zgrat | db095ae406f75b62e5d37408aa744fa4373249383b377a391bb31b551f095dd7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe
Size

811KB
MD5

fdc4abf2e1c2e105b0fa96ccfc96a9b1
SHA1

4cff46ba63bf0437bc3e64107ca175ce09b5dc8e
SHA256

db095ae406f75b62e5d37408aa744fa4373249383b377a391bb31b551f095dd7
SHA512

251382140f53f9d6ba7f421cff7a2edb899d36c7b7f4857614f93101e9abd2b3aa27dc1a8bc6f5361c58e66ce99a14aa5587b37c2fbe16d2fcb8aa304f40aea8
SSDEEP

12288:9VLFvth+w7GodQpbelTL3P8oDP/qDHNmzkmx61RVvriwUE47DRC3QVfF62Ud:9vv/Nv+kTTVPaHFmIBv7IfR8Qo

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/2724-317-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-318-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-320-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-322-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-324-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-326-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-328-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-330-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-332-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-348-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-346-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-344-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-350-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-342-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-340-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-352-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-338-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-354-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-362-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-360-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-358-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-356-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-370-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-368-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-366-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-364-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-336-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-374-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-378-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-380-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-376-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-372-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-334-0x00000000014B0000-0x0000000001512000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
5024	powershell.exe
5024	powershell.exe
4108	powershell.exe
4108	powershell.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
2308	powershell.exe
2308	powershell.exe
2308	powershell.exe
1472	powershell.exe
1472	powershell.exe
1472	powershell.exe
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
2008	powershell.exe
2008	powershell.exe
1304	powershell.exe
1304	powershell.exe
1368	powershell.exe
1368	powershell.exe
4848	powershell.exe
4848	powershell.exe
4924	powershell.exe
4924	powershell.exe
752	powershell.exe
752	powershell.exe
3052	powershell.exe
3052	powershell.exe
224	powershell.exe
224	powershell.exe
4896	powershell.exe
4896	powershell.exe
1012	powershell.exe
1012	powershell.exe
3620	powershell.exe
3620	powershell.exe
540	powershell.exe
540	powershell.exe
868	powershell.exe
868	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeIncreaseQuotaPrivilege	5024	powershell.exe
Token: SeSecurityPrivilege	5024	powershell.exe
Token: SeTakeOwnershipPrivilege	5024	powershell.exe
Token: SeLoadDriverPrivilege	5024	powershell.exe
Token: SeSystemProfilePrivilege	5024	powershell.exe
Token: SeSystemtimePrivilege	5024	powershell.exe
Token: SeProfSingleProcessPrivilege	5024	powershell.exe
Token: SeIncBasePriorityPrivilege	5024	powershell.exe
Token: SeCreatePagefilePrivilege	5024	powershell.exe
Token: SeBackupPrivilege	5024	powershell.exe
Token: SeRestorePrivilege	5024	powershell.exe
Token: SeShutdownPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeSystemEnvironmentPrivilege	5024	powershell.exe
Token: SeRemoteShutdownPrivilege	5024	powershell.exe
Token: SeUndockPrivilege	5024	powershell.exe
Token: SeManageVolumePrivilege	5024	powershell.exe
Token: 33	5024	powershell.exe
Token: 34	5024	powershell.exe
Token: 35	5024	powershell.exe
Token: 36	5024	powershell.exe
Token: SeIncreaseQuotaPrivilege	5024	powershell.exe
Token: SeSecurityPrivilege	5024	powershell.exe
Token: SeTakeOwnershipPrivilege	5024	powershell.exe
Token: SeLoadDriverPrivilege	5024	powershell.exe
Token: SeSystemProfilePrivilege	5024	powershell.exe
Token: SeSystemtimePrivilege	5024	powershell.exe
Token: SeProfSingleProcessPrivilege	5024	powershell.exe
Token: SeIncBasePriorityPrivilege	5024	powershell.exe
Token: SeCreatePagefilePrivilege	5024	powershell.exe
Token: SeBackupPrivilege	5024	powershell.exe
Token: SeRestorePrivilege	5024	powershell.exe
Token: SeShutdownPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeSystemEnvironmentPrivilege	5024	powershell.exe
Token: SeRemoteShutdownPrivilege	5024	powershell.exe
Token: SeUndockPrivilege	5024	powershell.exe
Token: SeManageVolumePrivilege	5024	powershell.exe
Token: 33	5024	powershell.exe
Token: 34	5024	powershell.exe
Token: 35	5024	powershell.exe
Token: 36	5024	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeIncreaseQuotaPrivilege	4108	powershell.exe
Token: SeSecurityPrivilege	4108	powershell.exe
Token: SeTakeOwnershipPrivilege	4108	powershell.exe
Token: SeLoadDriverPrivilege	4108	powershell.exe
Token: SeSystemProfilePrivilege	4108	powershell.exe
Token: SeSystemtimePrivilege	4108	powershell.exe
Token: SeProfSingleProcessPrivilege	4108	powershell.exe
Token: SeIncBasePriorityPrivilege	4108	powershell.exe
Token: SeCreatePagefilePrivilege	4108	powershell.exe
Token: SeBackupPrivilege	4108	powershell.exe
Token: SeRestorePrivilege	4108	powershell.exe
Token: SeShutdownPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeSystemEnvironmentPrivilege	4108	powershell.exe
Token: SeRemoteShutdownPrivilege	4108	powershell.exe
Token: SeUndockPrivilege	4108	powershell.exe
Token: SeManageVolumePrivilege	4108	powershell.exe
Token: 33	4108	powershell.exe
Token: 34	4108	powershell.exe
Token: 35	4108	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 5024	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	87
PID 2724 wrote to memory of 5024	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	87
PID 2724 wrote to memory of 5024	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	87
PID 2724 wrote to memory of 4108	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	95
PID 2724 wrote to memory of 4108	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	95
PID 2724 wrote to memory of 4108	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	95
PID 2724 wrote to memory of 4868	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	100
PID 2724 wrote to memory of 4868	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	100
PID 2724 wrote to memory of 4868	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	100
PID 2724 wrote to memory of 2308	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	103
PID 2724 wrote to memory of 2308	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	103
PID 2724 wrote to memory of 2308	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	103
PID 2724 wrote to memory of 1472	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	106
PID 2724 wrote to memory of 1472	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	106
PID 2724 wrote to memory of 1472	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	106
PID 2724 wrote to memory of 4736	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	108
PID 2724 wrote to memory of 4736	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	108
PID 2724 wrote to memory of 4736	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	108
PID 2724 wrote to memory of 4760	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	110
PID 2724 wrote to memory of 4760	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	110
PID 2724 wrote to memory of 4760	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	110
PID 2724 wrote to memory of 2008	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	112
PID 2724 wrote to memory of 2008	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	112
PID 2724 wrote to memory of 2008	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	112
PID 2724 wrote to memory of 1304	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	114
PID 2724 wrote to memory of 1304	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	114
PID 2724 wrote to memory of 1304	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	114
PID 2724 wrote to memory of 1368	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	119
PID 2724 wrote to memory of 1368	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	119
PID 2724 wrote to memory of 1368	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	119
PID 2724 wrote to memory of 4848	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	124
PID 2724 wrote to memory of 4848	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	124
PID 2724 wrote to memory of 4848	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	124
PID 2724 wrote to memory of 4924	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	126
PID 2724 wrote to memory of 4924	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	126
PID 2724 wrote to memory of 4924	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	126
PID 2724 wrote to memory of 752	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	128
PID 2724 wrote to memory of 752	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	128
PID 2724 wrote to memory of 752	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	128
PID 2724 wrote to memory of 3052	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	130
PID 2724 wrote to memory of 3052	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	130
PID 2724 wrote to memory of 3052	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	130
PID 2724 wrote to memory of 224	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	132
PID 2724 wrote to memory of 224	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	132
PID 2724 wrote to memory of 224	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	132
PID 2724 wrote to memory of 4896	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	138
PID 2724 wrote to memory of 4896	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	138
PID 2724 wrote to memory of 4896	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	138
PID 2724 wrote to memory of 1012	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	140
PID 2724 wrote to memory of 1012	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	140
PID 2724 wrote to memory of 1012	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	140
PID 2724 wrote to memory of 3620	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	142
PID 2724 wrote to memory of 3620	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	142
PID 2724 wrote to memory of 3620	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	142
PID 2724 wrote to memory of 540	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	144
PID 2724 wrote to memory of 540	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	144
PID 2724 wrote to memory of 540	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	144
PID 2724 wrote to memory of 868	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	151
PID 2724 wrote to memory of 868	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	151
PID 2724 wrote to memory of 868	2724	fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe	151

C:\Users\Admin\AppData\Local\Temp\fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1304
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3052
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:224
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
d296542d2609f1b29f981ec23be58bf4

SHA1
d3b998a7d63095dab7d29232a06feead87cca8e0

SHA256
6b6f2e279a85c2565b7a4d857fd87459fcb54db6efa1f97b90bd6985e0948ac1

SHA512
0a1624e44d1f0bc4c3510a6949dfb8d1c82160c0bce2bd776a231280ccbc6fe182d94b60f5d5f61ecfeede2e803869fc7f685a7624c331a707e9c7defa79d82c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
34bf0218b33f260f3f87557a98b13b27

SHA1
30c43e4451893d2fd6169bc0a9ed712824c4c224

SHA256
c1e55885d40e12e0880c51f8701d1ff51532af1e503c24fa5012a7677c17c4c8

SHA512
bd164f078a4507c2de9ccba1c7b994be757360c78b000d030fe502b80c7e29147d5647f7d5d42cb9291ec474d7c85c76889c1f82de83a27b398ecce239550502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
0563658041b8970fc873ae600795985f

SHA1
405ca5fbeb89287fa71f1f3936773cd9c6d42232

SHA256
4604e991735110cbb509121f170969e799e1e46bc75590d66e0ffc0989cfdbc2

SHA512
de39a73853f7e110fa8e9b530866f2fa1c1e21e9e5862939e89cf3b74d2130705d8cfe74575f7c1b2098662e0e03abcb09cb6f7314b5ed39746ad6545131bcad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
aa5a785652164723272690e701c9cb67

SHA1
e36fadc831266aad7580c120cccae58e7f7166df

SHA256
47dab0799fa634bf843faf5e847bd919dba08fba9fc4ba755c7c07278d4869c4

SHA512
184405c6471bfddf9f3b7c4e74c409aa39e1dca7f90894f2e051d30a0b3dd6d5fd7b73bd59898b924740d29909fabd113295baf8519a8fa5cc763c6122349c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
70645fafc67f3c197bdf3b8155f77825

SHA1
3ba9ea0a0679ce5be49baeb19bf36a217ac1889e

SHA256
1a9b42240b4f87fed6011a34ab6299495a41f97eb89aa1542f255322986ebc25

SHA512
86a3028f750d455a8d0b0b93634b17efa702c2f75a003e99e22a5ac39408dc39d078313ad09111b3280fa6c9bd7a4b93b0d67ba5c1e21386d1ec9f250d02f49a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
9c0a9c3d0a9c23efa0b19a7d9b8bccec

SHA1
2f80319635c91a4f7435d793b859a8319e9340e8

SHA256
52da95aeb2845879f17a81da9ae956ff4ac65e583f0abff45da4ca287d2ff62d

SHA512
0fbe7724752cf3e558153eaf9f99546fa71bb4e78a857fe01b78532f68d42a50a26d3360a1fcb9eccbd16a2cede85baa60a9d768eb0a4f430016f91e7e6b365e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
f3e5f86ec7544f0ca885dcb9bdb70b94

SHA1
13f91bd3bd64c01d74761bd2b65ebc1acbd3c47e

SHA256
54beef18738d43eac878c23557f61f0c73d675bbc50b78597b383e12b5bac8f2

SHA512
949267e9f0fe974f72cc6ab8bd9d99cb3db94740588e1d01ed11d9770f523ef560d1a2a074ace3b6cc4d82217bdf5e1b4b38161dabad327e1ff0c65f67fc2534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
99009be90faa96a7194f5e4459655f9d

SHA1
1df0a95d74b0b7852bb0be6425ab482233eac206

SHA256
7dcb102905484cd901e1f4edfb04294b370f6270f337d6ffb1e0cc8b51cc6889

SHA512
f5a4e78ad175b3dfc04f16202e47cb2914d7ff2b7bc09404c108662e2fdf709ca62fa5d28481d519f1285c062562cbd31a55a76f2a3b6a03c81eb03eb9f3243c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
789d1cc8cc2f8ccb217f825d74aa8e68

SHA1
b4174e41171356b8d7bcf12f28b281153af6536a

SHA256
d17805cf17f7c7c730a494d25fb513d935f60f904dab4f5a72d8f1dc1ef35b71

SHA512
13d1f8d4142fbc5eae134278d7dda4cc0341cb527e7ac729503daaecca8bbbceb02a017f6b902151aba63f56c793f0e2fc3ad990274270e1ecee56a9a6f44fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
516cdc032f8bbf2ca5e002f99a7402a1

SHA1
cce4abf0885130630edbf28dd3eaa14b5fdf2257

SHA256
051c3a8700fe9af53d2823af5972215a0fa9754be626bb924cbb337b59fa24d5

SHA512
69f2333205598d8284591928080f7d85ad94c0da605375a7fd4a588cf783d55cf7be65b2bf6b0a5fbde37f97323acca36c9a1a11c6c344b2af0ca30bbf9a3511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
3db21c60eb171fe2b373d62e92208f6f

SHA1
595ee445434a285db83f3b708411f39b11b5cbe8

SHA256
2c408d2ffc258e2b8b70f22015288d2c7c61edd97e8f4916a698791ab41a36c3

SHA512
810073ef7898a8db62e9c96216e5dd7b90a0701307b7d9a46cb58b9e5c5922d2eadc6493ffac659629220745af45df5ccfe71bd1dbea53e77ee2fef5785161f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
b032470124d1516f37d96868221a1b7e

SHA1
83f456fb8989b131432fe7c5658b43f1853fadfa

SHA256
61d56c787a6765c64c66899cf4e97cf8b00463e158a978b29686c92610fabe21

SHA512
632c3dd020bbcfbf83a55789e612810aaac993c065a6d740d94f1eade8a4a10b7cb7ef5dfd0def45557b59cba7cda2c8f2011e15478b7bc6e54461571abe8b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
5247dc196042755479564edda21bb9b5

SHA1
108149766a3941f906cf0e95ae31ac4f86811747

SHA256
0fe4ed6f6700a2306d89ab1ef05c0f3c8f597f619190755962a6599cef7793bc

SHA512
82d94bd516b0383dd1c8f88fa61f74ab5860288923d4d64b415a555e9a3f651c566e8f699e492274b1eecde85cb81a3f8a3721516e183d4a8e78f5d2ee7dd068

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
1ac849831aa899167170dfa1dd295b39

SHA1
fdf17b0439035026d2ddbb812abe3c1ecf896a14

SHA256
25ec95893e2455a452e92a99ff640be6d7c489f229e0b0f421254b6fe477d84d

SHA512
e2b309253c301201cb335de83b7fec1fd82e885335b2ab92f8b976033effa37d925c8851a186f29f51ee668271f34e7f9b67546fc0b0ad51eb1b3adfd9129a17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
90cf21b14adad3a72a35e8890de59521

SHA1
c43213f57616c5a2d060c988ed22b10a39333601

SHA256
cda48964c1d82d16a1175b6fd616fa4cdc0b1b00c9611ac18d136939322a4cfd

SHA512
7e6f7efa54eaa6dbe9f6f75b48be0f75b08890c927b0eb0042b9cad92f48ece4e1878bf0b8b4984d72aca1b70aa772215f7cf645d224c7eb5896321751fa3d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
a7a7ab2c5317e25e8aa4f7b4f06a452b

SHA1
b4828b2b8b44b18856a6daf81ac7f49a9381da18

SHA256
eae2a2e0add86df12e262ee1d99381a34744e87217174142051e17a5b65a760d

SHA512
311ac6fd8cd1de4988640d4850c89afc49a9f812755b8a0b3a41a30198769135264223febeb4ddc0905690ac6f87773d32bd0196b796004727e549ca12d438a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
183a94b84dc8c971b7182603e8063d75

SHA1
c86c5bdc8745843fb2df74ead74917feb8b2e20d

SHA256
8055f75731e21cdb437a875781b6624cb3500d93ca3672cdd3c21d25374efdbd

SHA512
b54e470bcd674d1782d4b1885f4789b9dc35251dc3515c332db492707cf6372730e523dc0bb17325151d7bab07f3a24dd838907eeae6178ec33e6d0ddaee9576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
4d2b72217b799a66f47aaf829016bed0

SHA1
67df65eff39b9d8844ff0a97a759102815351ad1

SHA256
fb0ec29244fc439d54bfcb7a6e509f1e7792301fc21cd6e202f370906c808b96

SHA512
ba93304d13cc24a0ffa6757572eed7bd0d3c9a97bcba15ccaaeaf35fa21d4cff1f2e4f08ecdaa43e0c37e9f22644befa21456910ac51440ee613ee65db01891f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
f88695f34fff38d291e5774c820d42b0

SHA1
80da8aa06474e3f596df3a8e5c613f088e489772

SHA256
826b2f19ffbbc05a298672ea3ccfd4f0a6feba677dc63bcb850ab73d8250e687

SHA512
785e6e4f9d69faa8a60b8debdb45a77ddbcfc71743a03b6eb8c1eb628b92c4529eb96d6ee9fdd6492a7fd59daf966c340af6ca06c3a9265630204daf85fc2e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwnympjn.q0o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1304-143-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/1304-144-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/1304-156-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/1368-170-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/1368-158-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1368-157-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/1472-96-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/1472-84-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/1472-83-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/1472-82-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2008-127-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2008-128-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/2008-129-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/2008-139-0x0000000005B80000-0x0000000005ED4000-memory.dmp

Filesize
3.3MB

Download
memory/2008-142-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2308-81-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2308-67-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2308-68-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/2308-69-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/2724-48-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2724-342-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-334-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-372-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-376-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-380-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-49-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/2724-378-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-374-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-0-0x0000000000A40000-0x0000000000B0E000-memory.dmp

Filesize
824KB

Download
memory/2724-336-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-364-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-366-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-368-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-370-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-356-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-358-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-360-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-362-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-354-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-338-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-352-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-340-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-350-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-344-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-346-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-348-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-332-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-330-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-328-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-326-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-324-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-322-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-320-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-318-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-317-0x00000000014B0000-0x0000000001512000-memory.dmp

Filesize
392KB

Download
memory/2724-1-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2724-2-0x00000000059B0000-0x0000000005F54000-memory.dmp

Filesize
5.6MB

Download
memory/2724-3-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/2724-6-0x0000000005590000-0x00000000055E4000-memory.dmp

Filesize
336KB

Download
memory/2724-5-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/2724-4-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4108-51-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4108-36-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/4108-46-0x0000000006650000-0x00000000069A4000-memory.dmp

Filesize
3.3MB

Download
memory/4108-35-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4736-110-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4736-98-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/4736-97-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4760-114-0x00000000054D0000-0x0000000005824000-memory.dmp

Filesize
3.3MB

Download
memory/4760-111-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4760-113-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4760-112-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4760-126-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4848-171-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4848-172-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/4848-184-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4868-52-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4868-66-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4868-53-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/4868-54-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/4924-185-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/5024-12-0x0000000005A90000-0x0000000005AB2000-memory.dmp

Filesize
136KB

Download
memory/5024-33-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/5024-30-0x0000000008E50000-0x00000000094CA000-memory.dmp

Filesize
6.5MB

Download
memory/5024-29-0x0000000006F00000-0x0000000006F22000-memory.dmp

Filesize
136KB

Download
memory/5024-28-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

Filesize
104KB

Download
memory/5024-27-0x00000000079C0000-0x0000000007A56000-memory.dmp

Filesize
600KB

Download
memory/5024-26-0x0000000006A70000-0x0000000006ABC000-memory.dmp

Filesize
304KB

Download
memory/5024-25-0x00000000069E0000-0x00000000069FE000-memory.dmp

Filesize
120KB

Download
memory/5024-20-0x0000000006350000-0x00000000066A4000-memory.dmp

Filesize
3.3MB

Download
memory/5024-13-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/5024-14-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/5024-7-0x0000000003070000-0x00000000030A6000-memory.dmp

Filesize
216KB

Download
memory/5024-11-0x0000000003060000-0x0000000003070000-memory.dmp

Filesize
64KB

Download
memory/5024-10-0x0000000003060000-0x0000000003070000-memory.dmp

Filesize
64KB

Download
memory/5024-9-0x0000000005B90000-0x00000000061B8000-memory.dmp

Filesize
6.2MB

Download
memory/5024-8-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download