Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    06-12-2024 07:41

General

  • Target

    CrackLauncher.exe

  • Size

    81KB

  • MD5

    f068a2f351d11284fee8d768a64f6c9c

  • SHA1

    6fcba43b6b6024c8795d699f638444654714c276

  • SHA256

    4854a1611616f474d7241dc0268f913f92887a383a81e2dba1186c358cf93f22

  • SHA512

    856c01cfbde2b8a41564a77f07b5561d69679da6a0af8da86d6dc869309d04cabac0a06c37560456e8bf6dfa0f04e342b57f2afbcb5ddbf4d0bbe06944387ff2

  • SSDEEP

    1536:NfFb0NWmGRk7di8n/7IbDqS8a1gMGT6tVOUVprKsZ:NBrk7dHIbDMMJVOUVpdZ

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/vJmE27fr

Extracted

Family

xworm

Version

3.0

C2

plus-loves.gl.at.ply.gg:59327

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Detect Xworm Payload (4 IoCs)
  • Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
  • Process spawned unexpected child process (18 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell (1 TTP, 10 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Checks computer location settings (2 TTPs, 9 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Drops startup file (4 IoCs)
  • Executes dropped EXE (16 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application (2 TTPs, 14 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (7 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class (2 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 20 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (24 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CrackLauncher.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2856
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4152
    • C:\Users\Admin\AppData\Local\Temp\0CL3VFCW2AZHAWY.exe
      "C:\Users\Admin\AppData\Local\Temp\0CL3VFCW2AZHAWY.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:60
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "0CL3VFCW2AZHAWY" /tr "C:\Users\Admin\AppData\Roaming\0CL3VFCW2AZHAWY.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2044
    • C:\Users\Admin\AppData\Local\Temp\40KRNS9E3DPKM3P.exe
      "C:\Users\Admin\AppData\Local\Temp\40KRNS9E3DPKM3P.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4516
          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2800
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4nebwnl0\4nebwnl0.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2104
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2323.tmp" "c:\ProgramData\CSC13FBD57C4B34D6D9E46D64961A72D8.TMP"
                7⤵
                PID:3632
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkltrvak\gkltrvak.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2168
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23DF.tmp" "c:\Users\Admin\AppData\Roaming\CSC628C5F9ECBD8445DAB85C7FC37564891.TMP"
                7⤵
                PID:2184
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\st4vl3r3\st4vl3r3.cmdline"
              6⤵
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:552
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2507.tmp" "c:\Windows\System32\CSC3783865C5BB94E8CB9D47FED5E42CFD1.TMP"
                7⤵
                PID:1280
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\sppsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1528
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\RuntimeBroker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3068
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4960
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1952
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\unsecapp.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1300
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:548
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fL07aIBaov.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:968
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                PID:3712
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                7⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2584
              • C:\Program Files (x86)\Windows Defender\unsecapp.exe
                "C:\Program Files (x86)\Windows Defender\unsecapp.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:4656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Cursors\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\unsecapp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 8 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 12 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1960
  • C:\ProgramData\svchost.exe
    C:\ProgramData\svchost.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\Cursors\sppsvc.exe
      "C:\Windows\Cursors\sppsvc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:436
    • C:\ProgramData\svchost.exe.exe
      "C:\ProgramData\svchost.exe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1060
  • C:\Users\Admin\AppData\Roaming\0CL3VFCW2AZHAWY.exe
    C:\Users\Admin\AppData\Roaming\0CL3VFCW2AZHAWY.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Users\Admin\AppData\Roaming\0CL3VFCW2AZHAWY.exe.exe
      "C:\Users\Admin\AppData\Roaming\0CL3VFCW2AZHAWY.exe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4504
    • C:\Windows\Cursors\sppsvc.exe
      "C:\Windows\Cursors\sppsvc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3476
  • C:\ProgramData\svchost.exe
    C:\ProgramData\svchost.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    PID:3632
    • C:\ProgramData\svchost.exe.exe
      "C:\ProgramData\svchost.exe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3968
    • C:\Windows\Cursors\sppsvc.exe
      "C:\Windows\Cursors\sppsvc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
  • C:\Users\Admin\AppData\Roaming\0CL3VFCW2AZHAWY.exe
    C:\Users\Admin\AppData\Roaming\0CL3VFCW2AZHAWY.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    PID:4660
    • C:\Users\Admin\AppData\Roaming\0CL3VFCW2AZHAWY.exe.exe
      "C:\Users\Admin\AppData\Roaming\0CL3VFCW2AZHAWY.exe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3496
    • C:\Windows\Cursors\sppsvc.exe
      "C:\Windows\Cursors\sppsvc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4792

Downloads


          • C:\Users\Admin\AppData\Roaming\0CL3VFCW2AZHAWY.exe

            Filesize

            4KB

            MD5

            f2c269189de5c8eb7fe13d38f53019dd

            SHA1

            77626ba1f43394b982d9b6a10f01036d24a6e45e

            SHA256

            4a01debff11018b9ef5640316f6b455d0fcc037757933ff31f4ce6c8862ab0fa

            SHA512

            b2043db5cc9170b5a2af3ed2e7dec821d9728ce96269d871b47a895c635f37ff4219df39cd91d4dbdf5234809757b5625aeb2f48e9fe9487618302c4de5a41c2

          • \??\c:\ProgramData\CSC13FBD57C4B34D6D9E46D64961A72D8.TMP

            Filesize

            1KB

            MD5

            b10290e193d94a5e3c95660f0626a397

            SHA1

            7b9de1fd7a43f6f506e5fc3426836b8c52d0d711

            SHA256

            75c9e1766bfb99754b6a00d37ef93488ab216b5ac48984ed7d9d2076a7056fd2

            SHA512

            6ae4201552a499eaa726416b29230f48d94ac7f40ff038165bf8582626bbefe601ef6c051ad97d9156dc4b9b55fd22081db61bcd013916136340c5f1324e4bb5

          • \??\c:\Users\Admin\AppData\Local\Temp\4nebwnl0\4nebwnl0.0.cs

            Filesize

            357B

            MD5

            69ebefa586f2b3ddfd23a3e09d596193

            SHA1

            a50ede11aaa81f353f527757505b701850431f0e

            SHA256

            5550706124b93bbfa004fcb312f4575274717a297164eda47235f60a1dabd6d9

            SHA512

            e0efa05a90b7d1eda44b5512bfdf87c276ee25d1308e2660f3bdb0c0faceafa6584c70447ef9568e59b7bdd119013fe7e4760e2d2d0dcf9cea702091e099dd28

          • \??\c:\Users\Admin\AppData\Local\Temp\4nebwnl0\4nebwnl0.cmdline

            Filesize

            231B

            MD5

            8f0d35d87093878d14c65ca85f062bec

            SHA1

            e5f7f76e76dcef49e911eaf489507f5d42473826

            SHA256

            7a9f1d6d88f3066cdff52cc716869526450fbce6662af6fe7ccae9a21dccc52c

            SHA512

            a505b6e2684300c2ee31f21cc59021146d51eb59c79394bedd1365256e0f1e27579b0c530124b69f4155ae79a5762849b6d0f6e4f4386b85fc0d2c3119240fb4

          • \??\c:\Users\Admin\AppData\Local\Temp\gkltrvak\gkltrvak.0.cs

            Filesize

            381B

            MD5

            2f64c7a4ef3d1143669fb62c43a2bd35

            SHA1

            420b0c2442b1f2096a3e8da3702a0a4f90cf9929

            SHA256

            01d417ffa5b9081e5e3eb366353bc4f05fecc9a8f244f87afe29352d421f8191

            SHA512

            99592152b6a9843ca633b2667ab115bd32192678ceedf678c9d0231565a4b6e05e30af3dc634df71de017004660370ecdbd886a4fb74cb09a42923a13caf5b24

          • \??\c:\Users\Admin\AppData\Local\Temp\gkltrvak\gkltrvak.cmdline

            Filesize

            255B

            MD5

            e273df028a46eb5b5f71d1b8f177b332

            SHA1

            6a05bf1c735bf1dc109f484120c4e85c1c91a5b0

            SHA256

            0a5d275772bcee203233cad52665b80de5246c248e5d8d17cd83aeacdb397831

            SHA512

            5087220e2c9dd2576447f6d88c92068de3d6fe4ff138d13bef1d33417389f4a90674f9c900d8a7135e319cc81970bb98c041f60b6b121eab3fdd9d678dc244da

          • \??\c:\Users\Admin\AppData\Local\Temp\st4vl3r3\st4vl3r3.0.cs

            Filesize

            361B

            MD5

            22026f9c04c5c49e64eed742f6574cac

            SHA1

            944244f9133405c4df614a8b13c335192fe876e0

            SHA256

            63bbf89711c399db10d11460259d429403db6447c30a1046408978ab11e6b326

            SHA512

            686e43805819f25cfc6071b514f9b918ff5255758616ee24b16562e9a8c9f474cb97dfa883988df6a90aee8da8c03416367445610166107e61ca4fb42ec84218

          • \??\c:\Users\Admin\AppData\Local\Temp\st4vl3r3\st4vl3r3.cmdline

            Filesize

            235B

            MD5

            0641cdf28cc14e963805b433635ea414

            SHA1

            2a54c7dfdd201e13cd0081c63c48ae1d83fbbcdd

            SHA256

            5db633e2a741fb9147769dc5940aac8b8ed39e1a795a0f2e1e04d364e1f5f531

            SHA512

            74404ebe61b91feb8d134b480548448c6c4ac9a36eb1e724faeb78a07649d90297f1a7b18c748187eb8df65e89d8da5b8d8c0862c8743d9062249cc51cf1fc02

          • \??\c:\Users\Admin\AppData\Roaming\CSC628C5F9ECBD8445DAB85C7FC37564891.TMP

            Filesize

            1KB

            MD5

            6e87a73e2f0a1d7d094ea64590a538a9

            SHA1

            18336bb40f4393fad0203eb99bcd2cb3d0dd0949

            SHA256

            7f7861c0ed7e54eeb9adca6570288b3735b51c517daad4a8add6eee85aa3d674

            SHA512

            4d9e29c225a82174fa52eb32d1ddc6511c20143f0e7e817e6ebf7f60cf8c4fedbeebfc6dca03077179fce8d7ab6fae70de77cc72fd70780b0ae0e3c3cc5fbb36

          • \??\c:\Windows\System32\CSC3783865C5BB94E8CB9D47FED5E42CFD1.TMP

            Filesize

            1KB

            MD5

            034b083b6729ade0b138a24cbdd66c6d

            SHA1

            299c5a9dd91498cfc4226a5fe6d52ea633c2d148

            SHA256

            8e3aa7a68c0bfea6cae11fe40e79aa1483bc2e43c4c3fd11fcebca1f7bcea0d2

            SHA512

            43f68ec3211f2d1eb3a095713b3988a5b45a6fb03136876431edd3b25b628f904079557cbb60d0107c0444551db274c8e6817d63a543e8a7e390206af64d1cc3

          • memory/60-71-0x0000000000C60000-0x0000000000C94000-memory.dmp (Filesize: 208KB)

          • memory/1868-8-0x00007FFFDA610000-0x00007FFFDB0D1000-memory.dmp (Filesize: 10.8MB)

          • memory/1868-9-0x000002069DF10000-0x000002069DF32000-memory.dmp (Filesize: 136KB)

          • memory/1868-18-0x00007FFFDA610000-0x00007FFFDB0D1000-memory.dmp (Filesize: 10.8MB)

          • memory/1868-14-0x00007FFFDA610000-0x00007FFFDB0D1000-memory.dmp (Filesize: 10.8MB)

          • memory/1868-15-0x00007FFFDA610000-0x00007FFFDB0D1000-memory.dmp (Filesize: 10.8MB)

          • memory/1904-233-0x0000000000490000-0x0000000000498000-memory.dmp (Filesize: 32KB)

          • memory/2800-107-0x000000001B410000-0x000000001B428000-memory.dmp (Filesize: 96KB)

          • memory/2800-100-0x00000000002B0000-0x0000000000496000-memory.dmp (Filesize: 1.9MB)

          • memory/2800-109-0x0000000002540000-0x000000000254E000-memory.dmp (Filesize: 56KB)

          • memory/2800-111-0x000000001B030000-0x000000001B03C000-memory.dmp (Filesize: 48KB)

          • memory/2800-105-0x000000001B460000-0x000000001B4B0000-memory.dmp (Filesize: 320KB)

          • memory/2800-104-0x000000001B0E0000-0x000000001B0FC000-memory.dmp (Filesize: 112KB)

          • memory/2800-102-0x0000000002530000-0x000000000253E000-memory.dmp (Filesize: 56KB)

          • memory/3136-243-0x0000000000BC0000-0x0000000000BC8000-memory.dmp (Filesize: 32KB)

          • memory/4900-0-0x00007FFFDA613000-0x00007FFFDA615000-memory.dmp (Filesize: 8KB)

          • memory/4900-59-0x000000001BE90000-0x000000001BE9C000-memory.dmp (Filesize: 48KB)

          • memory/4900-58-0x00007FFFDA610000-0x00007FFFDB0D1000-memory.dmp (Filesize: 10.8MB)

          • memory/4900-57-0x00007FFFDA613000-0x00007FFFDA615000-memory.dmp (Filesize: 8KB)

          • memory/4900-2-0x00007FFFDA610000-0x00007FFFDB0D1000-memory.dmp (Filesize: 10.8MB)

          • memory/4900-1-0x0000000000F60000-0x0000000000F7A000-memory.dmp (Filesize: 104KB)