894c46b031cc83e8403cc2f81215ca4fb38ef9725409c0c385637f5a45c03962

Analysis

max time kernel
153s
max time network
58s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlanetsBeta.exe
Size

139.5MB
MD5

ffd70cd22ce1e72d24a75763301b73ba
SHA1

cdfafef2ab213946efffc543b3fbd69d1fc24339
SHA256

f72c07820e5db527d6f12355900344edc6b29c86af80f934a5d92b7fa43e82f0
SHA512

4067c5533da72c07c331588ef49ce1867b0d016537c204f51e236e1468e6099e8f1046afdbe7c8ad05d3ddc203944a7afec3e714a1ceefe60ff3a26a82185000
SSDEEP

786432:n14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:n14kpHwQjCWv+K18CedmVvEQEpcJW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2416	PlanetsBeta.exe
2416	PlanetsBeta.exe
2416	PlanetsBeta.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PlanetsBeta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	PlanetsBeta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	PlanetsBeta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	PlanetsBeta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	PlanetsBeta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PlanetsBeta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PlanetsBeta.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6652	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
3472	tasklist.exe
4292	tasklist.exe
3848	tasklist.exe
3456	tasklist.exe
1708	tasklist.exe
2752	tasklist.exe
3388	tasklist.exe
4044	tasklist.exe
4148	tasklist.exe
1980	tasklist.exe
2584	tasklist.exe
3616	tasklist.exe
4024	tasklist.exe
4180	tasklist.exe
3320	tasklist.exe
3164	tasklist.exe
2828	tasklist.exe
4372	tasklist.exe
4280	tasklist.exe
560	tasklist.exe
4704	tasklist.exe
4120	tasklist.exe
5584	tasklist.exe
2224	tasklist.exe
1916	tasklist.exe
4480	tasklist.exe
4524	tasklist.exe
3156	tasklist.exe
848	tasklist.exe
904	tasklist.exe
4052	tasklist.exe
4156	tasklist.exe
4656	tasklist.exe
3628	tasklist.exe
5576	tasklist.exe
3148	tasklist.exe
2732	tasklist.exe
4772	tasklist.exe
4532	tasklist.exe
3496	tasklist.exe
3464	tasklist.exe
5512	tasklist.exe
3356	tasklist.exe
6200	tasklist.exe
6184	tasklist.exe
4064	tasklist.exe
4092	tasklist.exe
4140	tasklist.exe
4412	tasklist.exe
4720	tasklist.exe
5544	tasklist.exe
2488	tasklist.exe
4072	tasklist.exe
4624	tasklist.exe
4260	tasklist.exe
3504	tasklist.exe
1668	tasklist.exe
2844	tasklist.exe
3752	tasklist.exe
2824	tasklist.exe
1212	tasklist.exe
3200	tasklist.exe
3532	tasklist.exe
4192	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2416	PlanetsBeta.exe
2416	PlanetsBeta.exe
3764	PlanetsBeta.exe
3764	PlanetsBeta.exe
3764	PlanetsBeta.exe
3764	PlanetsBeta.exe
3764	PlanetsBeta.exe
3764	PlanetsBeta.exe
3764	PlanetsBeta.exe
3764	PlanetsBeta.exe
3764	PlanetsBeta.exe
3764	PlanetsBeta.exe
3764	PlanetsBeta.exe
3764	PlanetsBeta.exe
6732	powershell.exe
6732	powershell.exe
2416	PlanetsBeta.exe
2416	PlanetsBeta.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2416	PlanetsBeta.exe
Token: SeShutdownPrivilege	2416	PlanetsBeta.exe
Token: SeDebugPrivilege	2752	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2856	WMIC.exe
Token: SeSecurityPrivilege	2856	WMIC.exe
Token: SeTakeOwnershipPrivilege	2856	WMIC.exe
Token: SeLoadDriverPrivilege	2856	WMIC.exe
Token: SeSystemProfilePrivilege	2856	WMIC.exe
Token: SeSystemtimePrivilege	2856	WMIC.exe
Token: SeProfSingleProcessPrivilege	2856	WMIC.exe
Token: SeIncBasePriorityPrivilege	2856	WMIC.exe
Token: SeCreatePagefilePrivilege	2856	WMIC.exe
Token: SeBackupPrivilege	2856	WMIC.exe
Token: SeRestorePrivilege	2856	WMIC.exe
Token: SeShutdownPrivilege	2856	WMIC.exe
Token: SeDebugPrivilege	2856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2856	WMIC.exe
Token: SeRemoteShutdownPrivilege	2856	WMIC.exe
Token: SeUndockPrivilege	2856	WMIC.exe
Token: SeManageVolumePrivilege	2856	WMIC.exe
Token: 33	2856	WMIC.exe
Token: 34	2856	WMIC.exe
Token: 35	2856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2856	WMIC.exe
Token: SeSecurityPrivilege	2856	WMIC.exe
Token: SeTakeOwnershipPrivilege	2856	WMIC.exe
Token: SeLoadDriverPrivilege	2856	WMIC.exe
Token: SeSystemProfilePrivilege	2856	WMIC.exe
Token: SeSystemtimePrivilege	2856	WMIC.exe
Token: SeProfSingleProcessPrivilege	2856	WMIC.exe
Token: SeIncBasePriorityPrivilege	2856	WMIC.exe
Token: SeCreatePagefilePrivilege	2856	WMIC.exe
Token: SeBackupPrivilege	2856	WMIC.exe
Token: SeRestorePrivilege	2856	WMIC.exe
Token: SeShutdownPrivilege	2856	WMIC.exe
Token: SeDebugPrivilege	2856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2856	WMIC.exe
Token: SeRemoteShutdownPrivilege	2856	WMIC.exe
Token: SeUndockPrivilege	2856	WMIC.exe
Token: SeManageVolumePrivilege	2856	WMIC.exe
Token: 33	2856	WMIC.exe
Token: 34	2856	WMIC.exe
Token: 35	2856	WMIC.exe
Token: SeDebugPrivilege	2844	tasklist.exe
Token: SeDebugPrivilege	1668	tasklist.exe
Token: SeDebugPrivilege	1296	tasklist.exe
Token: SeDebugPrivilege	2828	tasklist.exe
Token: SeDebugPrivilege	1708	tasklist.exe
Token: SeDebugPrivilege	1796	tasklist.exe
Token: SeShutdownPrivilege	2416	PlanetsBeta.exe
Token: SeShutdownPrivilege	2416	PlanetsBeta.exe
Token: SeDebugPrivilege	1916	tasklist.exe
Token: SeDebugPrivilege	904	tasklist.exe
Token: SeDebugPrivilege	1968	tasklist.exe
Token: SeDebugPrivilege	2208	tasklist.exe
Token: SeDebugPrivilege	2488	tasklist.exe
Token: SeDebugPrivilege	848	tasklist.exe
Token: SeDebugPrivilege	2700	tasklist.exe
Token: SeDebugPrivilege	2732	tasklist.exe
Token: SeDebugPrivilege	2824	tasklist.exe
Token: SeDebugPrivilege	2972	tasklist.exe
Token: SeDebugPrivilege	2224	tasklist.exe
Token: SeDebugPrivilege	2584	tasklist.exe
Token: SeDebugPrivilege	1212	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2768	2416	PlanetsBeta.exe	28
PID 2416 wrote to memory of 2768	2416	PlanetsBeta.exe	28
PID 2416 wrote to memory of 2768	2416	PlanetsBeta.exe	28
PID 2768 wrote to memory of 2752	2768	cmd.exe	31
PID 2768 wrote to memory of 2752	2768	cmd.exe	31
PID 2768 wrote to memory of 2752	2768	cmd.exe	31
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2896	2416	PlanetsBeta.exe	30
PID 2416 wrote to memory of 2832	2416	PlanetsBeta.exe	58
PID 2416 wrote to memory of 2832	2416	PlanetsBeta.exe	58
PID 2416 wrote to memory of 2832	2416	PlanetsBeta.exe	58
PID 2832 wrote to memory of 2856	2832	conhost.exe	34
PID 2832 wrote to memory of 2856	2832	conhost.exe	34
PID 2832 wrote to memory of 2856	2832	conhost.exe	34
PID 2416 wrote to memory of 796	2416	PlanetsBeta.exe	337
PID 2416 wrote to memory of 796	2416	PlanetsBeta.exe	337
PID 2416 wrote to memory of 796	2416	PlanetsBeta.exe	337
PID 2416 wrote to memory of 1160	2416	PlanetsBeta.exe	336
PID 2416 wrote to memory of 1160	2416	PlanetsBeta.exe	336
PID 2416 wrote to memory of 1160	2416	PlanetsBeta.exe	336
PID 2416 wrote to memory of 460	2416	PlanetsBeta.exe	335
PID 2416 wrote to memory of 460	2416	PlanetsBeta.exe	335
PID 2416 wrote to memory of 460	2416	PlanetsBeta.exe	335
PID 2416 wrote to memory of 2028	2416	PlanetsBeta.exe	334
PID 2416 wrote to memory of 2028	2416	PlanetsBeta.exe	334

C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe
"C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe
  "C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 --field-trial-handle=1116,2403730657581423650,15310680259726026484,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2416 get ExecutablePath"
  2⤵
  PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:440
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1676
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1628
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1584
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:620
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2052
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1488
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:688
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2340
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1104
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2576
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1048
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1976
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
  2⤵
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe
  "C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=3116 --field-trial-handle=1116,2403730657581423650,15310680259726026484,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3764
- C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe
  "C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1088 --field-trial-handle=1116,2403730657581423650,15310680259726026484,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:5640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:6540
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:6576
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:6564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:6620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:6712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:2992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:796

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=2416 get ExecutablePath
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:2664

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14850093871403971099-19756160-806616441-1690633025-507738645-1655678721613326353"
1⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3288

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3388

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3472

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3532

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3616

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3672

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4072

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4064

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4092

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4084

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4052

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4044

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:876

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4036

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4156

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4192

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4236

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4148

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4140

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4292

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4412

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4540

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4576

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4656

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4644

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4704

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4720

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4668

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4624

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4532

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4524

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4372

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4280

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4260

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4120

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3628

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3604

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3848

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3504

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3496

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3456

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5544

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5536

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5528

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5512

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
1⤵
PID:5604

C:\Windows\system32\more.com
more +1
1⤵
PID:5836

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
1⤵
PID:5820

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5584

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5568

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5560

C:\Windows\system32\net.exe
net session
1⤵
PID:5496
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 session
  2⤵
  PID:6088

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3408

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3356

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3320

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6116

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:1980

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3752

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6200

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6192

C:\Windows\system32\more.com
more +1
1⤵
PID:6668

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
1⤵
- Detects videocard installed
PID:6652

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6184

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:1148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-255600475-1065244653677530629-612226186-695121815-1145518325-2001698646-416863887"
1⤵
PID:1696

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3184

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3156

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3164

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3148

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\2f2c22bd-33bf-46d8-8ecf-148f1ffec1a1.tmp.node

Filesize
558KB

MD5
194aba044ab38805f1fd906ac178477f

SHA1
b3f0a66b0d6ba55343d7fd25431894847f99305f

SHA256
8b692b7ae6f5530e1630802573e6d196f3b211a70736635685335132ed4ce9f2

SHA512
9eb36908d384bde5c133a9f3d14f5c8c2ef3e8d22cfa3347190aedf0c2cad0fbb85eba036eab192aa3bd2bd2593bfe1c9c5e55260ac2b6bba190bcbfdcb2f8c3

Download Submit
\Users\Admin\AppData\Local\Temp\611fd8be-7f20-46e3-8051-17f8b873aed1.tmp.node

Filesize
663KB

MD5
af80cdd074270ab4ae3183f3da076288

SHA1
a8fa9bdfe919b86502b5015ebb1c17121cf0e162

SHA256
71a6bea0e2cafb3b44a652961da96b9b2342f206680af2e49ded1c0e34a783b6

SHA512
12e7d41a3b511fb828e584a00d363ed69ab1a2aa670c1cd3eedcf8b860d5b5fefde378cb269c3a1bb2570fff9f448d39c81aa120130d4102fc914439de6f3f88

Download Submit
\Users\Admin\AppData\Local\Temp\8a66f5f8-18f4-4e9f-b609-51fb72743ef4.tmp.node

Filesize
550KB

MD5
1ea9f289049e7e5505b378e979cc0edf

SHA1
0fd867fe8b0965d898e75ed186b3b4ac270d0caa

SHA256
938e764e5bb0a889761bd40734af2f774250cb3930332bae095444fa62ac851a

SHA512
b14188ce931ed3d903c1e7d00abeaa40ac9b499ae8e9b26b6c0ac77a604bfc9cc32b3e82b2e4240f8a02273500b417bea3f3e2616ffdff3bad792b80541b272a

Download Submit
memory/2896-13-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2896-46-0x0000000077DF0000-0x0000000077DF1000-memory.dmp

Filesize
4KB

Download
memory/6732-125-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/6732-123-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/6732-124-0x000007FEF3A20000-0x000007FEF43BD000-memory.dmp

Filesize
9.6MB

Download
memory/6732-122-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/6732-128-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/6732-129-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/6732-127-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/6732-126-0x000007FEF3A20000-0x000007FEF43BD000-memory.dmp

Filesize
9.6MB

Download
memory/6732-213-0x000007FEF3A20000-0x000007FEF43BD000-memory.dmp

Filesize
9.6MB

Download
memory/6732-214-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/6732-215-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/6732-217-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/6732-216-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download