e44229e925d7bcb00773fba75910ea74f5470627a68431f157b24413faae94c5

Analysis

max time kernel
106s
max time network
98s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAS_1.4_AIO_CRC32_9A7B5B05.cmd
Size

2.3MB
MD5

35f17dcf189ff654276cbd3777c474c5
SHA1

d0106953bb6026d874ca5f09fdec59e57b483b36
SHA256

e44229e925d7bcb00773fba75910ea74f5470627a68431f157b24413faae94c5
SHA512

dfcccbe815da154d9059bed85dc1740b360a8196f7005e61655d0677e1341d930d60ed24f347dd65fbf97c0baca305303d75edd76be421d126db2ead3b6ba8aa
SSDEEP

49152:g+ay1I0JxlXsyZ6tmDbR56nAfl5P/r/SI:rp/eyZ6tmDlTfbX

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2992	powershell.exe
5	1820	powershell.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1168	sc.exe
2796	sc.exe
908	sc.exe
1756	sc.exe
1888	sc.exe
2128	sc.exe
2200	sc.exe
1536	sc.exe
1080	sc.exe
1656	sc.exe
2076	sc.exe
1928	sc.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2900	timeout.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

T1112

pid	Process
1676	reg.exe
2504	reg.exe
1816	reg.exe
2696	reg.exe
1596	reg.exe
1936	reg.exe
2864	reg.exe
2820	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2972	powershell.exe
2996	powershell.exe
112	powershell.exe
2484	powershell.exe
2992	powershell.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
1820	powershell.exe
2000	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	704	taskmgr.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeIncreaseQuotaPrivilege	1616	WMIC.exe
Token: SeSecurityPrivilege	1616	WMIC.exe
Token: SeTakeOwnershipPrivilege	1616	WMIC.exe
Token: SeLoadDriverPrivilege	1616	WMIC.exe
Token: SeSystemProfilePrivilege	1616	WMIC.exe
Token: SeSystemtimePrivilege	1616	WMIC.exe
Token: SeProfSingleProcessPrivilege	1616	WMIC.exe
Token: SeIncBasePriorityPrivilege	1616	WMIC.exe
Token: SeCreatePagefilePrivilege	1616	WMIC.exe
Token: SeBackupPrivilege	1616	WMIC.exe
Token: SeRestorePrivilege	1616	WMIC.exe
Token: SeShutdownPrivilege	1616	WMIC.exe
Token: SeDebugPrivilege	1616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1616	WMIC.exe
Token: SeRemoteShutdownPrivilege	1616	WMIC.exe
Token: SeUndockPrivilege	1616	WMIC.exe
Token: SeManageVolumePrivilege	1616	WMIC.exe
Token: 33	1616	WMIC.exe
Token: 34	1616	WMIC.exe
Token: 35	1616	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1616	WMIC.exe
Token: SeSecurityPrivilege	1616	WMIC.exe
Token: SeTakeOwnershipPrivilege	1616	WMIC.exe
Token: SeLoadDriverPrivilege	1616	WMIC.exe
Token: SeSystemProfilePrivilege	1616	WMIC.exe
Token: SeSystemtimePrivilege	1616	WMIC.exe
Token: SeProfSingleProcessPrivilege	1616	WMIC.exe
Token: SeIncBasePriorityPrivilege	1616	WMIC.exe
Token: SeCreatePagefilePrivilege	1616	WMIC.exe
Token: SeBackupPrivilege	1616	WMIC.exe
Token: SeRestorePrivilege	1616	WMIC.exe
Token: SeShutdownPrivilege	1616	WMIC.exe
Token: SeDebugPrivilege	1616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1616	WMIC.exe
Token: SeRemoteShutdownPrivilege	1616	WMIC.exe
Token: SeUndockPrivilege	1616	WMIC.exe
Token: SeManageVolumePrivilege	1616	WMIC.exe
Token: 33	1616	WMIC.exe
Token: 34	1616	WMIC.exe
Token: 35	1616	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1696	WMIC.exe
Token: SeSecurityPrivilege	1696	WMIC.exe
Token: SeTakeOwnershipPrivilege	1696	WMIC.exe
Token: SeLoadDriverPrivilege	1696	WMIC.exe
Token: SeSystemProfilePrivilege	1696	WMIC.exe
Token: SeSystemtimePrivilege	1696	WMIC.exe
Token: SeProfSingleProcessPrivilege	1696	WMIC.exe
Token: SeIncBasePriorityPrivilege	1696	WMIC.exe
Token: SeCreatePagefilePrivilege	1696	WMIC.exe
Token: SeBackupPrivilege	1696	WMIC.exe
Token: SeRestorePrivilege	1696	WMIC.exe
Token: SeShutdownPrivilege	1696	WMIC.exe
Token: SeDebugPrivilege	1696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1696	WMIC.exe
Token: SeRemoteShutdownPrivilege	1696	WMIC.exe
Token: SeUndockPrivilege	1696	WMIC.exe
Token: SeManageVolumePrivilege	1696	WMIC.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe
704	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2696	2072	cmd.exe	30
PID 2072 wrote to memory of 2696	2072	cmd.exe	30
PID 2072 wrote to memory of 2696	2072	cmd.exe	30
PID 2072 wrote to memory of 2856	2072	cmd.exe	31
PID 2072 wrote to memory of 2856	2072	cmd.exe	31
PID 2072 wrote to memory of 2856	2072	cmd.exe	31
PID 2072 wrote to memory of 2864	2072	cmd.exe	32
PID 2072 wrote to memory of 2864	2072	cmd.exe	32
PID 2072 wrote to memory of 2864	2072	cmd.exe	32
PID 2072 wrote to memory of 2912	2072	cmd.exe	33
PID 2072 wrote to memory of 2912	2072	cmd.exe	33
PID 2072 wrote to memory of 2912	2072	cmd.exe	33
PID 2072 wrote to memory of 2592	2072	cmd.exe	34
PID 2072 wrote to memory of 2592	2072	cmd.exe	34
PID 2072 wrote to memory of 2592	2072	cmd.exe	34
PID 2072 wrote to memory of 2304	2072	cmd.exe	35
PID 2072 wrote to memory of 2304	2072	cmd.exe	35
PID 2072 wrote to memory of 2304	2072	cmd.exe	35
PID 2072 wrote to memory of 2876	2072	cmd.exe	36
PID 2072 wrote to memory of 2876	2072	cmd.exe	36
PID 2072 wrote to memory of 2876	2072	cmd.exe	36
PID 2072 wrote to memory of 2748	2072	cmd.exe	37
PID 2072 wrote to memory of 2748	2072	cmd.exe	37
PID 2072 wrote to memory of 2748	2072	cmd.exe	37
PID 2072 wrote to memory of 2620	2072	cmd.exe	38
PID 2072 wrote to memory of 2620	2072	cmd.exe	38
PID 2072 wrote to memory of 2620	2072	cmd.exe	38
PID 2072 wrote to memory of 2980	2072	cmd.exe	39
PID 2072 wrote to memory of 2980	2072	cmd.exe	39
PID 2072 wrote to memory of 2980	2072	cmd.exe	39
PID 2072 wrote to memory of 2972	2072	cmd.exe	40
PID 2072 wrote to memory of 2972	2072	cmd.exe	40
PID 2072 wrote to memory of 2972	2072	cmd.exe	40
PID 2972 wrote to memory of 2660	2972	powershell.exe	41
PID 2972 wrote to memory of 2660	2972	powershell.exe	41
PID 2972 wrote to memory of 2660	2972	powershell.exe	41
PID 2660 wrote to memory of 1952	2660	csc.exe	42
PID 2660 wrote to memory of 1952	2660	csc.exe	42
PID 2660 wrote to memory of 1952	2660	csc.exe	42
PID 2972 wrote to memory of 392	2972	powershell.exe	43
PID 2972 wrote to memory of 392	2972	powershell.exe	43
PID 2972 wrote to memory of 392	2972	powershell.exe	43
PID 2072 wrote to memory of 2996	2072	cmd.exe	44
PID 2072 wrote to memory of 2996	2072	cmd.exe	44
PID 2072 wrote to memory of 2996	2072	cmd.exe	44
PID 2072 wrote to memory of 1428	2072	cmd.exe	45
PID 2072 wrote to memory of 1428	2072	cmd.exe	45
PID 2072 wrote to memory of 1428	2072	cmd.exe	45
PID 1428 wrote to memory of 2012	1428	cmd.exe	46
PID 1428 wrote to memory of 2012	1428	cmd.exe	46
PID 1428 wrote to memory of 2012	1428	cmd.exe	46
PID 1428 wrote to memory of 2780	1428	cmd.exe	47
PID 1428 wrote to memory of 2780	1428	cmd.exe	47
PID 1428 wrote to memory of 2780	1428	cmd.exe	47
PID 1428 wrote to memory of 2880	1428	cmd.exe	48
PID 1428 wrote to memory of 2880	1428	cmd.exe	48
PID 1428 wrote to memory of 2880	1428	cmd.exe	48
PID 1428 wrote to memory of 112	1428	cmd.exe	49
PID 1428 wrote to memory of 112	1428	cmd.exe	49
PID 1428 wrote to memory of 112	1428	cmd.exe	49
PID 1428 wrote to memory of 2968	1428	cmd.exe	50
PID 1428 wrote to memory of 2968	1428	cmd.exe	50
PID 1428 wrote to memory of 2968	1428	cmd.exe	50
PID 2968 wrote to memory of 2924	2968	cmd.exe	51

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MAS_1.4_AIO_CRC32_9A7B5B05.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  reg query HKU\S-1-5-19
  2⤵
  PID:2856
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:2864
- C:\Windows\system32\choice.exe
  choice /C:123456789 /N /M "> Enter Your Choice in the Keyboard [1,2,3,4,5,6,7,8,9] : "
  2⤵
  PID:2912
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:2592
- C:\Windows\system32\choice.exe
  choice /C:1234 /N /M "> Enter Your Choice [1,2,3,4] : "
  2⤵
  PID:2304
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:2876
- C:\Windows\system32\choice.exe
  choice /C:123456789 /N /M "> Enter Your Choice in the Keyboard [1,2,3,4,5,6,7,8,9] : "
  2⤵
  PID:2748
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:2620
- C:\Windows\system32\choice.exe
  choice /C:1234 /N /M "> Enter Your Choice [1,2,3,4] : "
  2⤵
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_1.4_AIO_CRC32_9A7B5B05.cmd') -split ':cleanospp\:.*';iex ($f[1]);X 1;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zlrwh4pm.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0E9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB0E8.tmp"
      4⤵
      PID:1952
- - C:\Windows\system32\expand.exe
    "C:\Windows\system32\expand.exe" -R 1._ -F:* .
    3⤵
    - Drops file in Windows directory
    PID:392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_1.4_AIO_CRC32_9A7B5B05.cmd') -split \":KMStxt\:.*`r`n\"; [io.file]::WriteAllText('C:\Windows\Temp\_MAS\Activate.cmd',$f[1].Trim(),[System.Text.Encoding]::ASCII);"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Windows\Temp\_MAS\Activate.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2012
- - C:\Windows\system32\reg.exe
    reg query HKU\S-1-5-19
    3⤵
    PID:2780
- - C:\Windows\system32\mode.com
    mode con: cols=98 lines=30
    3⤵
    PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "&{$H=get-host;$W=$H.ui.rawui;$B=$W.buffersize;$B.height=150;$W.buffersize=$B;}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:2924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "If([Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}')).IsConnectedToInternet){Exit 0}Else{Exit 1}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "$t = New-Object Net.Sockets.TcpClient;try{$t.Connect("""kms.loli.beer""", 1688)}catch{};$t.Connected"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\System32\findstr.exe
    findstr /i true
    3⤵
    PID:3064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "$t = New-Object Net.Sockets.TcpClient;try{$t.Connect("""kms.srv.crsoo.com""", 1688)}catch{};$t.Connected"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- - C:\Windows\System32\findstr.exe
    findstr /i true
    3⤵
    PID:2540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
    3⤵
    PID:1784
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:1928
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:1536
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:1860
- - C:\Windows\System32\net.exe
    net stop sppsvc /y
    3⤵
    PID:944
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:1356
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:1168
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:1064
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:2796
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:1044
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:908
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:592
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d kms.srv.crsoo.com
    3⤵
    PID:3032
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d 1688
    3⤵
    PID:684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"
    3⤵
    PID:1028
  - - C:\Windows\System32\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
      4⤵
      PID:1540
  - - C:\Windows\System32\find.exe
      FIND /I "CurrentVersion"
      4⤵
      PID:1080
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-UltimateEdition~31bf3856ad364e35~amd64~~6.1.7601.17514" /v "CurrentState"
    3⤵
    PID:2172
- - C:\Windows\System32\find.exe
    FIND /I "0x70"
    3⤵
    PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ECHO Microsoft-Windows-UltimateEdition~31bf3856ad364e35~amd64~~6.1.7601.17514
    3⤵
    PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC PATH SoftwareLicensingProduct WHERE (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE" 2>nul
    3⤵
    PID:2236
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC PATH SoftwareLicensingProduct WHERE (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:2476
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Ultimate"
    3⤵
    PID:1804
- - C:\Windows\System32\findstr.exe
    findstr /I /E Eval
    3⤵
    PID:1328
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:2504
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2512
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2856
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:1592
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:1588
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2904
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:2820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2164
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:1676
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%') get Name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\System32\findstr.exe
    findstr /i Windows
    3⤵
    PID:2828
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where (Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%') get Name
    3⤵
    PID:2840
- - C:\Windows\System32\find.exe
    find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:2584
- - C:\Windows\System32\find.exe
    find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:2580
- - C:\Windows\System32\find.exe
    find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:1872
- - C:\Windows\System32\find.exe
    find /i "Office 14" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:2708
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%') get Name
    3⤵
    PID:1944
- - C:\Windows\System32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:2664
- - C:\Windows\System32\find.exe
    find /i "Office 19"
    3⤵
    PID:2812
- - C:\Windows\System32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:2568
- - C:\Windows\System32\find.exe
    find /i "Office 16"
    3⤵
    PID:2508
- - C:\Windows\System32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:1836
- - C:\Windows\System32\find.exe
    find /i "Office 15"
    3⤵
    PID:2956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where (LicenseFamily='OfficeVisioPrem-MAK') get LicenseStatus /VALUE" 2>nul
    3⤵
    PID:2792
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path OfficeSoftwareProtectionProduct where (LicenseFamily='OfficeVisioPrem-MAK') get LicenseStatus /VALUE
      4⤵
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where (LicenseFamily='OfficeVisioPro-MAK') get LicenseStatus /VALUE" 2>nul
    3⤵
    PID:2984
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path OfficeSoftwareProtectionProduct where (LicenseFamily='OfficeVisioPro-MAK') get LicenseStatus /VALUE
      4⤵
      PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionService get Version /VALUE" 2>nul
    3⤵
    PID:3004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path OfficeSoftwareProtectionService get Version /VALUE
      4⤵
      PID:1136
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionService where version='14.0.370.400' call SetKeyManagementServiceMachine MachineName="kms.srv.crsoo.com"
    3⤵
    PID:1460
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionService where version='14.0.370.400' call SetKeyManagementServicePort 1688
    3⤵
    PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where (Description like '%KMSCLIENT%') get ID /VALUE"
    3⤵
    PID:1956
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path OfficeSoftwareProtectionProduct where (Description like '%KMSCLIENT%') get ID /VALUE
      4⤵
      PID:1852
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' get Name
    3⤵
    PID:2656
- - C:\Windows\System32\find.exe
    find /i "Office 14" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:2960
- - C:\Windows\System32\find.exe
    find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:2176
- - C:\Windows\System32\find.exe
    find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:2808
- - C:\Windows\System32\find.exe
    find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:2952
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where (PartialProductKey is not NULL) get ID
    3⤵
    PID:1720
- - C:\Windows\System32\findstr.exe
    findstr /i "6f327760-8c5c-417c-9b61-836a98287e0c"
    3⤵
    PID:2916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' call ClearKeyManagementServiceMachine
    3⤵
    PID:1624
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' call ClearKeyManagementServicePort
    3⤵
    PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' get Name /VALUE"
    3⤵
    PID:1604
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' get Name /VALUE
      4⤵
      PID:856
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' call Activate
    3⤵
    PID:2096
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:1756
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:2100
- - C:\Windows\System32\net.exe
    net stop osppsvc /y
    3⤵
    PID:552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop osppsvc /y
      4⤵
      PID:556
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:1888
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' call Activate
    3⤵
    PID:380
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' get GracePeriodRemaining /VALUE"
    3⤵
    PID:988
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' get GracePeriodRemaining /VALUE
      4⤵
      PID:440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell write-host -back Black -fore Green Product Activation Successful
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2000
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionService where version='14.0.370.400' call DisableKeyManagementServiceDnsPublishing 0
    3⤵
    PID:1380
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionService where version='14.0.370.400' call DisableKeyManagementServiceHostCaching 0
    3⤵
    PID:2336
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:2128
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:2144
- - C:\Windows\System32\net.exe
    net stop sppsvc /y
    3⤵
    PID:2844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:1356
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:2200
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:864
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:1656
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:1016
- - C:\Windows\System32\net.exe
    net stop osppsvc /y
    3⤵
    PID:904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop osppsvc /y
      4⤵
      PID:620
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:2076
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:1732
- - C:\Windows\System32\sc.exe
    sc start sppsvc trigger=timer;sessionid=0
    3⤵
    - Launches sc.exe
    PID:1080
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2900
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:1616
- C:\Windows\system32\choice.exe
  choice /C:1234 /N /M "> Enter Your Choice [1,2,3,4] : "
  2⤵
  PID:2236

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB0E9.tmp

Filesize
1KB

MD5
ef2de1860788b089a93006b152c88a67

SHA1
06e624c7b5941f78b43855953ae535934477c3e1

SHA256
80965f6e3691622e66e6e73ad3f8d57bac30f70265450b57ce40492cfc852623

SHA512
be4c5b714b4692562c10704ec9a4a8027dd7be3415c91bbcd68b82659e8c9808405d214e106ec0b580eaea01876162856c2c1a3c82b4ff3620932a80151956e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlrwh4pm.dll

Filesize
4KB

MD5
980905efca8e0f2e6d3798614183cf9c

SHA1
719b5341b0730a3edf19fb3cdc7055efc22b5b91

SHA256
cd250120ed8f7759f5b1713eeccdac36266108fc103e19070ae15c2243dcbf87

SHA512
80a35619ae5563d1d2529210f71b70f2fa2717f65d60914633d48e34695937329ce345515e1a7b2b580511fd0f909acf5068fd942ce8364fb4fb80dd46157389

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlrwh4pm.pdb

Filesize
11KB

MD5
563df69ac5fb166f65387caaa0f59563

SHA1
949f0eb0bc8ba9634b3985f9cff9bf48fb68df94

SHA256
8d4a345a8fc9945d73a0b1f7c727c10b8277a1e49d6213e5b1d6a84499d4a01e

SHA512
cf5f571427e88a4abe335e6061e16029785ac02ae82e316b57e4adce23aae92904bf597b0f0c5f2bf43ae215abb3ad33eee02f914c1ba9d9a0ace20ddaec8b2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea32ad293cb88ba187631fdd58b60a82

SHA1
b0a68454a832905d32c1e9d79f069f966ce56747

SHA256
636874dd13d76ee0f59df2de99a02d1fe79eee11e8ed6615ac1e16436fd9054c

SHA512
668477bb03c5bd1310db9ba1fc0ec26c9c630b42376f62ece158efe5a2fffe71e20fca063205cfca4cb5bf41b4fad11f37c2ae29821702be3865cb460a4fdb84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2cd53a95bd67fa365370083298c8acd3

SHA1
e7d08ba3862d07693c2f8b2582d134fe5d5fb3d9

SHA256
a4231252638a1cb238994aa230428dbfb73bd29fb6e8fbe126bcbbe042a28551

SHA512
cb82d2fcbebf0d5884eda8f56d47bb75ef9e86c7dc652e11b7ed3b9a4d45a89ea53e3ff9d2a933270a807fd9c6d169fbfcb60c3ff2b551a966efd41ce15e3109

Download Submit
C:\Windows\Temp\_MAS\1._

Filesize
14KB

MD5
050ea0eaf253fa38914ce62386c2b6bb

SHA1
6b8b01c748e3bdee36a10d6fa2abc2b1555539d5

SHA256
abd98fa1238ae8e66e8125d1cd3f9678cf49c9a507acf4950e8273df8b4a1dcb

SHA512
0d717e188e0c3b8f1d7f123d04072cd8635b5d4620ea7aab1c581a23f58935ef0b698d373abfbd79b8f8d7af173dcc345aa76f46beeb84edaca5ec421cb864c7

Download Submit
C:\Windows\Temp\_MAS\Activate.cmd

Filesize
88KB

MD5
864cf3f1539e2b6deb6003c08054d401

SHA1
1c0c8c24a70d211e1a74c91aa80e11ed97c0d661

SHA256
57955e698b9f3d55f364cb0fefe0aa56693532dcd81704abe6b89bb73eaf2d77

SHA512
5447310c26d1abb5ce86a2dd89d291bdf47bba7e534fa636367372429ac46e92d5c330574378be5e4ebc17f11b98f6e1901dd2b4e5605dad4a173006d6b822e6

Download Submit
C:\Windows\Temp\_MAS\BIN\CLEANO~1.EXE

Filesize
19KB

MD5
162ab955cb2f002a73c1530aa796477f

SHA1
d30a0e4e5911d3ca705617d17225372731c770e2

SHA256
5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e

SHA512
e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e

Download Submit
C:\Windows\Temp\_MAS\BIN\CLEANO~2.EXE

Filesize
17KB

MD5
5fd363d52d04ac200cd24f3bcc903200

SHA1
39ed8659e7ca16aaccb86def94ce6cec4c847dd6

SHA256
3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9

SHA512
f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3

Download Submit
C:\Windows\Temp\_MAS\BIN\_Info.txt

Filesize
896B

MD5
d0a2dcedb5a970e057e075722e0937bb

SHA1
9d5b4b3e761cca9531d64200dfbbfa0dec94f5b0

SHA256
be84ead20bf2bee7985eadc83a91c3cbe19f77637ecb9f353bec53e57b57e897

SHA512
607bebd0e712abeae7184594c7d46d07468ccab9c45c64e2ec8d2291749a52083dc4c0c8e7aa883ac09906de06e26aebe81558357bb8cae1e1e0360704f51b0e

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
190B

MD5
15f5daae829d2a8e069cbc3ceb78ffd5

SHA1
c6f9ec7539c5441cc2e6ed2d5edbd2f95a507f7e

SHA256
bb5ca7fee7406759501f0055904511e282f44f7a4123bd737bc9083448a23ca2

SHA512
b89bec57706488e1ba3b5cadb134488aeea351ebdd800830c3a2f4a0c00fe0f0db02cffbda0162e8aaff54a68b06a15331480f7b1eacd0457fe6d4dbc0249939

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
32B

MD5
b65e9213dae00101a52d72b56120ff81

SHA1
d52caec94e56a19cca2bcc6e38dc780b1cb90027

SHA256
dfa7c49d13da53cc057bce84a0944d83258bf61671f92b2f7d0d9ee3e3896740

SHA512
09daf8969898babaaaa9ae8959b5345e204a27ff7b84f0bfb696b1e25130a9f659519a040eeaeae74c8c091586e76a6150743b30f419c0b1952c24c6c227584e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB0E8.tmp

Filesize
652B

MD5
17b04a0d48edd720b4be1966c1b10d49

SHA1
a616d8d26b4536c36165dad2e5f248bb22745715

SHA256
46a08ce4d2e83c7cbd7ea26974d95b5271af7b10a346cb9bf0c981f747f41fd3

SHA512
abef8129b523530920c8334e50f57ba761bc91318c99891e3f3385718cc92a9384b997d84b31e4b5943ead115058baf0c1b6da3953baaf7a94720d66ff3fe6be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zlrwh4pm.0.cs

Filesize
884B

MD5
eafbb318108fc62a15b458ebba405940

SHA1
0c5f45d0cab61ef4fa12f13f020ca45cba04863a

SHA256
45ee3dd57aa47fcf92c09a44276de5ef1688bb0563e09206d8e882528e6de9d2

SHA512
bac80550d7fedc768522907ba72f2802ac2fead886015356a417533f9fc0e2a767b992c58010e67160b4ee071971c7cc6a5337ffb948cf685dca0811ccaa52f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zlrwh4pm.cmdline

Filesize
309B

MD5
c88d618b6e56e1cb67b35acbc25257a9

SHA1
5d3f2b20e7ee8ab28f446ea13d51764890f44c41

SHA256
cf3c3d1a16d80ff77fa898592bb62efdf9ed101f007a154c86067e034e79259c

SHA512
99c963a6b25a52cbcb3b6bb40624a873b111da81f9beef31832527f94c389580e70af1cefd30f793e80981f25c5a071255252c95afe42764ed7ce6a9a5a99593

Download Submit
memory/112-65-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/112-64-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/112-67-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/112-68-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/112-69-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/112-66-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/112-70-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/704-95-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/704-94-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1820-114-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/1820-113-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1820-112-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1820-111-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1820-108-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/1820-110-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/1820-109-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2000-133-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/2000-129-0x000007FEF5170000-0x000007FEF5B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-130-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/2000-131-0x000007FEF5170000-0x000007FEF5B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-132-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/2000-135-0x000007FEF5170000-0x000007FEF5B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-134-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/2000-128-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/2484-79-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2484-77-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2484-81-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2484-82-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2484-78-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2484-80-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2484-76-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-17-0x0000000002230000-0x00000000022B0000-memory.dmp

Filesize
512KB

Download
memory/2972-8-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2972-5-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2972-6-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2972-9-0x00000000022D0000-0x0000000002350000-memory.dmp

Filesize
512KB

Download
memory/2972-10-0x00000000022D0000-0x0000000002350000-memory.dmp

Filesize
512KB

Download
memory/2972-11-0x00000000022D0000-0x0000000002350000-memory.dmp

Filesize
512KB

Download
memory/2972-41-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2972-7-0x00000000022D0000-0x0000000002350000-memory.dmp

Filesize
512KB

Download
memory/2972-4-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/2972-26-0x00000000029B0000-0x00000000029B8000-memory.dmp

Filesize
32KB

Download
memory/2992-100-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2992-101-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2992-99-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2992-98-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2992-97-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2992-96-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2992-93-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2992-92-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2992-91-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2992-90-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2992-89-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2992-88-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2996-56-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-54-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2996-53-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-48-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/2996-52-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2996-51-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2996-50-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2996-49-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-47-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download