azorult | 75811ee3e3c7908fc2804cee757e25aefa4bec5f5aa7ae15f45313f000fa0074

Analysis

max time kernel
149s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4825d64fc548637adedb9b4b808ed7cd.exe
Size

1.4MB
MD5

4825d64fc548637adedb9b4b808ed7cd
SHA1

0deb418a6c28e89dd31ea69f0edb112162fe91c8
SHA256

75811ee3e3c7908fc2804cee757e25aefa4bec5f5aa7ae15f45313f000fa0074
SHA512

a7530571caed90ec71ec17439afe89030fcbfbfa12d029d9e21de302bd54fc933ab6acb41975b28718d44b372105b34a3cf3becfdf0484765179cc516b939675
SSDEEP

24576:ckJ57Lut19vrBg9qm+BZkvgt7DYOl+FbSoLCwcpN5tgLG6OI8mMe2WLPFouzt:T7LG1V/dBZkY1Yo+X+tgLGPi2WLPFoup

Score

10^/10

azorult oski zgrat infostealer rat spyware stealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1636-226-0x0000000009C00000-0x0000000009D1E000-memory.dmp	family_zgrat_v1
behavioral2/memory/1636-225-0x0000000009C00000-0x0000000009D1E000-memory.dmp	family_zgrat_v1

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Hsbvhggsqlrfmuvyptooonsoleapp5.exe4825d64fc548637adedb9b4b808ed7cd.exeOggnfkemtibcinconsoleapp16.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	4825d64fc548637adedb9b4b808ed7cd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	Oggnfkemtibcinconsoleapp16.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 4 IoCs

Processes:

Oggnfkemtibcinconsoleapp16.exeOggnfkemtibcinconsoleapp16.exeHsbvhggsqlrfmuvyptooonsoleapp5.exeHsbvhggsqlrfmuvyptooonsoleapp5.exe

pid	process
4304	Oggnfkemtibcinconsoleapp16.exe
3856	Oggnfkemtibcinconsoleapp16.exe
4264	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
4140	Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

Processes:

4825d64fc548637adedb9b4b808ed7cd.exeOggnfkemtibcinconsoleapp16.exeHsbvhggsqlrfmuvyptooonsoleapp5.exe

description	pid	process	target process
PID 1636 set thread context of 548	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 4304 set thread context of 3856	4304	Oggnfkemtibcinconsoleapp16.exe	Oggnfkemtibcinconsoleapp16.exe
PID 4264 set thread context of 4140	4264	Hsbvhggsqlrfmuvyptooonsoleapp5.exe	Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2528 4140 WerFault.exe Hsbvhggsqlrfmuvyptooonsoleapp5.exe

pid	pid_target	process	target process
2528	4140	WerFault.exe	Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Modifies registry class 2 IoCs

Processes:

4825d64fc548637adedb9b4b808ed7cd.exeOggnfkemtibcinconsoleapp16.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	4825d64fc548637adedb9b4b808ed7cd.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	Oggnfkemtibcinconsoleapp16.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeConhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe4825d64fc548637adedb9b4b808ed7cd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOggnfkemtibcinconsoleapp16.exe

pid	process
224	powershell.exe
224	powershell.exe
1308	powershell.exe
1308	powershell.exe
4464	powershell.exe
4464	powershell.exe
5104	Conhost.exe
5104	Conhost.exe
4868	powershell.exe
4868	powershell.exe
1444	powershell.exe
1444	powershell.exe
3528	powershell.exe
3528	powershell.exe
1712	powershell.exe
1712	powershell.exe
776	powershell.exe
776	powershell.exe
2924	powershell.exe
2924	powershell.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
1636	4825d64fc548637adedb9b4b808ed7cd.exe
224	powershell.exe
224	powershell.exe
900	powershell.exe
900	powershell.exe
1960	powershell.exe
1960	powershell.exe
2296	powershell.exe
2296	powershell.exe
3628	powershell.exe
3628	powershell.exe
4560	powershell.exe
4560	powershell.exe
2980	powershell.exe
2980	powershell.exe
1840	powershell.exe
1840	powershell.exe
1080	powershell.exe
1080	powershell.exe
2264	powershell.exe
2264	powershell.exe
4304	Oggnfkemtibcinconsoleapp16.exe
4304	Oggnfkemtibcinconsoleapp16.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeConhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe4825d64fc548637adedb9b4b808ed7cd.exe

description	pid	process
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	5104	Conhost.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeIncreaseQuotaPrivilege	776	powershell.exe
Token: SeSecurityPrivilege	776	powershell.exe
Token: SeTakeOwnershipPrivilege	776	powershell.exe
Token: SeLoadDriverPrivilege	776	powershell.exe
Token: SeSystemProfilePrivilege	776	powershell.exe
Token: SeSystemtimePrivilege	776	powershell.exe
Token: SeProfSingleProcessPrivilege	776	powershell.exe
Token: SeIncBasePriorityPrivilege	776	powershell.exe
Token: SeCreatePagefilePrivilege	776	powershell.exe
Token: SeBackupPrivilege	776	powershell.exe
Token: SeRestorePrivilege	776	powershell.exe
Token: SeShutdownPrivilege	776	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeSystemEnvironmentPrivilege	776	powershell.exe
Token: SeRemoteShutdownPrivilege	776	powershell.exe
Token: SeUndockPrivilege	776	powershell.exe
Token: SeManageVolumePrivilege	776	powershell.exe
Token: 33	776	powershell.exe
Token: 34	776	powershell.exe
Token: 35	776	powershell.exe
Token: 36	776	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeIncreaseQuotaPrivilege	2924	powershell.exe
Token: SeSecurityPrivilege	2924	powershell.exe
Token: SeTakeOwnershipPrivilege	2924	powershell.exe
Token: SeLoadDriverPrivilege	2924	powershell.exe
Token: SeSystemProfilePrivilege	2924	powershell.exe
Token: SeSystemtimePrivilege	2924	powershell.exe
Token: SeProfSingleProcessPrivilege	2924	powershell.exe
Token: SeIncBasePriorityPrivilege	2924	powershell.exe
Token: SeCreatePagefilePrivilege	2924	powershell.exe
Token: SeBackupPrivilege	2924	powershell.exe
Token: SeRestorePrivilege	2924	powershell.exe
Token: SeShutdownPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeSystemEnvironmentPrivilege	2924	powershell.exe
Token: SeRemoteShutdownPrivilege	2924	powershell.exe
Token: SeUndockPrivilege	2924	powershell.exe
Token: SeManageVolumePrivilege	2924	powershell.exe
Token: 33	2924	powershell.exe
Token: 34	2924	powershell.exe
Token: 35	2924	powershell.exe
Token: 36	2924	powershell.exe
Token: SeDebugPrivilege	1636	4825d64fc548637adedb9b4b808ed7cd.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeIncreaseQuotaPrivilege	224	powershell.exe
Token: SeSecurityPrivilege	224	powershell.exe
Token: SeTakeOwnershipPrivilege	224	powershell.exe
Token: SeLoadDriverPrivilege	224	powershell.exe
Token: SeSystemProfilePrivilege	224	powershell.exe
Token: SeSystemtimePrivilege	224	powershell.exe
Token: SeProfSingleProcessPrivilege	224	powershell.exe
Token: SeIncBasePriorityPrivilege	224	powershell.exe
Token: SeCreatePagefilePrivilege	224	powershell.exe
Token: SeBackupPrivilege	224	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4825d64fc548637adedb9b4b808ed7cd.exeConhost.exeOggnfkemtibcinconsoleapp16.exe

description	pid	process	target process
PID 1636 wrote to memory of 224	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 224	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 224	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 1308	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 1308	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 1308	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 4464	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 4464	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 4464	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 5104	1636	4825d64fc548637adedb9b4b808ed7cd.exe	Conhost.exe
PID 1636 wrote to memory of 5104	1636	4825d64fc548637adedb9b4b808ed7cd.exe	Conhost.exe
PID 1636 wrote to memory of 5104	1636	4825d64fc548637adedb9b4b808ed7cd.exe	Conhost.exe
PID 1636 wrote to memory of 4868	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 4868	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 4868	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 1444	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 1444	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 1444	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 3528	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 3528	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 3528	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 1712	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 1712	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 1712	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 776	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 776	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 776	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 2924	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 2924	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 2924	1636	4825d64fc548637adedb9b4b808ed7cd.exe	powershell.exe
PID 1636 wrote to memory of 4972	1636	4825d64fc548637adedb9b4b808ed7cd.exe	Conhost.exe
PID 1636 wrote to memory of 4972	1636	4825d64fc548637adedb9b4b808ed7cd.exe	Conhost.exe
PID 1636 wrote to memory of 4972	1636	4825d64fc548637adedb9b4b808ed7cd.exe	Conhost.exe
PID 1636 wrote to memory of 1936	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 1936	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 1936	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 3032	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 3032	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 3032	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 1884	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 1884	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 1884	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 5072	1636	4825d64fc548637adedb9b4b808ed7cd.exe	Conhost.exe
PID 1636 wrote to memory of 5072	1636	4825d64fc548637adedb9b4b808ed7cd.exe	Conhost.exe
PID 1636 wrote to memory of 5072	1636	4825d64fc548637adedb9b4b808ed7cd.exe	Conhost.exe
PID 1636 wrote to memory of 3256	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 3256	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 3256	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 548	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 548	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 548	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 548	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 548	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 548	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 548	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 548	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 1636 wrote to memory of 548	1636	4825d64fc548637adedb9b4b808ed7cd.exe	4825d64fc548637adedb9b4b808ed7cd.exe
PID 4972 wrote to memory of 4304	4972	Conhost.exe	Oggnfkemtibcinconsoleapp16.exe
PID 4972 wrote to memory of 4304	4972	Conhost.exe	Oggnfkemtibcinconsoleapp16.exe
PID 4972 wrote to memory of 4304	4972	Conhost.exe	Oggnfkemtibcinconsoleapp16.exe
PID 4304 wrote to memory of 224	4304	Oggnfkemtibcinconsoleapp16.exe	powershell.exe
PID 4304 wrote to memory of 224	4304	Oggnfkemtibcinconsoleapp16.exe	powershell.exe
PID 4304 wrote to memory of 224	4304	Oggnfkemtibcinconsoleapp16.exe	powershell.exe
PID 4304 wrote to memory of 900	4304	Oggnfkemtibcinconsoleapp16.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe
"C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  PID:224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  PID:5104
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs"
  2⤵
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
    "C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1960
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2296
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3628
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2980
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1840
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1080
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2264
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ddmmvlnwvosotwcisp.vbs"
      4⤵
      Checks computer location settings
      PID:2284
    - - C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4264
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        6⤵
        
        PID:2052
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        6⤵
        
        PID:4388
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        6⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5072
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        6⤵
        
        PID:5092
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        6⤵
        
        PID:3284
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        6⤵
        
        PID:2252
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        6⤵
        
        PID:2300
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        6⤵
        
        PID:3416
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        6⤵
        
        PID:3308
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        6⤵
        
        PID:3056
      - C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
        
        C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
        6⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1316
        7⤵
        Program crash
        
        PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
      C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
      4⤵
      Executes dropped EXE
      PID:3856
- C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe
  C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe
  2⤵
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe
  C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe
  2⤵
  PID:548
- C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe
  C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe
  2⤵
  PID:3256
- C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe
  C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe
  2⤵
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe
  C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe
  2⤵
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe
  C:\Users\Admin\AppData\Local\Temp\4825d64fc548637adedb9b4b808ed7cd.exe
  2⤵
  PID:1936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4140 -ip 4140
1⤵
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ddmmvlnwvosotwcisp.vbs

Filesize
118B

MD5
8e6ed0e063f11f70636a3f17f2a6ff0a

SHA1
4eb2da6280255683781c4b2e3e2e77de09d7d3ba

SHA256
bfd0eeb6d76e800e9fc6ffc2924ed0f8a4562bd2446ec503362ed325094e7561

SHA512
061a55f826961a96609717eb173b3f4bade372e4e26f9eae6b84f45b2bcdb97687e7d79b6d450f6a92a9805c799f623a04c7bb59550e2027ba3cf5d172a34e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs

Filesize
114B

MD5
eedf5b01d8c6919df80fb4eeef481b96

SHA1
c2f13824ede4e9781aa1d231c3bfe65ee57a5202

SHA256
c470d243098a7051aa0914fcda227fa4ae3b752556a5de16da5d73a169005aa4

SHA512
c9db4dff46d7517270dda041eca132368edc87bac7d0926b5179d7c385696a7b648c2b99bb444a08c60c95fd4dbd01700f17a8c9cb678bef680a8f681d248822

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Filesize
122KB

MD5
d5f746c29badf0ef7c5411208d6bbafe

SHA1
aa7bd6a8e54b0be51440a01d197ebf5960929004

SHA256
6b6f2352c105fe0d64b5f954fac09e6e30f2bcc2f040aa613bf484910d7ad5a0

SHA512
5cf90b809167be948e8f288ca6ecd43b3e0d991d46286bfd1c6a5355e98f43088ec69124794a9bade9d62f4fffeccde62556dcf866ad454dd91ffcc52545ce98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Filesize
112KB

MD5
251be722c20739bd71ef1bef82213d12

SHA1
f4f37ec65ff8dcdb3912ae64c1d50b98ff846eed

SHA256
e304a548754b26c93a01208dd16b0597a1406c8bde784d611dec1fbd865c41f6

SHA512
13904ba0c830c586c33b424089600883c2eaed54a5ee310a68088a13d1137691386becfddcefbaa30d1bfc5573f650bfc6ca5cbaf1f80a249091f5ab1377806a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Filesize
367KB

MD5
81b52a797709cd2b43a567beb918f288

SHA1
91f7feded933ff4861dd2c00f971595d7dd89513

SHA256
ce7db669ec00c7169451964b79a5b3ac018e87c5dfd2ed0c89482c30f74d4bae

SHA512
70cfe54f9bf63e5d639b377efbb530b0983dcaaf6f09b0ac74b349ab1640a5eeeb98d9f22f4241a5e2da28868f183574393ffd6823bdfab00c5b102ae9443123

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

Filesize
92KB

MD5
863f87d2ea16a32b0d3ec064a8780df0

SHA1
026da0470abcc3ac8de9d6ee20ebd111785f327f

SHA256
687aa44ec90435a26ef1276133af50807755ddbf32f38da668cff6ccd4653fb3

SHA512
b1741638d29d9e9ba678361d9b33f062ad293273ce108cbeead41a56a0e5d6a3d3d25c4fdc7fa1f50cce988613803969b3ced45db0487afb18fdac187f5f4b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

Filesize
47KB

MD5
10ae7be5d2bc8f44221430ab264d9bce

SHA1
4ea26f9575b33a4da990eb0d111f14f303cfed32

SHA256
b51440dac80c45afbe3c81eeb8c5c61a9ffff7e93d7c85948ee394682a0b903d

SHA512
a53cffe224c338f5705156573ff3e59eb48c11f73c9c94bd7b29c23fea5f0598be6ca59f7cccb832a835a448e4531a0165bf04ef2a3669b70e540ca2f73c6196

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

Filesize
202KB

MD5
3b94faedad67c05a967ee4594fa2e670

SHA1
177fbd2bc7279fcfb8af1aaa39ed82d96a8d0dac

SHA256
f643d558fdfe789181bc7c4e2fcfbf5a3d29cc1c56839964f695da1ffeaa70bc

SHA512
1bd548fd554cc8f5b567933814784475c3e457665a0e580de2e2dfc0ca96672258acbaa7de977a396c208222c7814789da8bea6f7810bdb211f996e0ae73023a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4zmgb5i.y5u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/224-7-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/224-26-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/224-12-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/224-13-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/224-10-0x0000000004F40000-0x0000000005568000-memory.dmp

Filesize
6.2MB

Download
memory/224-11-0x0000000004E00000-0x0000000004E22000-memory.dmp

Filesize
136KB

Download
memory/224-23-0x00000000059D0000-0x0000000005D24000-memory.dmp

Filesize
3.3MB

Download
memory/224-24-0x0000000005DD0000-0x0000000005DEE000-memory.dmp

Filesize
120KB

Download
memory/224-25-0x0000000005E20000-0x0000000005E6C000-memory.dmp

Filesize
304KB

Download
memory/224-8-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/224-27-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/224-9-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/224-6-0x00000000024A0000-0x00000000024D6000-memory.dmp

Filesize
216KB

Download
memory/776-134-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/776-132-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/776-144-0x0000000005760000-0x0000000005AB4000-memory.dmp

Filesize
3.3MB

Download
memory/776-133-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/1308-29-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/1308-41-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/1308-45-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/1308-28-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/1308-36-0x00000000061C0000-0x0000000006514000-memory.dmp

Filesize
3.3MB

Download
memory/1308-30-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/1444-112-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/1444-99-0x0000000002D60000-0x0000000002D70000-memory.dmp

Filesize
64KB

Download
memory/1444-87-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/1444-89-0x0000000002D60000-0x0000000002D70000-memory.dmp

Filesize
64KB

Download
memory/1444-88-0x0000000002D60000-0x0000000002D70000-memory.dmp

Filesize
64KB

Download
memory/1636-162-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-194-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-164-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-168-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-172-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-174-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-226-0x0000000009C00000-0x0000000009D1E000-memory.dmp

Filesize
1.1MB

Download
memory/1636-225-0x0000000009C00000-0x0000000009D1E000-memory.dmp

Filesize
1.1MB

Download
memory/1636-61-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/1636-57-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/1636-182-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-184-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-188-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-5-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/1636-192-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-214-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-0-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/1636-216-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-218-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-222-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-220-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-212-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-198-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-202-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-4-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/1636-3-0x0000000004F30000-0x0000000004FC2000-memory.dmp

Filesize
584KB

Download
memory/1636-2-0x0000000005400000-0x00000000059A4000-memory.dmp

Filesize
5.6MB

Download
memory/1636-1-0x00000000003D0000-0x000000000053C000-memory.dmp

Filesize
1.4MB

Download
memory/1636-161-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-166-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-170-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-176-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-180-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-178-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-186-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-190-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-196-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-200-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-204-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-206-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-208-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1636-210-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/1712-115-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/1712-131-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/1712-129-0x0000000006D50000-0x0000000006D6A000-memory.dmp

Filesize
104KB

Download
memory/1712-130-0x0000000006DA0000-0x0000000006DC2000-memory.dmp

Filesize
136KB

Download
memory/1712-128-0x00000000079C0000-0x0000000007A56000-memory.dmp

Filesize
600KB

Download
memory/1712-127-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/1712-116-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/1712-114-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/3528-126-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/3528-113-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/3528-100-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/3528-101-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/3528-102-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/4464-56-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/4464-42-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/4464-43-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4464-44-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4464-55-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4868-86-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/4868-72-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/4868-74-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

Filesize
64KB

Download
memory/4868-73-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

Filesize
64KB

Download
memory/4868-84-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

Filesize
64KB

Download
memory/5104-71-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/5104-58-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-59-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/5104-60-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/5104-85-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download