Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    05/12/2024, 06:47

General

  • Target

    XClientB.exe

  • Size

    85KB

  • MD5

    a95c8560300ac51832c9baeca525230f

  • SHA1

    a04977f02be0dfd0a9af69a093f795468c1a7e30

  • SHA256

    1155ac9e41e46a3a870453570101bee1cfa164435847972c46ebfa70bc336a55

  • SHA512

    c53ea3ec545f4bde2828866fb96c61490c4a28bec0c01310a252f21908063f7a46b69f76f8327fa96234f04a9c661ad7f1fca3fc16f3b2bad68c0f64f96958be

  • SSDEEP

    1536:2inzt6mDiPKA7AIBdUZlouGQ68btAIzGNcrOlAy6TR7OybKExKN7:2ih7wX0vl68bOImcr9R7OaKES7

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Temp%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/vJmE27fr

  • telegram

    https://api.telegram.org/bot7414557379:AAHJMIrSP_hoR0jelLf8igel3SZxGY860qU/sendMessage?chat_id=2076906822

Extracted

Family

xworm

Version

3.0

C2

plus-loves.gl.at.ply.gg:59327

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7414557379:AAHJMIrSP_hoR0jelLf8igel3SZxGY860qU/sendMessage?chat_id=2076906822

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Detect Xworm Payload 4 IoCs
  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 17 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClientB.exe
    "C:\Users\Admin\AppData\Local\Temp\XClientB.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClientB.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClientB.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3736
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3848
    • C:\Users\Admin\AppData\Local\Temp\HXJT0UUBH96MZ8J.exe
      "C:\Users\Admin\AppData\Local\Temp\HXJT0UUBH96MZ8J.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "HXJT0UUBH96MZ8J" /tr "C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1620
    • C:\Users\Admin\AppData\Local\Temp\PTCRXCZWINIPZO5.exe
      "C:\Users\Admin\AppData\Local\Temp\PTCRXCZWINIPZO5.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1380
          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3728
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rhes23zl\rhes23zl.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2740
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC59C25393273142499837C22471A1491.TMP"
                7⤵
                PID:2708
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q3nmdtk4\q3nmdtk4.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3216
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES503E.tmp" "c:\Users\Admin\AppData\Roaming\CSCD305C3CB668441C2AE41F466BC27D28.TMP"
                7⤵
                PID:5044
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n5lykhxe\n5lykhxe.cmdline"
              6⤵
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:1880
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50BB.tmp" "c:\Windows\System32\CSC47E3DA1CBB104541946EC14A51D43C23.TMP"
                7⤵
                PID:1564
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\dwm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              PID:5104
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\csrss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1264
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2796
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              PID:3620
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\services.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4696
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1864
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ftbNq2ZSX.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:5056
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                PID:2816
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                7⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4312
              • C:\HypercomponentCommon\services.exe
                "C:\HypercomponentCommon\services.exe"
                7⤵
                • Executes dropped EXE
                PID:2840
  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\PrintHood\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\PrintHood\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\HypercomponentCommon\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\HypercomponentCommon\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\HypercomponentCommon\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 10 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 5 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4612
  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Users\Admin\PrintHood\dwm.exe
      "C:\Users\Admin\PrintHood\dwm.exe"
      2⤵
      • Executes dropped EXE
      PID:4376
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe"
      2⤵
      • Executes dropped EXE
      PID:3716
  • C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe
    "C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\PrintHood\dwm.exe
      "C:\Users\Admin\PrintHood\dwm.exe"
      2⤵
      • Executes dropped EXE
      PID:3180
    • C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe.exe
      "C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe.exe"
      2⤵
      • Executes dropped EXE
      PID:4628
  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    PID:1184
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe"
      2⤵
      • Executes dropped EXE
      PID:4248
    • C:\Users\Admin\PrintHood\dwm.exe
      "C:\Users\Admin\PrintHood\dwm.exe"
      2⤵
      • Executes dropped EXE
      PID:3452
  • C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe
    "C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    PID:1656
    • C:\Users\Admin\PrintHood\dwm.exe
      "C:\Users\Admin\PrintHood\dwm.exe"
      2⤵
      • Executes dropped EXE
      PID:3664
    • C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe.exe
      "C:\Users\Admin\AppData\Roaming\HXJT0UUBH96MZ8J.exe.exe"
      2⤵
      • Executes dropped EXE
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe

                  Filesize

                  220B

                  MD5

                  47085bdd4e3087465355c9bb9bbc6005

                  SHA1

                  bf0c5b11c20beca45cc9d4298f2a11a16c793a61

                  SHA256

                  80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752

                  SHA512

                  e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684

                • C:\HypercomponentCommon\cemEzm0xYx1.bat

                  Filesize

                  105B

                  MD5

                  5ee2935a1949f69f67601f7375b3e8a3

                  SHA1

                  6a3229f18db384e57435bd3308298da56aa8c404

                  SHA256

                  c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06

                  SHA512

                  9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a

                • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe

                  Filesize

                  1.9MB

                  MD5

                  7be5cea1c84ad0b2a6d2e5b6292c8d80

                  SHA1

                  631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce

                  SHA256

                  6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7

                  SHA512

                  ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HXJT0UUBH96MZ8J.exe.log

                  Filesize

                  226B

                  MD5

                  b92bd19c1a9416298a873dfa43b439b7

                  SHA1

                  7b96a8874aff3a502363f4168332613ebc53d64e

                  SHA256

                  1ac8854abd01c202cf82e4ccdf80bf50319c59bc7a02dce2b19cecfedf7dd4ba

                  SHA512

                  5910691ebdd78a2740117b14f146629874682d196f518f479b8bcb754ed2501a009fc465cb9e3685f7aed8ced7b435690de2b8b8439117abb5f61dc4996387a6

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

                  Filesize

                  847B

                  MD5

                  37544b654facecb83555afec67d08b33

                  SHA1

                  4dc0f5db034801784b01befef5c1d3304145e1dc

                  SHA256

                  ec084a6c6ecd7d31f1927b0cd926ec03ce346a469f24e5a860e05f2241bd7bf4

                  SHA512

                  4af827ead52c8769672f58a69fca18484aeba1e59b7ec0527e200f8e3d893bcbc1063ea820260fc0b922985ee3b26c3a6f79b4044fb34f1b58f2e3379971b5f9

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                  Filesize

                  3KB

                  MD5

                  3eb3833f769dd890afc295b977eab4b4

                  SHA1

                  e857649b037939602c72ad003e5d3698695f436f

                  SHA256

                  c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

                  SHA512

                  c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

                  Filesize

                  654B

                  MD5

                  11c6e74f0561678d2cf7fc075a6cc00c

                  SHA1

                  535ee79ba978554abcb98c566235805e7ea18490

                  SHA256

                  d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

                  SHA512

                  32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  1KB

                  MD5

                  fd3185b98939ebd67bb8d4a8ed35c336

                  SHA1

                  a57a7fa4ab807003a035776223c49e3fb8288ab0

                  SHA256

                  8e37038f41e262bd7d604390b52b8b6fdd826175efa09e76a0f47a490184379e

                  SHA512

                  081c6d6c9d468e0b1be2be008b2a995c65ddf693fea47e9c2a3fa4484f160d1fec46f8b9831e9c1440e099c8cc5d7ac4580ee7daff1a9055a7db91010cf584bf

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  1KB

                  MD5

                  41b8b3dc843bb68cece421e263fcaf31

                  SHA1

                  576998931b3e982a9d0cc30a46973c4d6d934a53

                  SHA256

                  d8f3108fad9f28dc5b6efae92b55004f57019d862cc0548f9b5f9b84fde1ba52

                  SHA512

                  7ac0f22425feb43c0a0cd23256bac03b1143a4299ce469cf6bcb86a78377896149552d4c378b1955578084bfc334935c0daca621bf42904cfaeba45699083493

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  1KB

                  MD5

                  06acb95360249edbd1dfec718dc02408

                  SHA1

                  ff247df157f542248601cfcfb814d3627008803a

                  SHA256

                  0dc54625d4dc58aa1ed132c50f3b05fb53dbbd41c68e1a6bed050f8af5cab917

                  SHA512

                  69a75e21cfbc43817128dc39aea6ed43e2e7bc035ff1f9828f6fb9cfcc9bb214cb3d4c12566dce950210d3cd8592566eaa5e61863ccbbf0f74035e2332b2b196

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  1KB

                  MD5

                  d2f329b9f9029f110da30d6cfb4e9581

                  SHA1

                  ed81739aeac808f26efb323c5225dc5906a2f387

                  SHA256

                  85cdada775f58b40181ef2cd6ef87d5bedbffb3481107550a9add560a03dc44e

                  SHA512

                  572dc23dca888e54ac66c6988b12f75374e33eb99ebbdaee8ba7765de42f4103e645d5e553fcc3f94521827075d412155b34416dca3c9d89026770b4e8a822ce

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  1KB

                  MD5

                  1a2f06f0ac7ba67e291d3210e7bec51c

                  SHA1

                  708505f15771008a090d9a218ec109dc8745fb12

                  SHA256

                  6e055fb82c366d026275a9c20841eaa06fe5b6967f2ff3bc4b5173ddddfc7cea

                  SHA512

                  5be2281819c271849cfdfccc3edc5ff3da55f0ef262aa47dec4e5660fdeedfe8d2f6d267ddb8500cde8800547a1eeb052d3ebb9f19083c0c184fb06d48a88190

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  1KB

                  MD5

                  60b3262c3163ee3d466199160b9ed07d

                  SHA1

                  994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

                  SHA256

                  e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

                  SHA512

                  081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  1KB

                  MD5

                  f86e64a00401edb8dfb34a0b110b8984

                  SHA1

                  2e049a3d17b23e8f7350ab9b4a82a73b3a71814a

                  SHA256

                  1ed0dc6e40c3ace293d940624872c331caadbd156b1b70758c8649ad9a98dedc

                  SHA512

                  40ff195758d53ad934c4f8d6a9bd104b2d38ee1f77c1e352dc6105a9fa2e09cccc386d0680e2e3d356970b26c631c5d644037f0a95428fc5ee8e243cb84d61ba

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
