Overview

overview

10

Static

static

3

CheckDevices.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    08-12-2024 18:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CheckDevices.exe

  • Size

    10KB

  • MD5

    ca36f96aa7ca67cf4d2e227ce393349f

  • SHA1

    21cd010dd38abc00992e88901c5f9f33c167cae2

  • SHA256

    c29a78d31165cb75e92f1b383f2b68bed0249342634c25732de51215296cc6c9

  • SHA512

    5c164a58c5c398e9b393dc22df163a5619f89b96112b0b5deec65b4bc9045c738189bd870a979014d349ad8fe479473d9ef3a133110ec87c037865542bb72452

  • SSDEEP

    192:6rduMPMlcK/7GvRoCZgp8+50Z6Ff/3kySosp+yxp34STVJnIfUqqpOU:QPMlcK/7G5oCK0E/UySoyz34uVGfUqqQ

Score
10/10
dcratxwormdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Temp%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/vJmE27fr

Extracted

Family

xworm

Version

3.0

C2

plus-loves.gl.at.ply.gg:59327

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Detect Xworm Payload 4 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 13 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 14 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CheckDevices.exe
    "C:\Users\Admin\AppData\Local\Temp\CheckDevices.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4148
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3948
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1880
    • C:\Users\Admin\AppData\Local\Temp\BulbaZUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\BulbaZUpdate.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BulbaZUpdate.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BulbaZUpdate.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:60
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:964
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5072
      • C:\Users\Admin\AppData\Local\Temp\NQV2YQ816SHBF5X.exe
        "C:\Users\Admin\AppData\Local\Temp\NQV2YQ816SHBF5X.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3880
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NQV2YQ816SHBF5X" /tr "C:\Users\Admin\AppData\Roaming\NQV2YQ816SHBF5X.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:896
      • C:\Users\Admin\AppData\Local\Temp\7M6PJH6A1SAZFQ9.exe
        "C:\Users\Admin\AppData\Local\Temp\7M6PJH6A1SAZFQ9.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2104
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4848
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1556
            • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
              "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
              6⤵
              • Modifies WinLogon for persistence
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:5104
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u550boqk\u550boqk.cmdline"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1952
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA16B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7720C75C93164E08BBC2A6FFD6B0F76B.TMP"
                  8⤵
                    PID:3920
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1xbyz5yw\1xbyz5yw.cmdline"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1932
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1D9.tmp" "c:\Users\Admin\AppData\Roaming\CSCF9712FE1C10C4444B0B354C193C55F8B.TMP"
                    8⤵
                      PID:4492
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v3eids0a\v3eids0a.cmdline"
                    7⤵
                    • Drops file in System32 directory
                    • Suspicious use of WriteProcessMemory
                    PID:3284
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA246.tmp" "c:\Windows\System32\CSCD7528C2BCC5243DE9A1FAE238949250.TMP"
                      8⤵
                        PID:5052
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\wininit.exe'
                      7⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:4732
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\fontdrvhost.exe'
                      7⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:564
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OEM\dllhost.exe'
                      7⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:892
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
                      7⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:2396
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\Registry.exe'
                      7⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:4960
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
                      7⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:344
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TETGOcUKds.bat"
                      7⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1224
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        8⤵
                          PID:5020
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          8⤵
                            PID:1192
                          • C:\Recovery\OEM\dllhost.exe
                            "C:\Recovery\OEM\dllhost.exe"
                            8⤵
                            • Executes dropped EXE
                            PID:3264
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" -NoProfile -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
                2⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3192
            • C:\Users\Admin\AppData\Roaming\NQV2YQ816SHBF5X.exe
              "C:\Users\Admin\AppData\Roaming\NQV2YQ816SHBF5X.exe"
              1⤵
              • Executes dropped EXE
              PID:4672
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
              1⤵
              • Executes dropped EXE
              PID:4528
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\wininit.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2484
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\wininit.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2768
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\wininit.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3220
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:704
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1028
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4608
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\OEM\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1008
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\OEM\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1192
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\OEM\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:644
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3016
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1208
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:568
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\Registry.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2112
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\Registry.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2676
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\Registry.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3524
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 12 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4888
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4048
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 14 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3092
            • C:\Users\Admin\AppData\Roaming\NQV2YQ816SHBF5X.exe
              "C:\Users\Admin\AppData\Roaming\NQV2YQ816SHBF5X.exe"
              1⤵
              • Checks computer location settings
              • Executes dropped EXE
              PID:792
              • C:\Program Files (x86)\Windows Defender\wininit.exe
                "C:\Program Files (x86)\Windows Defender\wininit.exe"
                2⤵
                • Executes dropped EXE
                PID:4032
              • C:\Users\Admin\AppData\Roaming\NQV2YQ816SHBF5X.exe.exe
                "C:\Users\Admin\AppData\Roaming\NQV2YQ816SHBF5X.exe.exe"
                2⤵
                • Executes dropped EXE
                PID:4396
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
              1⤵
              • Checks computer location settings
              • Executes dropped EXE
              PID:3268
              • C:\Program Files (x86)\Windows Defender\wininit.exe
                "C:\Program Files (x86)\Windows Defender\wininit.exe"
                2⤵
                • Executes dropped EXE
                PID:4340
              • C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe
                "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe"
                2⤵
                • Executes dropped EXE
                PID:5020

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            PowerShell

            1
            T1059.001

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Modify Registry

            2
            T1112

            Credential Access

            Credentials from Password Stores

            1
            T1555

            Credentials from Web Browsers

            1
            T1555.003

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            2
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Command and Control

            Web Service

            1
            T1102

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe
              Filesize

              220B

              MD5

              47085bdd4e3087465355c9bb9bbc6005

              SHA1

              bf0c5b11c20beca45cc9d4298f2a11a16c793a61

              SHA256

              80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752

              SHA512

              e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684

              Download Submit

            • C:\HypercomponentCommon\cemEzm0xYx1.bat
              Filesize

              105B

              MD5

              5ee2935a1949f69f67601f7375b3e8a3

              SHA1

              6a3229f18db384e57435bd3308298da56aa8c404

              SHA256

              c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06

              SHA512

              9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a

              Download Submit

            • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
              Filesize

              1.9MB

              MD5

              7be5cea1c84ad0b2a6d2e5b6292c8d80

              SHA1

              631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce

              SHA256

              6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7

              SHA512

              ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NQV2YQ816SHBF5X.exe.log
              Filesize

              654B

              MD5

              11c6e74f0561678d2cf7fc075a6cc00c

              SHA1

              535ee79ba978554abcb98c566235805e7ea18490

              SHA256

              d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

              SHA512

              32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              3KB

              MD5

              3eb3833f769dd890afc295b977eab4b4

              SHA1

              e857649b037939602c72ad003e5d3698695f436f

              SHA256

              c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

              SHA512

              c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log
              Filesize

              847B

              MD5

              37544b654facecb83555afec67d08b33

              SHA1

              4dc0f5db034801784b01befef5c1d3304145e1dc

              SHA256

              ec084a6c6ecd7d31f1927b0cd926ec03ce346a469f24e5a860e05f2241bd7bf4

              SHA512

              4af827ead52c8769672f58a69fca18484aeba1e59b7ec0527e200f8e3d893bcbc1063ea820260fc0b922985ee3b26c3a6f79b4044fb34f1b58f2e3379971b5f9

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              f811272c20ff6decbbd16ff364334427

              SHA1

              cb31be66c972daa61d45920fa2fa824c1dfb194d

              SHA256

              730aff8c9e430a9f9e5e44f1c376e57f42fa5adc744824df2f69855009473592

              SHA512

              5c68bf3a41c3607cad5abe94f2bb3816f3e69426fa7d43bf7c9787c4e9ce6660b1843a2e505a22a93d7008b76fc564078513fe9ef47051e5b6fc344ab9d0a528

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              09540d14fbd41666e7388df66da2ef5e

              SHA1

              04332262621ebc2b84e466c2ba115f68917c4b18

              SHA256

              444751aa6941ee79af0f1a2008556bfbe02033004ff6a16282bcfa950d951167

              SHA512

              4f9a1d92c665cc6e39bb33e6a0492eb503b50b61f86d81ad995756d16540c5384b49c491f9f647685e6bff7b75165c4d9e716d9d06d1fce0ddd60f289a77ff2c

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              54d97b2a9504deeda24b9b719396b3dd

              SHA1

              6f0ccc80c99cf72ffb0442978e3c3eb5b58597fe

              SHA256

              64dcb5963a94b63c79cf4ccc245db85cd2f9314fca4720061df83ec7aaadd372

              SHA512

              5ecfb0e11f81659704f655347c0f34a66b53c831daf7b72ee0a0f982a1e3e432ab2a7e9dd5b77d8c90e9af056a43528813b24e80895020c5cc6a993516192349

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              730d375c503ac7775813330efd853380

              SHA1

              300c1b9ab4fb1434c3d8707309794bdd972717d2

              SHA256

              bc155a091781a76ef6811cf536a50729729fcf645f4232107072178ad186c5ab

              SHA512

              ce04a25ef018692dbc125433d00416badf2a9084d536dd83f8040bfcbac96f7f947ae5d13f147337aa96164553f050a9398ee369a7681f24cadc6b194e8a4f49

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              08b59cf8e2e3a929ea95184bf5aa591a

              SHA1

              4f515ff72e582be6122d1642996c1e575c515e2b

              SHA256

              dc31980e5e8823ff48fd4c1e8fec022358d874c21d3ba766c64fae24ad3aeeeb

              SHA512

              c1af66be8dfaaf2ab50487e77438f9d78bca794fd3e2378cd4f4fb67b4038a02f606b9e8258c29cf0988400b72b903bf3d403b0b6c47c2bc87f4702d644eab71

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              b98d6527b59a6ce74ee1debe99874bf8

              SHA1

              bd6a6b0480f7195743baad430af3bea3ae873921

              SHA256

              4327bd56e3c8f3dc8810da66190483589a91a64cff2997321e0f78bf0c3a2100

              SHA512

              a345396544f241bb8f2839ae36c385ac568e1e36bf0b1a6863d4fbaa11212876896cc899cd4aa096a19bc8db09ead46564285842afc3925bfa4cf71ba7046269

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              a5aff2a874f50b1f4b6049f64efb45c0

              SHA1

              72abaf778dcf4ca73737ed94170374469fd97a75

              SHA256

              7c5870ea73eab424ce80db0789b6b38e2b3f34d9b58f39131c353458dac91f78

              SHA512

              801e844b063b681bf33da72e05feb083b835eca4710e7436befc443fb59cdd5759b01cd6754cd92e2409c5303d3654ef82a89ca8aedb3e450f015c76320ccd71

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              a57def4801e203be8419d003bedf9c9b

              SHA1

              230bc8fb49be0c852f2e39b0fc2edfe6175dc11e

              SHA256

              4b5c2d5c721ed4af1aa7a0d1bc5b84bbebf060a1889201cb3f0da0ffdf17cde4

              SHA512

              32008239dd28e6b85b66cd5c0e780b85eeb118b4f232b22e62d49d6a889679acf716554565cfc759be2fccc9abdd31e56e803513283db2c2dd29b966a731ea71

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              41b8b3dc843bb68cece421e263fcaf31

              SHA1

              576998931b3e982a9d0cc30a46973c4d6d934a53

              SHA256

              d8f3108fad9f28dc5b6efae92b55004f57019d862cc0548f9b5f9b84fde1ba52

              SHA512

              7ac0f22425feb43c0a0cd23256bac03b1143a4299ce469cf6bcb86a78377896149552d4c378b1955578084bfc334935c0daca621bf42904cfaeba45699083493

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              94861ff8461631e24b49b9ef8166e607

              SHA1

              54fc909130b4f81326131951bbcc527945385b16

              SHA256

              686b1fc015187ec2b24d6b2901417fb3400d27c15de31672b924b65c462b76b9

              SHA512

              4fbbe50210da2569500c8133f37ed857d45c81241f69dd0537ebed02d8cf217f83d082b2cad8bb737b1e4030653fef2e19de1c97bcb08e013b5a493280b1fa99

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              665cbc2fcb1f6907718df75b0d48010c

              SHA1

              73995dd73eeda2828d48267e81d9a017bb6366ef

              SHA256

              2aaf253f26b34b669b71f3963b4b6b88258c03fa0277d728d5fa6ee275ab2315

              SHA512

              6b25da82ba66f5de42922a68509dfa8adbb382bb04d1d326ad0c74d6e334e46b25631c3f13367b55bf27126bc8455973e80726bf2ef83a9aa6c3003ff597569b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7M6PJH6A1SAZFQ9.exe
              Filesize

              2.2MB

              MD5

              05d87a4a162784fd5256f4118aff32af

              SHA1

              484ed03930ed6a60866b6f909b37ef0d852dbefd

              SHA256

              7e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950

              SHA512

              3d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\BulbaZUpdate.exe
              Filesize

              73KB

              MD5

              d6e46bbc2d5aff61a5a6ef1e9622cd74

              SHA1

              07df7137ffd475f77bdbdc6c25e9a17d41807bc0

              SHA256

              337d1a295dc78a08800cbb19f8dcb563218eb0a89819282384990f6a8fe305be

              SHA512

              d0ae2166d11c683e14db1149a3f498a4868442fad08384440dcdccc18c0110f295307e3d41885b8b540c1c964d4e6db102fb6b014b3a7cf64d8b2dadb075638f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\NQV2YQ816SHBF5X.exe
              Filesize

              185KB

              MD5

              e0c8976957ffdc4fe5555adbe8cb0d0c

              SHA1

              226a764bacfa17b92131993aa85fe63f1dbf347c

              SHA256

              b8260ac46e03f2a7baa9ae01bee5443d16d9eb96f6ee8588a887d6de72a750d4

              SHA512

              3a1ea48e81ebfd5586938a72afd68bcc48d4c5d69949cfdacf33aee3371d98f202443f5db12bac876ca7cecc982ddc56827f8d9b1857d22bda71242d5b2cc71e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RESA16B.tmp
              Filesize

              1KB

              MD5

              e2e47067026f89d6c3d3b1b460238f1a

              SHA1

              5b37ffa065ddce7b5efc5d92c23f19ebdc9fed9e

              SHA256

              f2453c59669be5e11031667f2f7eed68ca50153bc3babf12f5b3286795cba1b8

              SHA512

              8b74687c272d2bdb9fe197daf3a2cd2e209ac56c52adfbc1fe9ba47e9ba45ad301c57936f97298ac67c2eca3df39b8874c512d13c457c997fbe244cd31a483c8

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RESA1D9.tmp
              Filesize

              1KB

              MD5

              793a7252e9ad98f147b707146b60ec1e

              SHA1

              9d0961683ed060899358920b0b6bf5f485b83ee5

              SHA256

              2273e3dc6e2908f0ebb677a27cebdb24eb39c9ed15686d551595dee68a4202ab

              SHA512

              4a945616a27e6b9a2af537e2a26cdaadf277a1cb6d13fa46317b64bb515c3a2dccef11fdf76d1971846f218e6f8f482e6620a15a9a509fee30db8df6c781ab69

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RESA246.tmp
              Filesize

              1KB

              MD5

              317816f0158752b3adaad059b9c210ab

              SHA1

              f52659dfa0418094ccc0d4d803bec9627d75ac79

              SHA256

              3fa0a451c5c284d1bb959dd6690aca5da7b8ae0fdbce1596c6410fee3ea5d54d

              SHA512

              1fff1233ec0ea727eef9daefc19ec20bbc970774fe7aa74247e20c6e0c4ae92fda1712bbd3044dc53cdceaef0c4062079309f6b38879a2511b6daa2922cae2c4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\TETGOcUKds.bat
              Filesize

              203B

              MD5

              f91f9882afa40b55d08acd9bca0fbab2

              SHA1

              3553c57789c4acce742b8a267fbcece6ace3a200

              SHA256

              005931e5d1c9a9730b6b588b3cfb191aaba7655bef7ed359436852fbd6b9ed38

              SHA512

              48d842e2a59c99eb87666af98d6ce4d911acce0e48db8eb743a91ed935e214da27ac6792279e4dba9f435e4d7bfd8d1f1b1d79759473f1924dc72ae40c61814f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hswdriqu.pha.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              Filesize

              4KB

              MD5

              ea87c77fcf5454c0675e0f67609d2f8a

              SHA1

              45e3856a90d405d9e694d95362c53d3e27d3d2ef

              SHA256

              db0d9c41d71601048608499e5fdac10ff2f5e0cb724424f71d8b75600cf104f0

              SHA512

              27e7da2afca205a288b3e83ab7b0ec279e96da121300260ea60f691ec81eac57e9f3de227717a67b24a93068deb74a879e0bca88c21d5630a9af4e8b06e5ddfa

              Download Submit

            • C:\Users\Admin\AppData\Roaming\NQV2YQ816SHBF5X.exe
              Filesize

              4KB

              MD5

              2a6a83bd9f0d6f4d3a99407088354ca9

              SHA1

              97cd1862c012db3a63488c43b72696a88d400886

              SHA256

              cf48ba2148253665a47b4612ede70597f3787757db6293d46a90f522da0f304b

              SHA512

              98b7067ff184ed52f3e41e09747899f189768d62a1052aa62baf2dd7fee5d6c42543c1b04d988d412eef3f07cf688a3d4862421a6f186e5b46a2ec5045bae0e1

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\1xbyz5yw\1xbyz5yw.0.cs
              Filesize

              403B

              MD5

              91c13d1dd01abbc5f4b076f1afa8e210

              SHA1

              471322ea91802103ea72b1419d7ae379409f8f62

              SHA256

              f4c1582d0078bf5178ea0b67f92c8e2169a2a7447d93314383023923e5733a2a

              SHA512

              f23084d3c07c5e848c01a4c39b51829cc1e9c72b0f1d6ee5fccacd8423622f8f41999ce4852ce09d74d1455aec2e14f9184ae322aebcd196e26727cc40d9f601

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\1xbyz5yw\1xbyz5yw.cmdline
              Filesize

              255B

              MD5

              2500945a2290f340cd24a6cd2e7755eb

              SHA1

              d371c8dbd63edbdc6e1fc64298bdf2b111ee86e3

              SHA256

              70079c262aaec923649faa6859ef63b66366eb780f02c107f313adeaaaad39d8

              SHA512

              5994ac29b88b67eaf4d6495edc084ef3674d8330f1f66f18fefc72bcbf8fc926d09f0a41d7466a6c770a7772dbb5a3615b8f5d167040e1fe0840d7942616109c

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\CSC7720C75C93164E08BBC2A6FFD6B0F76B.TMP
              Filesize

              1KB

              MD5

              b10290e193d94a5e3c95660f0626a397

              SHA1

              7b9de1fd7a43f6f506e5fc3426836b8c52d0d711

              SHA256

              75c9e1766bfb99754b6a00d37ef93488ab216b5ac48984ed7d9d2076a7056fd2

              SHA512

              6ae4201552a499eaa726416b29230f48d94ac7f40ff038165bf8582626bbefe601ef6c051ad97d9156dc4b9b55fd22081db61bcd013916136340c5f1324e4bb5

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\u550boqk\u550boqk.0.cs
              Filesize

              398B

              MD5

              e8099715caf5d00ba46b9b8d6cbc1d5b

              SHA1

              4db421ffa74c88e1b0d6d4ae0c9a422698ffe6ba

              SHA256

              4b7c4c5917a21ac6b1073914dbe857c21c7cceb54c2240c3bc2dfd84d194f795

              SHA512

              53448ae4038608cc580c905f514d34ff879133c9e719ef3413ed625427deac05b85b6932bb01c4112daefb60e4b26318d2c9f55d71d9785e15026babf18efe2f

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\u550boqk\u550boqk.cmdline
              Filesize

              250B

              MD5

              fe7930c9e03cd18ea2c468b25e361816

              SHA1

              1cf66654152ab7faeb64f8b45f01349ba75229d5

              SHA256

              39844343229efee92f8437d0d396f765c3ac04420fad8594c127138458a3fe15

              SHA512

              e3fcf5648a26f7bbffe13c027a9b55f00ae7286485eeff5f9ac9aa8e8a3abaa8f7e6993723a1c0b9fe6023a74fe1d022e208180128ad32f0d7f04cb4b4b89a45

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\v3eids0a\v3eids0a.0.cs
              Filesize

              383B

              MD5

              37bdc953c1da93a7c16d5412a2051534

              SHA1

              c8d312b6060c3c0e271ef12c77d8887f21aff4fc

              SHA256

              2fd464bf90855d52f69cf70f418fa6c5d53eca19c90ef0ee5b25db325c61bb63

              SHA512

              02a46d9c07a2f1f5897a8dfc41a913b4b6869c8a684022c72ac06dd418e412737ae319a7655dfb555bf8bcd47b8914f789161c378210039701265921e09ec5d5

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\v3eids0a\v3eids0a.cmdline
              Filesize

              235B

              MD5

              242d9eff2221fe9ddad20f5acd7a4b83

              SHA1

              d0f4e494da53a5e29d7e7aacba58a0d8a0d240ad

              SHA256

              e96e2b599e620e4c4b400919aef6459c2d4f2963521074ef520841f6ccd1c997

              SHA512

              b86e129e03008ab4e1a3302952e9bb1d200247165fbf75f6057b69289ad3d5f857ad9d76f97db2c1dee48776714b214a1586b891382e4877f27b906739f0e57b

              Download Submit

            • \??\c:\Users\Admin\AppData\Roaming\CSCF9712FE1C10C4444B0B354C193C55F8B.TMP
              Filesize

              1KB

              MD5

              b9076fe9de0b2263d16ee2f5b19125c0

              SHA1

              3b35fc16ec8a6419ed86a1ad6ef911d68677d3a4

              SHA256

              232a697019ab9d44feac5a6ff974123c0923ea51befa766de160d9e6cbcda8f7

              SHA512

              9a46696b66ae218d438e6f860ff3144e38f575a85612024c4bc8b725684cd82166c2778b445a5ee9e525e96f9213695606168dab1a34e2adaa829062bf6388d1

              Download Submit

            • \??\c:\Windows\System32\CSCD7528C2BCC5243DE9A1FAE238949250.TMP
              Filesize

              1KB

              MD5

              b7890074c0676df846c8d319664a263c

              SHA1

              282b65c3ece5648ff1e2bca3fd63c81976f50578

              SHA256

              6f8f38bce1f63faeddbdf63cac6f27c360964fb4ab63aa611acc1e3ba9a55853

              SHA512

              5bee1cf30abb475f9170399688191287b598d51eeb5905fb6a6930d49ae9c1fe831a68d3679747c47efc8cd363bda6ec9330dbdece4de5b77acd4d53fa9f980a

              Download Submit

            • memory/792-370-0x00000000007F0000-0x00000000007F8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1880-68-0x000000006FC60000-0x000000006FCAC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1880-56-0x0000000005850000-0x0000000005BA7000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1880-78-0x0000000006E70000-0x0000000006F13000-memory.dmp

              Filesize

              652KB

              Download

            • memory/1880-80-0x0000000074620000-0x0000000074DD1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1880-55-0x0000000074620000-0x0000000074DD1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1880-53-0x0000000074620000-0x0000000074DD1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1880-52-0x0000000074620000-0x0000000074DD1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1880-67-0x0000000006220000-0x000000000626C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1964-128-0x000001D2751B0000-0x000001D2751D2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1964-133-0x000001D274E60000-0x000001D27507D000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/1964-132-0x000001D274DF0000-0x000001D274E3C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/3192-106-0x00000000066A0000-0x00000000066EC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/3192-117-0x00000000075B0000-0x0000000007653000-memory.dmp

              Filesize

              652KB

              Download

            • memory/3192-107-0x000000006F0A0000-0x000000006F0EC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/3192-104-0x0000000005E90000-0x00000000061E7000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/3268-376-0x0000000000750000-0x0000000000758000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3880-187-0x00000000008B0000-0x00000000008E4000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3948-40-0x0000000007A20000-0x0000000007AC3000-memory.dmp

              Filesize

              652KB

              Download

            • memory/3948-12-0x0000000005940000-0x00000000059A6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/3948-7-0x00000000031C0000-0x00000000031F6000-memory.dmp

              Filesize

              216KB

              Download

            • memory/3948-8-0x0000000074620000-0x0000000074DD1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3948-9-0x0000000074620000-0x0000000074DD1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3948-48-0x0000000074620000-0x0000000074DD1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3948-45-0x0000000074620000-0x0000000074DD1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3948-44-0x0000000007DD0000-0x0000000007E66000-memory.dmp

              Filesize

              600KB

              Download

            • memory/3948-43-0x0000000007BB0000-0x0000000007BBA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3948-42-0x0000000007B50000-0x0000000007B6A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/3948-10-0x0000000005A10000-0x00000000060DA000-memory.dmp

              Filesize

              6.8MB

              Download

            • memory/3948-11-0x00000000058A0000-0x00000000058C2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3948-22-0x00000000061D0000-0x0000000006527000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/3948-23-0x0000000006810000-0x000000000682E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/3948-24-0x0000000006830000-0x000000000687C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/3948-27-0x0000000074620000-0x0000000074DD1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3948-26-0x00000000701A0000-0x00000000701EC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/3948-41-0x00000000081A0000-0x000000000881A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/3948-25-0x00000000079C0000-0x00000000079F2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/3948-39-0x0000000074620000-0x0000000074DD1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3948-37-0x0000000074620000-0x0000000074DD1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3948-38-0x0000000007A00000-0x0000000007A1E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4148-54-0x0000000074620000-0x0000000074DD1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4148-1-0x0000000000890000-0x0000000000898000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4148-2-0x00000000056B0000-0x0000000005C56000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4148-3-0x00000000051A0000-0x0000000005232000-memory.dmp

              Filesize

              584KB

              Download

            • memory/4148-0-0x000000007462E000-0x000000007462F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4148-4-0x0000000005150000-0x000000000515A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4148-5-0x0000000074620000-0x0000000074DD1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4148-6-0x00000000070F0000-0x0000000007156000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4148-51-0x000000007462E000-0x000000007462F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4624-94-0x0000000000C30000-0x0000000000C48000-memory.dmp

              Filesize

              96KB

              Download

            • memory/4624-172-0x000000001CBA0000-0x000000001CBAC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/5104-234-0x000000001B860000-0x000000001B8B0000-memory.dmp

              Filesize

              320KB

              Download

            • memory/5104-229-0x0000000000A80000-0x0000000000C66000-memory.dmp

              Filesize

              1.9MB

              Download

            • memory/5104-231-0x0000000001430000-0x000000000143E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/5104-233-0x000000001B7B0000-0x000000001B7CC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/5104-236-0x000000001B7D0000-0x000000001B7E8000-memory.dmp

              Filesize

              96KB

              Download

            • memory/5104-238-0x0000000001440000-0x000000000144E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/5104-240-0x00000000014E0000-0x00000000014EC000-memory.dmp

              Filesize

              48KB

              Download