9e871595e30e5d22e58325d8c069cb48612ae07689dff680228af33911e55a27

Resubmissions

15/03/2024, 14:40

240315-r127esba6z 7

15/03/2024, 14:33

240315-rw21vsda32 7

15/03/2024, 14:30

240315-rvhktsah3x 3

Analysis

max time kernel
134s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
15/03/2024, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VIRUS DO NOT OPEN.rar
Size

13.5MB
MD5

d78c6d4e78955a325452674d32bc7be6
SHA1

3d27759d5ba0f1067ca62e7c9ce061db1017681f
SHA256

9e871595e30e5d22e58325d8c069cb48612ae07689dff680228af33911e55a27
SHA512

7b6f5b4397ede6026193604505bca1d03b765f6d79d9d2f816a665b175371f3d7f12b82c62b3b4999d325bab4d6822fe3037cf61dd770e88208a881b425ece7e
SSDEEP

393216:LJFSF15WwTui+xUn1n24bYdhvNeltrNaD:LJFjyuin2zb1OpNC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3552	Latzerus.exe
1508	Latzerus.exe
2956	Latzerus.exe
1200	Latzerus.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
1920	powershell.exe
1920	powershell.exe
3720	powershell.exe
3720	powershell.exe
1920	powershell.exe
3720	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe
4220	powershell.exe
4220	powershell.exe
1012	powershell.exe
1012	powershell.exe
4220	powershell.exe
1012	powershell.exe
2348	powershell.exe
2348	powershell.exe
2348	powershell.exe
3992	powershell.exe
3992	powershell.exe
3992	powershell.exe
824	powershell.exe
824	powershell.exe
1424	powershell.exe
1424	powershell.exe
824	powershell.exe
1424	powershell.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe
3840	powershell.exe
3840	powershell.exe
3840	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
668	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	668	7zFM.exe
Token: 35	668	7zFM.exe
Token: SeSecurityPrivilege	668	7zFM.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeSecurityPrivilege	668	7zFM.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeIncreaseQuotaPrivilege	3720	powershell.exe
Token: SeSecurityPrivilege	3720	powershell.exe
Token: SeTakeOwnershipPrivilege	3720	powershell.exe
Token: SeLoadDriverPrivilege	3720	powershell.exe
Token: SeSystemProfilePrivilege	3720	powershell.exe
Token: SeSystemtimePrivilege	3720	powershell.exe
Token: SeProfSingleProcessPrivilege	3720	powershell.exe
Token: SeIncBasePriorityPrivilege	3720	powershell.exe
Token: SeCreatePagefilePrivilege	3720	powershell.exe
Token: SeBackupPrivilege	3720	powershell.exe
Token: SeRestorePrivilege	3720	powershell.exe
Token: SeShutdownPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeSystemEnvironmentPrivilege	3720	powershell.exe
Token: SeRemoteShutdownPrivilege	3720	powershell.exe
Token: SeUndockPrivilege	3720	powershell.exe
Token: SeManageVolumePrivilege	3720	powershell.exe
Token: 33	3720	powershell.exe
Token: 34	3720	powershell.exe
Token: 35	3720	powershell.exe
Token: 36	3720	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeIncreaseQuotaPrivilege	1008	powershell.exe
Token: SeSecurityPrivilege	1008	powershell.exe
Token: SeTakeOwnershipPrivilege	1008	powershell.exe
Token: SeLoadDriverPrivilege	1008	powershell.exe
Token: SeSystemProfilePrivilege	1008	powershell.exe
Token: SeSystemtimePrivilege	1008	powershell.exe
Token: SeProfSingleProcessPrivilege	1008	powershell.exe
Token: SeIncBasePriorityPrivilege	1008	powershell.exe
Token: SeCreatePagefilePrivilege	1008	powershell.exe
Token: SeBackupPrivilege	1008	powershell.exe
Token: SeRestorePrivilege	1008	powershell.exe
Token: SeShutdownPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeSystemEnvironmentPrivilege	1008	powershell.exe
Token: SeRemoteShutdownPrivilege	1008	powershell.exe
Token: SeUndockPrivilege	1008	powershell.exe
Token: SeManageVolumePrivilege	1008	powershell.exe
Token: 33	1008	powershell.exe
Token: 34	1008	powershell.exe
Token: 35	1008	powershell.exe
Token: 36	1008	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeIncreaseQuotaPrivilege	4380	powershell.exe
Token: SeSecurityPrivilege	4380	powershell.exe
Token: SeTakeOwnershipPrivilege	4380	powershell.exe
Token: SeLoadDriverPrivilege	4380	powershell.exe
Token: SeSystemProfilePrivilege	4380	powershell.exe
Token: SeSystemtimePrivilege	4380	powershell.exe
Token: SeProfSingleProcessPrivilege	4380	powershell.exe
Token: SeIncBasePriorityPrivilege	4380	powershell.exe
Token: SeCreatePagefilePrivilege	4380	powershell.exe
Token: SeBackupPrivilege	4380	powershell.exe
Token: SeRestorePrivilege	4380	powershell.exe
Token: SeShutdownPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
668	7zFM.exe
668	7zFM.exe
668	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 668	1536	cmd.exe	74
PID 1536 wrote to memory of 668	1536	cmd.exe	74
PID 668 wrote to memory of 3552	668	7zFM.exe	76
PID 668 wrote to memory of 3552	668	7zFM.exe	76
PID 3552 wrote to memory of 2148	3552	Latzerus.exe	78
PID 3552 wrote to memory of 2148	3552	Latzerus.exe	78
PID 2148 wrote to memory of 3832	2148	cmd.exe	80
PID 2148 wrote to memory of 3832	2148	cmd.exe	80
PID 3552 wrote to memory of 4584	3552	Latzerus.exe	81
PID 3552 wrote to memory of 4584	3552	Latzerus.exe	81
PID 4584 wrote to memory of 1916	4584	powershell.exe	82
PID 4584 wrote to memory of 1916	4584	powershell.exe	82
PID 1916 wrote to memory of 2084	1916	csc.exe	83
PID 1916 wrote to memory of 2084	1916	csc.exe	83
PID 1508 wrote to memory of 1708	1508	Latzerus.exe	87
PID 1508 wrote to memory of 1708	1508	Latzerus.exe	87
PID 1708 wrote to memory of 2332	1708	cmd.exe	89
PID 1708 wrote to memory of 2332	1708	cmd.exe	89
PID 1508 wrote to memory of 1920	1508	Latzerus.exe	90
PID 1508 wrote to memory of 1920	1508	Latzerus.exe	90
PID 1508 wrote to memory of 4300	1508	Latzerus.exe	91
PID 1508 wrote to memory of 4300	1508	Latzerus.exe	91
PID 1508 wrote to memory of 3720	1508	Latzerus.exe	92
PID 1508 wrote to memory of 3720	1508	Latzerus.exe	92
PID 1920 wrote to memory of 4456	1920	powershell.exe	94
PID 1920 wrote to memory of 4456	1920	powershell.exe	94
PID 4456 wrote to memory of 4880	4456	csc.exe	98
PID 4456 wrote to memory of 4880	4456	csc.exe	98
PID 1508 wrote to memory of 1008	1508	Latzerus.exe	97
PID 1508 wrote to memory of 1008	1508	Latzerus.exe	97
PID 1508 wrote to memory of 4380	1508	Latzerus.exe	100
PID 1508 wrote to memory of 4380	1508	Latzerus.exe	100
PID 2956 wrote to memory of 3568	2956	Latzerus.exe	104
PID 2956 wrote to memory of 3568	2956	Latzerus.exe	104
PID 3568 wrote to memory of 4504	3568	cmd.exe	106
PID 3568 wrote to memory of 4504	3568	cmd.exe	106
PID 2956 wrote to memory of 4220	2956	Latzerus.exe	107
PID 2956 wrote to memory of 4220	2956	Latzerus.exe	107
PID 2956 wrote to memory of 4364	2956	Latzerus.exe	108
PID 2956 wrote to memory of 4364	2956	Latzerus.exe	108
PID 2956 wrote to memory of 1012	2956	Latzerus.exe	109
PID 2956 wrote to memory of 1012	2956	Latzerus.exe	109
PID 4220 wrote to memory of 5104	4220	powershell.exe	111
PID 4220 wrote to memory of 5104	4220	powershell.exe	111
PID 5104 wrote to memory of 3728	5104	csc.exe	112
PID 5104 wrote to memory of 3728	5104	csc.exe	112
PID 2956 wrote to memory of 2348	2956	Latzerus.exe	113
PID 2956 wrote to memory of 2348	2956	Latzerus.exe	113
PID 2956 wrote to memory of 3992	2956	Latzerus.exe	115
PID 2956 wrote to memory of 3992	2956	Latzerus.exe	115
PID 1200 wrote to memory of 2148	1200	Latzerus.exe	119
PID 1200 wrote to memory of 2148	1200	Latzerus.exe	119
PID 2148 wrote to memory of 828	2148	cmd.exe	121
PID 2148 wrote to memory of 828	2148	cmd.exe	121
PID 1200 wrote to memory of 824	1200	Latzerus.exe	122
PID 1200 wrote to memory of 824	1200	Latzerus.exe	122
PID 1200 wrote to memory of 4764	1200	Latzerus.exe	123
PID 1200 wrote to memory of 4764	1200	Latzerus.exe	123
PID 1200 wrote to memory of 1424	1200	Latzerus.exe	124
PID 1200 wrote to memory of 1424	1200	Latzerus.exe	124
PID 824 wrote to memory of 1576	824	powershell.exe	126
PID 824 wrote to memory of 1576	824	powershell.exe	126
PID 1576 wrote to memory of 3708	1576	csc.exe	127
PID 1576 wrote to memory of 3708	1576	csc.exe	127

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\VIRUS DO NOT OPEN.rar"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\VIRUS DO NOT OPEN.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Users\Admin\AppData\Local\Temp\7zOC92342B7\Latzerus.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC92342B7\Latzerus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "chcp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c "Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() #0 hide [Console.Window]::ShowWindow($consolePtr, 0) "
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4584
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4asomugz\4asomugz.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC16B.tmp" "c:\Users\Admin\AppData\Local\Temp\4asomugz\CSCF5301851BAB34724BC8430A039D17FEE.TMP"
        6⤵
        
        PID:2084

C:\Users\Admin\Desktop\Latzerus.exe
"C:\Users\Admin\Desktop\Latzerus.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c "Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() #0 hide [Console.Window]::ShowWindow($consolePtr, 0) "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\divouir1\divouir1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF03C.tmp" "c:\Users\Admin\AppData\Local\Temp\divouir1\CSC9D45F4A05C9141EF96BB4F4B98D94E9.TMP"
      4⤵
      PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" list vms --long"
  2⤵
  PID:4300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380

C:\Users\Admin\Desktop\Latzerus.exe
"C:\Users\Admin\Desktop\Latzerus.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c "Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() #0 hide [Console.Window]::ShowWindow($consolePtr, 0) "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ts3lmyf\5ts3lmyf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B8.tmp" "c:\Users\Admin\AppData\Local\Temp\5ts3lmyf\CSCADE9AE1AC1B54962AC61AA3C4C7A6B.TMP"
      4⤵
      PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" list vms --long"
  2⤵
  PID:4364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3992

C:\Users\Admin\Desktop\Latzerus.exe
"C:\Users\Admin\Desktop\Latzerus.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c "Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() #0 hide [Console.Window]::ShowWindow($consolePtr, 0) "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ylx14p5l\ylx14p5l.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1681.tmp" "c:\Users\Admin\AppData\Local\Temp\ylx14p5l\CSC449BF80431474AFB9F8A9DA6C18D75DC.TMP"
      4⤵
      PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" list vms --long"
  2⤵
  PID:4764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
05ff4b32a83be7a1546287030ad5c483

SHA1
82909ac4ea182e7f5f41fa0a1789f8b4ff166486

SHA256
674f8240dc0b10ac747cd2fc269311a72275ed5fe72983276f352db720b19f9c

SHA512
6d49b550b64cb1d4a26cfc5257e762fc263fa06ccce436a7d4a0ea35be0fb2c3cb8ee9c704a5c036846c03e32ea7f20ea8e4a14dfb4cae810c724a699630624d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d84deb9288e581ebd99f25217636eb20

SHA1
09a58155b3411fa370a14a21258abcc2cfd57e43

SHA256
60742d04ac20a2a626b4cfd422ec4fead0def57910de183bc43e3010ee7a299e

SHA512
45707770beddc7d217266ad1e757c05280d66b022247520b7999d4b86f8656effd57e0d343c908c60909876c4b744099fd5e03ec6e2092b6bf6ef8936cf61d26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
b278f17317bfa85a3fa9b0f6d8b4371d

SHA1
47920f8226e3e3f2a4a5e394a0105d64f642ae26

SHA256
1434e9dc3e9eb464df209692be2d0bff81b3a425d00c6a77ec564acd9e4446bd

SHA512
bc270cce082124d6bdefd32bca07bba645704276889fd4230ff06d8f9497ba2d0a4eb8ee226edde72f1dbe6041091fdd20a2a244ee8605f6edde483313c3a69e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
0fec429648d18c58d3652426b3bf78dc

SHA1
4d8dd9dd56ef50e73814ff713cb9ebb49d172d07

SHA256
83288ad6fca706ff21bdd7d95b30e47a96cf27b83b01e64a88543fbabe901e4c

SHA512
bff8447245f2447a16f42788600dfc7a6f142201e443469e0c5cf00584ac4872fcf8519e5f4fa08e9d7bcd93da63e12670988a34c447f569829a7154ea12bced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
58e041e1c7ff281b665975564999e7a1

SHA1
2307cd5a26cf92aab47728efcc678f3202594282

SHA256
a8585142edd581c45df8cc37d60ba3fc44dc0041b84497c5f49f98c70b067df5

SHA512
f6ba05e21f3cbf933a14d9d63ef7b5bd6e92f3bfa3a553923bb23bb7418ec301857f902866bc69a4b596f91d54ba4137ca9fe7de218222613d4dadeaf8a3a7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
c373cdb8236bb363319af570bd628dfc

SHA1
4f756c7d4a6f6e8494bd884bb9e00646e84e119b

SHA256
68d7a477b2bc5a4bf0f3894860999fa442a5b8653579f8173391dcc43dcbaf47

SHA512
cf8b041f6bfa9608191750a577bd86573656a017af61882db73f3e1f639411855038e3b761965cf04b26a0c0bbec1b6320482e787b7d667e0450c8ffb9ef1ee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
15ce6be4651a0b2ab164329cc539af7e

SHA1
f8ed6153c4572dd8596197d670c8ee7d3066a673

SHA256
b9b18e938e9630150389d9b5e7689f11877492d92acac53404f928305ad49908

SHA512
6267a28e6e5123e182de8ee231f6ddd4f6c57735b5a8bd420eae9d13caa0774eb489272cf85abe59980c450048b7fb2b1c3e5fd7e466a8569c8206702b3c8649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ee70906544eccc7e64c198acac391c76

SHA1
90ddb4eb3de41e1f3d46181a5528f3ea8c6fc8a5

SHA256
41581f90d287979641f10fbb06784edc3c6023900acefbc6e3bd8817c66b6db4

SHA512
89c85df5922b769c7dc30cd9f911b35364a6c874b70ce98748fc7cb9a8c972b7ca345be2f57386bf850cdf389c66a6128253b3e5af100184d857327294a2e278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fbc3b4ba70ebf5e4c033fb75dfb73b11

SHA1
dd86b901d008c0bcd58253ec64bab7edfba701b0

SHA256
433861d4a1bd5125ac5dcda495d594456b94012c96532c892b5c3478b1ef5ef3

SHA512
00b75346711c6237021cf13eaa7ad61403791c3cbeea4ae0465ee76bb4dbeaece5e454db6d42cd2cf4edd1c5112981e53acf62bd328f467a78d1857e369d8665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c7cac0f2a17dc05030f337b160f2d2d8

SHA1
ec064f87e3f2a4f949a19b2ef82bd8555d76bc47

SHA256
5706de0d63418999c8553500c96b5252199d6d1260acb7b3d513669c4273df8c

SHA512
401bb87048facfc8a7e1b8b651b15832b091c358d490950f517f0119cf98b968fb50ad7332b6bb7d4e071ca48c0447d7f167e51adb5bcf40297ab24573b8a487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1896a8626daeb015113710718c307be0

SHA1
2818821532ab5c0d3f39ceba09df1347c508d0c3

SHA256
c1e2d05ec38c26f49c9a455f7a67d5e8dd67e19c5dd03e79e4208c9a6da6b4a1

SHA512
7f8bbe261e3936951642a3502b4b7f11921df13709cb3a13832088f945a15050637db46022a231ee14cbb6a9e8a41b6ed047dbf68635e3dbd1ad18d6620437a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4asomugz\4asomugz.dll

Filesize
3KB

MD5
7fdb299aef9863d10a8c5bb70a2bf5e2

SHA1
dc57891b5d8febda84e64c0c950f670b678c9b0d

SHA256
fedbd0bec6a09f809874734c3896b059f736bd52e3aae7a3b5ca6496484058f1

SHA512
a9048767c0e121acf500a97ab6ae2847f1642b0ccc4570bdf5e8bff7031791548980bf5352e07121437d4bb438860606712073e9feefd2145f6f4a0f6aae47a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ts3lmyf\5ts3lmyf.dll

Filesize
3KB

MD5
cc63e000e81f514b98045a0ccd472af4

SHA1
49f24f01de8db6ff83cb5ab76c0ccd17eadc4930

SHA256
d8979a0a3c2525ee86d38feec62be1b50ae901523c4e134119f49a5d0d616599

SHA512
0b32b30fd03a38955cc255366e3df6bb7e46a6eda3287abe9b626311e9ed487dbf8e89be1863322c7cfc2e3094e288ceff4914eb1d6b85cd43d9df662665aeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC92E2FF7\Latzerus.exe

Filesize
42.3MB

MD5
51b92dcd1f0bebfb8e5dfe430743d567

SHA1
7e8c16dc90ce4ccc93834206623b4ad96b107aab

SHA256
3e7cb1f449eed03063e63882523ef0ddc3d7ca909406314be9dde9a804177500

SHA512
5ad35b8756386cddd529b5145a90a12882711afba34338da11378b3b239d4b028ac76ba81918510567bcd5ed7b17d331de0cfbc53bec0932f2ab9ab4827f344c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC92342B7\Latzerus.exe

Filesize
9.6MB

MD5
d6f89039438d2cd1465ffc00533f7382

SHA1
8b438d0d56d40dedd7d945496f83a010b3050eb4

SHA256
fcc6721465ac23dae0b4446152028bf3deb310aec9ac8ab9198a10025e38688b

SHA512
716f650e79e74d8e434fedd196cb9539ee7a84977b050df4e14778871bf5049f7ffea494e0f35e751dde3965d418fe98e2ea7eb2de5c6e7ef1d43634bd031802

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC92342B7\Latzerus.exe

Filesize
6.4MB

MD5
109ca531f39ae5b5308ec32b49254acb

SHA1
1de83b408110bd2b488f8f761f743f57d13369f8

SHA256
5cc8d4624177040e92c55c5e6ff356dc0cdee63a7b2ca66cabd995a5cb80d437

SHA512
00d8cbabe690f51a73ce36841c241e1850998fb07e886d48e31f1ab730419d47f5db108bbae670e528ea1e98751c5bab292346c1fd694a0852ca2096b7549954

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1681.tmp

Filesize
1KB

MD5
1bbf8dd288a58c3e09a0277c00cbddfe

SHA1
f8c6c8038bc8d0055a1923f06515eee0647423f6

SHA256
e10ac7e5c1b12a3e23f9a937b6a2beee2d40b8ba2dac6244468ef0fe126f2923

SHA512
bc975acb4ad386d67ffa7089f6b699767e655d512476d5eeb8dfe49d5c47f16b06852baf7419fcfaf9f030f2d91f3d0f59b00d3bde65c73da5034393b5b5eef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5B8.tmp

Filesize
1KB

MD5
9115d3fc90ff23abf2b998ed8400e6cb

SHA1
a7814df517d3a46fdde5dec67acb9caf00dc3e36

SHA256
bfe2c67eb867b901cd4a93f019f65fc66e3a7e2c9135f3f19cabde46f700c77f

SHA512
74c2860bf89934e6053a7debd7ef4351779cf38b16c4aa4eec9c3bc195b712bd2c12bac223fd80bd44526fd152e6c42ad239131960c573bebdab816c70a06a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC16B.tmp

Filesize
1KB

MD5
c84a6beefd064aa47888f1712dc4762c

SHA1
21f4855e900ecf11141f7b505f16e1c1aee6acad

SHA256
a2e5e1b63f2334f3d772ef2f33562504ceba98939e026428e7b2b0a4e969ec85

SHA512
6139df90a1e5197fdcad133de86e7e1c48120ccdbf4e73ff5079ba5ca3602998743437c5e0b4b30e04c3d8d35fb0c1fd1d6bc5c091bcb59c7f2105e41939f4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF03C.tmp

Filesize
1KB

MD5
1150deb169d0f3692fd8d762394ac9ff

SHA1
9ea55d55ca077a596b9d15813904cac9d53cb4fa

SHA256
86e52ea0bf3012e586b8360966e3a9284198b78df06ef546ee2dba80be1e546c

SHA512
f26afc9ce4bce9d028ad711739f7e1240b5b2bba14b390b9b3a12995a36bb756d0ece5b4fd27b4a51a45e298e61032d5b6a27b486ef0c8ec1c78c8fc168c736b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojraonae.1pf.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\divouir1\divouir1.dll

Filesize
3KB

MD5
589e2b532a9b3ce0bf7e376d6452056a

SHA1
8a1130dea898e27a719a899f5214e420fc8a693c

SHA256
0256db4151eaa5b6aeb37be9f8abdf83c45160c6b4f6a184ffcaced6db85b4c2

SHA512
4b84219d3c2140f1db1f7107cd32343f4cf4f09302f3a829f39d3dfe9641b73fddc65a72eed933387f0fb46a2f678f5293310623f344fa7c3cf86cc413f5508a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ylx14p5l\ylx14p5l.dll

Filesize
3KB

MD5
2107b5f61dbbf4e49745fd121e611413

SHA1
abe4fbca4b3da0ea15aa99fb539c4a4b71fe1ec6

SHA256
0d2be357d31e3eacd7f07f145ad3d88ee9356fc0a4e0dd14d93dd44fd119425d

SHA512
3ae6ae2b52e951b985b3d4957db3837cc3997bc493abd3f6823b8e0b649d602219f1563ad5ff2b63b0e6a5f33261d4198e6aaa1043eb8a5c3e83d33a035375bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
4c6133b67450cf3271a48b5a156b459b

SHA1
662bd3e8afcb62090673c1eaa6564d93f2008cd3

SHA256
bc23786977684bd2bf25ccea7ea8136496e94aedb40ebebed0720b529fb05395

SHA512
2b6d8bd840554f8bb9970a76a56c334c737677ed5e71e1bce5bc77bffa3bbf9d3ea82c05a116277753213dfef2b77e29ab817a478d95d756685a3e89b9b957f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b3570dfe439fb30c6aacc6b1eabeee2f

SHA1
5df614c41a93ceb12723354860e1b3bb3b192727

SHA256
dfe3f9ef0c66a138aad1800d3dd3a89269901b3d58340208de36f81c46cac3f0

SHA512
d733f26a3b8c0b1e2be3c38cd7890cd29aa4d7ec0abcba203ee5983e812521386adb671a9fb7539e3be443e0ef46548de2e8eb5f48cd4a0f2a7d2b382ef9b81c

Download Submit
C:\Users\Admin\Desktop\Latzerus.exe

Filesize
1.8MB

MD5
c6d6a0d273ecc3158fcb073478d36052

SHA1
fc0e6cb3c7c07afef65bb0b1e821b7907cf15ed4

SHA256
790a88823b7615e5d70035705009bf42d315d2e02bec273229cc9640382522f7

SHA512
9a4f26546bfa2edb075760ed861bb5c572218ec8a89e46626a2c712fdea828aafd610202864e249958198f07277c0c5f1b59cbea37b8bbb6e2cac30cea7e6988

Download Submit
C:\Users\Admin\Desktop\Latzerus.exe

Filesize
10.0MB

MD5
3ba535e1e0082cf95281b1f9c4b0feb1

SHA1
0e87180fd39ef2f213ba72a0a029988fa1d59936

SHA256
fd0096ffc47e7a37267030095717e6f629e99b999b38e87bbb4a5e039b84aaf5

SHA512
75348e755024fd32aca8321bbac1e0a7a3255cd1067d31b0f2e6c6c37f408152854606aaf65410b19ca79b9b6b7903485b348e7fe321c1d47442adce0cce790e

Download Submit
C:\Users\Admin\Desktop\Latzerus.exe

Filesize
6.3MB

MD5
ba7c434d84eb46058d658e73cf888155

SHA1
4362dd5bc7a2c5ca15d58fd79584c96e1e4c73b6

SHA256
2118b2e16aeae8a943e72a10351df4792ae33eec757f3ed7651559b38a51ef9c

SHA512
3d610533c37caa2f9fb97a6d96c2cccd8648215f2c072ff085f152ce4d3edee1a62e7cd071c09b9fa792392b6001b8c3d7b54fea6ebe57c5da8d6fffec6ab444

Download Submit
C:\Users\Admin\Desktop\Latzerus.exe

Filesize
3.7MB

MD5
2a7afdc176435db30eb3ca66b9ddc8b2

SHA1
3fe312b04b0cdfa8c0c3a4025af37e787ecf0030

SHA256
8f2c75c39b78f9ec4b7749315f0f6920caa78544ba96ccc208d577714ba48923

SHA512
e4324edd5f6340285b241a9c9cbea0e97044e67cfaf58e9b3222aabd7d4361988b8249a1a0daa9f630a304e3673a9cef03d10875ee2f8c5c3c2ed8a4827476c5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4asomugz\4asomugz.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4asomugz\4asomugz.cmdline

Filesize
369B

MD5
614a3afda3b3922a5d6a6584dfe80a37

SHA1
1ae6f9e66b50aecefdc45cad68ac2cff74b20c69

SHA256
357f67eea1ee88004b03f72200ebf84dbb2bc2f0d083110b25bbb6f872084a13

SHA512
682d3964e19e02d942d661a1ef14ec2c5fa20923f4a9335b94c28cb1636ecbeef491de1b2c3b06d92897649bceb0fb891d7e6c658a392f6659b7a7c4a45abeb4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4asomugz\CSCF5301851BAB34724BC8430A039D17FEE.TMP

Filesize
652B

MD5
b593e05d1c04fa5ba5966d7f3b74f031

SHA1
3fdbdb5789fcbf30a5cda4bd1b5ea81131a9e4c8

SHA256
a27ff2638330915ccefedc3ef634888da3f9670930ea65f10f922faa7e1ee55a

SHA512
cae163796ec8dd9d9bc355aacfbeb23c3fc122bf5cd77fdfb8971e6d0bc7010a427b8835ede9fe1559ae78075ceb556c5f63070dc49ab6a3fc13e1c27fae7cfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ts3lmyf\5ts3lmyf.cmdline

Filesize
369B

MD5
17c4735db479fb0e4bf9e38447c8232c

SHA1
700aae42d01b3c430bc4b59c99f03443f1b2623b

SHA256
d64c07dc8b3487941822c2e0fed3c4b40cb049df27637aee658ddd6838095dcd

SHA512
b6a1295eefe8496d20b5b596ad1fdf6456096ffbc1c6c6b5663462a9aa63e70c7130f5963bf6c65ca1c590959373ea78ae236a5ff3b24611177eb4db5e855d43

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ts3lmyf\CSCADE9AE1AC1B54962AC61AA3C4C7A6B.TMP

Filesize
652B

MD5
963c909faf44c47f47f4c458288de840

SHA1
df7a68dcefdf6f20aba2d24de80970a9deaf3525

SHA256
bdc7ccab822261535d77286926839a16420bc1ccbc2bf4353383757c92390626

SHA512
4dc0cecee9e7a8e5783e87fac062115f2f1053283858055097f28a4f9b3a8d670c8ea416571a14c14655d59464ffa59ae4d61208cd94d35ebcc7b7cde6984d96

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\divouir1\CSC9D45F4A05C9141EF96BB4F4B98D94E9.TMP

Filesize
652B

MD5
031e2e2321aa82678b2137e6e995aae6

SHA1
14dddb719e3ba25657f62cdc9b383d61ad225063

SHA256
236d96bcf1d3921e7521e4f190f84df4481ac81a549ab2327e1862c4ab458c14

SHA512
c7ca540fd7ca52dde31f6006ffec898317db6fdc8d67e8c42e6729f26b8bea9d9ca295758267ce04aa57e6680ed8528372a196bfc3eff09d3feb8c2de25ec921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\divouir1\divouir1.cmdline

Filesize
369B

MD5
198056bf8e0294c2df4b61aaa8ba7fe4

SHA1
32fb49140b6f64603ddedc8ed5b0f07ff68da1ea

SHA256
cf0dbba5014bd52dd2e1e796356870a2dbd7d2a20d3b87d30c1311ef86e9fbd6

SHA512
639c5661ae862f8b858ef745dbdca0286be568487fcb7d393b69a75e7c976f046ffb7fc046e66ab5e1b1ad2447f6470ba9d325b0183afea4133571a7c5c1ef55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ylx14p5l\CSC449BF80431474AFB9F8A9DA6C18D75DC.TMP

Filesize
652B

MD5
3a655612e36b7bd4f1af7515b4cfd6de

SHA1
eeb72bdc2d3571784bd0dbb6b0312acd6add415e

SHA256
a7059ce63e2ed6bb7e993e032b2975e2576d0e559a49c70ae39dbffcb6f807fa

SHA512
e67fa3fde5120985c516efc9821be4f77bdc76619f397af5dddc7e8cc904bccbf93c06f65f2286d6c6b13cc770f9ae6671df7cd0823d295147d74b876b9427ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ylx14p5l\ylx14p5l.cmdline

Filesize
369B

MD5
80d1d63a805fcafcbcbe50d43c2ef59d

SHA1
e133de7a297e827a4bb960f1b535a947b9c432cd

SHA256
e63f176acbbf5867a1f38f0a38aca71347e1919aa873d103525ca130f9bc73e1

SHA512
4ddb63a74cc5e53ef9e4edfcbeb3749b93e820ac65b339902206f48d34d32a3cff89d6ee0b8807e25dc16aa4fa8cd8f77833a6082612093932da6d781d48c923

Download Submit
memory/824-1779-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/824-1706-0x000002249B0A0000-0x000002249B0B0000-memory.dmp

Filesize
64KB

Download
memory/824-1777-0x000002249B0A0000-0x000002249B0B0000-memory.dmp

Filesize
64KB

Download
memory/824-1769-0x0000022482EE0000-0x0000022482EE8000-memory.dmp

Filesize
32KB

Download
memory/824-1701-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/824-1708-0x000002249B0A0000-0x000002249B0B0000-memory.dmp

Filesize
64KB

Download
memory/1008-375-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1008-377-0x00000200AA120000-0x00000200AA130000-memory.dmp

Filesize
64KB

Download
memory/1008-378-0x00000200AA120000-0x00000200AA130000-memory.dmp

Filesize
64KB

Download
memory/1008-605-0x00000200AA120000-0x00000200AA130000-memory.dmp

Filesize
64KB

Download
memory/1008-622-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1012-1183-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1012-1177-0x000001FC575B0000-0x000001FC575C0000-memory.dmp

Filesize
64KB

Download
memory/1012-903-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1012-904-0x000001FC575B0000-0x000001FC575C0000-memory.dmp

Filesize
64KB

Download
memory/1424-1996-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1424-1711-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1424-1992-0x00000225CA1A0000-0x00000225CA1B0000-memory.dmp

Filesize
64KB

Download
memory/1424-1715-0x00000225CA1A0000-0x00000225CA1B0000-memory.dmp

Filesize
64KB

Download
memory/1424-1714-0x00000225CA1A0000-0x00000225CA1B0000-memory.dmp

Filesize
64KB

Download
memory/1920-83-0x000002118D930000-0x000002118D940000-memory.dmp

Filesize
64KB

Download
memory/1920-77-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1920-79-0x000002118D930000-0x000002118D940000-memory.dmp

Filesize
64KB

Download
memory/1920-151-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1920-140-0x00000211A5D90000-0x00000211A5D98000-memory.dmp

Filesize
32KB

Download
memory/1920-149-0x000002118D930000-0x000002118D940000-memory.dmp

Filesize
64KB

Download
memory/2332-2003-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2348-1436-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2348-1435-0x000001C73F020000-0x000001C73F030000-memory.dmp

Filesize
64KB

Download
memory/2348-1191-0x000001C73F020000-0x000001C73F030000-memory.dmp

Filesize
64KB

Download
memory/2348-1189-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2348-1190-0x000001C73F020000-0x000001C73F030000-memory.dmp

Filesize
64KB

Download
memory/3720-82-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3720-370-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3720-85-0x000001BAEAEA0000-0x000001BAEAEB0000-memory.dmp

Filesize
64KB

Download
memory/3720-86-0x000001BAEAEA0000-0x000001BAEAEB0000-memory.dmp

Filesize
64KB

Download
memory/3720-144-0x000001BAEB410000-0x000001BAEB44C000-memory.dmp

Filesize
240KB

Download
memory/3720-324-0x000001BAEB480000-0x000001BAEB4AA000-memory.dmp

Filesize
168KB

Download
memory/3720-343-0x000001BAEB480000-0x000001BAEB4A2000-memory.dmp

Filesize
136KB

Download
memory/3720-352-0x000001BAEAEA0000-0x000001BAEAEB0000-memory.dmp

Filesize
64KB

Download
memory/3992-1447-0x0000023AF1DF0000-0x0000023AF1E00000-memory.dmp

Filesize
64KB

Download
memory/3992-1444-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3992-1689-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3992-1677-0x0000023AF1DF0000-0x0000023AF1E00000-memory.dmp

Filesize
64KB

Download
memory/3992-1445-0x0000023AF1DF0000-0x0000023AF1E00000-memory.dmp

Filesize
64KB

Download
memory/4220-890-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/4220-973-0x000001E53F200000-0x000001E53F210000-memory.dmp

Filesize
64KB

Download
memory/4220-965-0x000001E53F1F0000-0x000001E53F1F8000-memory.dmp

Filesize
32KB

Download
memory/4220-895-0x000001E53F200000-0x000001E53F210000-memory.dmp

Filesize
64KB

Download
memory/4220-894-0x000001E53F200000-0x000001E53F210000-memory.dmp

Filesize
64KB

Download
memory/4220-974-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/4380-631-0x0000023A3F0D0000-0x0000023A3F0E0000-memory.dmp

Filesize
64KB

Download
memory/4380-629-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/4380-630-0x0000023A3F0D0000-0x0000023A3F0E0000-memory.dmp

Filesize
64KB

Download
memory/4380-872-0x0000023A3F0D0000-0x0000023A3F0E0000-memory.dmp

Filesize
64KB

Download
memory/4380-876-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/4584-55-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download
memory/4584-50-0x00000210FED80000-0x00000210FED90000-memory.dmp

Filesize
64KB

Download
memory/4584-48-0x00000210FEEB0000-0x00000210FEEB8000-memory.dmp

Filesize
32KB

Download
memory/4584-21-0x00000210FF170000-0x00000210FF1E6000-memory.dmp

Filesize
472KB

Download
memory/4584-18-0x00000210FEEC0000-0x00000210FEEE2000-memory.dmp

Filesize
136KB

Download
memory/4584-17-0x00000210FED80000-0x00000210FED90000-memory.dmp

Filesize
64KB

Download
memory/4584-16-0x00000210FED80000-0x00000210FED90000-memory.dmp

Filesize
64KB

Download
memory/4584-15-0x00007FF9272E0000-0x00007FF927CCC000-memory.dmp

Filesize
9.9MB

Download