            6e055fb82c366d026275a9c20841eaa06fe5b6967f2ff3bc4b5173ddddfc7cea

            SHA512

            5be2281819c271849cfdfccc3edc5ff3da55f0ef262aa47dec4e5660fdeedfe8d2f6d267ddb8500cde8800547a1eeb052d3ebb9f19083c0c184fb06d48a88190

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            60b3262c3163ee3d466199160b9ed07d

            SHA1

            994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

            SHA256

            e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

            SHA512

            081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            f86e64a00401edb8dfb34a0b110b8984

            SHA1

            2e049a3d17b23e8f7350ab9b4a82a73b3a71814a

            SHA256

            1ed0dc6e40c3ace293d940624872c331caadbd156b1b70758c8649ad9a98dedc

            SHA512

            40ff195758d53ad934c4f8d6a9bd104b2d38ee1f77c1e352dc6105a9fa2e09cccc386d0680e2e3d356970b26c631c5d644037f0a95428fc5ee8e243cb84d61ba

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            648812e0a09d54e539e0de3d47839ab1

            SHA1

            5d3da316723063206acbbcb0a692f641e2df4e53

            SHA256

            487b4b8ebe1cf2b23a12a2d5b9d597af294f0807b7ba8eaeea0f8e33d25c4414

            SHA512

            6a06c9faa23cb04a05fec92d2c9a4323d63afab02d51cb826093b631e55cb8bd331963c373eaf972b6cfdabffc25eddc97be5398469430b18c49cdbae0cf194e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7ftbNq2ZSX.bat
            Filesize

            164B

            MD5

            d0d42162045485fc621892c6ac37896c

            SHA1

            39c0ad26e13785108742c0399a850d78c46a9a0a

            SHA256

            563842fa7f76c39fc56224c688497b6c30fda4f2ce537cae8913d1fa2e0448a5

            SHA512

            8fbf02bf9839d6d686a7b32242bc3edde560fc7785064554fed0ed1b407d16c24a50ac83afe0641339966b6d3a6ce8556f9b51f741c6a5d43d7d9c29e00df0d7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\HXJT0UUBH96MZ8J.exe
            Filesize

            185KB

            MD5

            e0c8976957ffdc4fe5555adbe8cb0d0c

            SHA1

            226a764bacfa17b92131993aa85fe63f1dbf347c

            SHA256

            b8260ac46e03f2a7baa9ae01bee5443d16d9eb96f6ee8588a887d6de72a750d4

            SHA512

            3a1ea48e81ebfd5586938a72afd68bcc48d4c5d69949cfdacf33aee3371d98f202443f5db12bac876ca7cecc982ddc56827f8d9b1857d22bda71242d5b2cc71e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\PTCRXCZWINIPZO5.exe
            Filesize

            2.2MB

            MD5

            05d87a4a162784fd5256f4118aff32af

            SHA1

            484ed03930ed6a60866b6f909b37ef0d852dbefd

            SHA256

            7e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950

            SHA512

            3d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RES4FB1.tmp
            Filesize

            1KB

            MD5

            91b41c069459c8665011d43837512597

            SHA1

            cf419670c0d5e3b0fdeba32d68dc633a22c12d47

            SHA256

            a2431257d3b814376992a5c4248e4f003b3737df9bfd4bd9e59e21d56e8dce64

            SHA512

            a50ec18b1bf1f1b92cceff490d4a1d1a9aef67651007a4bef9733b2f0d5aab9107b93b940a3da6ba0f3d72ae6fac5d7a3cfebd1700d3106576d199c3df8e533e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RES503E.tmp
            Filesize

            1KB

            MD5

            da67fbcd1afea33d8f399e4c79d70017

            SHA1

            2c0429de29f73a9e42141f57664e2f5763236300

            SHA256

            31f1da127722a8c86d453420d5539d5732e6096ea8e9c9df19b3373bec38d9a1

            SHA512

            f880537ae4fe63097173d868284a7ef67b6a87612e4146219a3bd0d5350aed6f9ed8d6a8baad38c12e313ffe40e6f2cf53f4048347527149c533a35fb419d988

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RES50BB.tmp
            Filesize

            1KB

            MD5

            3a4ee8558080f3f64b37a86de8d67138

            SHA1

            1fa8d430ff725763cefa6cf03a77eef1cdb2710e

            SHA256

            bc0d72c0f91a06992bab4d18cbf877bbb35a8cd4969d858e57976cecf40a2c07

            SHA512

            6cf1a46696d51e7337ff78e87d077a8f881d2d2c813c4ef785908e2b7983b982a481c9f286119c518d442c3edc23cec14f7c7995415d2f9bb1efa5325ff2d851

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54sgqpse.4qo.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            Filesize

            4KB

            MD5

            7cb094d98030ef92c0ccc68ad4239a07

            SHA1

            c8fcd17cda00696c57082bd9384f24fd518ee37a

            SHA256

            5856ceb6da2e939b1c8dff48c285da19429f3f4c6bf1c3a825ae512061b01a45

            SHA512

            a62684f56d8f066be64db97c57d6e8cff8a763fce01d82372a893a3ce14d87d7c34ab2049b972e69c1e3f2f889301b3df67508c865082dbeaa72292727bcd7bb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            Filesize

            85KB

            MD5

            a95c8560300ac51832c9baeca525230f

            SHA1

            a04977f02be0dfd0a9af69a093f795468c1a7e30

            SHA256

            1155ac9e41e46a3a870453570101bee1cfa164435847972c46ebfa70bc336a55

            SHA512

            c53ea3ec545f4bde2828866fb96c61490c4a28bec0c01310a252f21908063f7a46b69f76f8327fa96234f04a9c661ad7f1fca3fc16f3b2bad68c0f64f96958be

            Download Submit

          • C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe
            Filesize

            4KB

            MD5

            0f94ef9574d7876b592822979e0d91b3

            SHA1

            023bc8fae57073e597543ca679935bfa582a308b

            SHA256

            cd4ef962497c45cc5a60661ced522036338bcbdb4d251d4ac13907cdd9e1d1da

            SHA512

            36c0a23403c7ee6c1eb7de0cf56342e5e9747c95517eb3d50fd62cd58ccb490f83bcfecc6aa78c18eb24019ee02f8fc4836d72af17b13a25af125c868ccba7b2

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\CSC59C25393273142499837C22471A1491.TMP
            Filesize

            1KB

            MD5

            b10290e193d94a5e3c95660f0626a397

            SHA1

            7b9de1fd7a43f6f506e5fc3426836b8c52d0d711

            SHA256

            75c9e1766bfb99754b6a00d37ef93488ab216b5ac48984ed7d9d2076a7056fd2

            SHA512

            6ae4201552a499eaa726416b29230f48d94ac7f40ff038165bf8582626bbefe601ef6c051ad97d9156dc4b9b55fd22081db61bcd013916136340c5f1324e4bb5

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\n5lykhxe\n5lykhxe.0.cs
            Filesize

            364B

            MD5

            08c41b51d273fc90753172b3d7c43032

            SHA1

            0edbf1d5eb660563e62642e9c4e5af392631c85a

            SHA256

            f8f73e87401c216123e64f52810a5847d42a16384c5845d34b01a70d0bbfb998

            SHA512

            e065ea4f71fbc40918a2a618467ffd0bded68a23a99cf4663fdea6c64e537ac49cf73bbaac982a51b9465273757d9f1b6009c74ad9697ac37abdf8234dea62ff

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\n5lykhxe\n5lykhxe.cmdline
            Filesize

            235B

            MD5

            a39dcdaefc065c8d9b0114a5c2b25a06

            SHA1

            d3fea713dcffacb02517aa8d583f33c3ad59fdc5

            SHA256

            af3be25432dd3bcc64db14282533a849aa115e86bf478d019f69ce8876f6e18f

            SHA512

            2ed950f85dc37425a34fcf7b3dba3ab77b82accad0499e3a26ffd4e3e8571f734195424358f1126051dfee7f49f6364d2c75a693e763b4c03ebebaaf9056796a

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\q3nmdtk4\q3nmdtk4.0.cs
            Filesize

            384B

            MD5

            57fbfe344e2ab12c90b23acc0334c00b

            SHA1

            56796a2ce9445d69b75c98ca0da5ba3fdf5a30ee

            SHA256

            ba4ef87ab30a854de511df20359f643062fc29579d814490eebd3715c2feb6b5

            SHA512

            b75b5a22a0e23c08bd501d8869a1ce19c762c454b288e0ea6f53035dc493d74c5a12672b7a30357f23799b59d9674241c04d8d42a038d36c144f7b1660cf57b7

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\q3nmdtk4\q3nmdtk4.cmdline
            Filesize

            255B

            MD5

            003570c2c7f1ed918e9bd811e89a36b2

            SHA1

            f2956cbe7af4f6c38ad1107d7bd36b584c81993a

            SHA256

            120dddeb7bcff4742174e09d1d28c442b0aad4712a4b42f420cb32204b5984f1

            SHA512

            ca81db49ba97ff13213735490f187ae34d57423dcc351eaaf6ce0cd1577483f45233b5f0d5ed35b899fb59af5c819f94cf0157a595386407b2f65c2e2b2b8257

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\rhes23zl\rhes23zl.0.cs
            Filesize

            379B

            MD5

            e908db3bf86ca4889422c5c07a837949

            SHA1

            6cd03e0be7f14c4097771dc1ef9ef929ac09f620

            SHA256

            6aa0e685d1c19707c66dec687c62bce2bd924d2fe91b6fb67be27d8d13e61763

            SHA512

            adb6b2498aaca59db3df8618b45f1a7c9c0454e9b9def90239cf17f4ddeba019a40080a2c8e706af5f45122643a6b952d84770af693537c8d4b3cd7a8a9fccdc

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\rhes23zl\rhes23zl.cmdline
            Filesize

            250B

            MD5

            5400d8579226d8e24edb74b3afe5751f

            SHA1

            d920e711ccc3a68fac3c72af0e68ba9c5f42bf4d

            SHA256

            afffbe4c484bb31c8151944a95b44d453621d86a93fb2dac9a27f88822092799

            SHA512

            51532be6a7161afeb30792276c481a1002c443618d7c53b0c3546e71d3995712ce8654fddf0f1507c350a2b52c27ba9975c158fce8bf30947b883290d341259f

            Download Submit

          • \??\c:\Users\Admin\AppData\Roaming\CSCD305C3CB668441C2AE41F466BC27D28.TMP
            Filesize

            1KB

            MD5

            d7eb52013da49eb81115ab44e6e16ede

            SHA1

            7a0b96ebe18681286f0c3cb3acd0f4e5570b4ff0

            SHA256

            16ad8c0b136f542082885fd68fcfc99077e435f067713fc89a6daa0080f2c3aa

            SHA512

            d6018a984720d24d9ea62c631a4f9b36b3ef66ed28eaedeb38401e16e3a2f2f75e30107f3739afcfec1159e7bbf8bdaf2b35f36014cec06a5504d21cd98f2e88

            Download Submit

          • \??\c:\Windows\System32\CSC47E3DA1CBB104541946EC14A51D43C23.TMP
            Filesize

            1KB

            MD5

            b7890074c0676df846c8d319664a263c

            SHA1

            282b65c3ece5648ff1e2bca3fd63c81976f50578

            SHA256

            6f8f38bce1f63faeddbdf63cac6f27c360964fb4ab63aa611acc1e3ba9a55853

            SHA512

            5bee1cf30abb475f9170399688191287b598d51eeb5905fb6a6930d49ae9c1fe831a68d3679747c47efc8cd363bda6ec9330dbdece4de5b77acd4d53fa9f980a

            Download Submit

          • memory/1184-256-0x0000000000850000-0x0000000000858000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2368-261-0x0000000000400000-0x0000000000408000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2380-79-0x0000000000010000-0x0000000000044000-memory.dmp

            Filesize

            208KB

            Download

          • memory/2840-252-0x000000001CC50000-0x000000001CCBB000-memory.dmp

            Filesize

            428KB

            Download

          • memory/3728-119-0x000000001BC70000-0x000000001BCC0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/3728-177-0x000000001B7F0000-0x000000001B85B000-memory.dmp

            Filesize

            428KB

            Download

          • memory/3728-118-0x000000001B7B0000-0x000000001B7CC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/3728-116-0x0000000002D40000-0x0000000002D4E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3728-121-0x000000001B7D0000-0x000000001B7E8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/3728-114-0x0000000000A90000-0x0000000000C76000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/3728-123-0x0000000002D60000-0x0000000002D6E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3728-125-0x0000000002D70000-0x0000000002D7C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4432-62-0x00007FFB0CA30000-0x00007FFB0D4F2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4432-1-0x0000000000210000-0x000000000022C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/4432-277-0x000000001ECC0000-0x000000001F010000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4432-2-0x00007FFB0CA30000-0x00007FFB0D4F2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4432-56-0x00007FFB0CA33000-0x00007FFB0CA35000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4432-64-0x000000001D380000-0x000000001D38C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4432-0-0x00007FFB0CA33000-0x00007FFB0CA35000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4992-20-0x00007FFB0CA30000-0x00007FFB0D4F2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4992-3-0x00007FFB0CA30000-0x00007FFB0D4F2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4992-13-0x000001492ADB0000-0x000001492ADD2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4992-14-0x00007FFB0CA30000-0x00007FFB0D4F2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4992-15-0x00007FFB0CA30000-0x00007FFB0D4F2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4992-16-0x00007FFB0CA30000-0x00007FFB0D4F2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4992-17-0x00007FFB0CA30000-0x00007FFB0D4F2000-memory.dmp

            Filesize

            10.8MB

            Download