5293e722ecf4aa4b69f8b01bb782bf514c623ec63e22949410fcb938a1a3d8b0

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RealtimeBoard.exe
Size

136KB
MD5

40a78bf9882e1d7b99352fdda1eef11a
SHA1

ed8f7830235a5be40d5af83fd55415b29b517f3a
SHA256

f3516fc05db7effe77ed049b0982018184e53a60315c773dbb57c25ceff6f094
SHA512

0ed063f74efa1b9436568b21132ff66118013a5444bc2c453e1d5b478709ac1495447b2b0dd009e35ba28e0faa98b7e83965df9e1c2ca2b34a6f45a5c55d5240
SSDEEP

1536:3ZtYtHQknoQI8Cp5i1Np1IWT+l6G77YRmxV:3ZzQcfiJGYO

Score

5^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	RealtimeBoard.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4500	powershell.exe
4280	powershell.exe
2384	powershell.exe
1068	powershell.exe
2540	powershell.exe
4728	powershell.exe
5028	powershell.exe
4608	powershell.exe
2316	powershell.exe
664	powershell.exe
2532	powershell.exe
1300	powershell.exe
4416	powershell.exe
4448	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Miro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Miro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Miro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Miro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Miro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Miro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Miro.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\miroapp\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Miro.exe\" \"%1\""	Miro.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\miroapp	Miro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\miroapp\URL Protocol	Miro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\miroapp\ = "URL:miroapp"	Miro.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\miroapp\shell\open\command	Miro.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\miroapp\shell	Miro.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\miroapp\shell\open	Miro.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4416	powershell.exe
4416	powershell.exe
4448	powershell.exe
4448	powershell.exe
4728	powershell.exe
4728	powershell.exe
1300	powershell.exe
1300	powershell.exe
664	powershell.exe
664	powershell.exe
2532	powershell.exe
2532	powershell.exe
2532	powershell.exe
2384	powershell.exe
2384	powershell.exe
4416	powershell.exe
4728	powershell.exe
1300	powershell.exe
4448	powershell.exe
2384	powershell.exe
664	powershell.exe
2316	powershell.exe
2316	powershell.exe
4500	powershell.exe
4500	powershell.exe
5028	powershell.exe
5028	powershell.exe
2540	powershell.exe
2540	powershell.exe
1068	powershell.exe
1068	powershell.exe
4608	powershell.exe
4608	powershell.exe
4280	powershell.exe
4280	powershell.exe
1068	powershell.exe
2316	powershell.exe
5028	powershell.exe
4608	powershell.exe
2540	powershell.exe
4280	powershell.exe
4500	powershell.exe
1752	Miro.exe
1752	Miro.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeShutdownPrivilege	1748	Miro.exe
Token: SeCreatePagefilePrivilege	1748	Miro.exe
Token: SeShutdownPrivilege	1748	Miro.exe
Token: SeCreatePagefilePrivilege	1748	Miro.exe
Token: SeIncreaseQuotaPrivilege	4416	powershell.exe
Token: SeSecurityPrivilege	4416	powershell.exe
Token: SeTakeOwnershipPrivilege	4416	powershell.exe
Token: SeLoadDriverPrivilege	4416	powershell.exe
Token: SeSystemProfilePrivilege	4416	powershell.exe
Token: SeSystemtimePrivilege	4416	powershell.exe
Token: SeProfSingleProcessPrivilege	4416	powershell.exe
Token: SeIncBasePriorityPrivilege	4416	powershell.exe
Token: SeCreatePagefilePrivilege	4416	powershell.exe
Token: SeBackupPrivilege	4416	powershell.exe
Token: SeRestorePrivilege	4416	powershell.exe
Token: SeShutdownPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeSystemEnvironmentPrivilege	4416	powershell.exe
Token: SeRemoteShutdownPrivilege	4416	powershell.exe
Token: SeUndockPrivilege	4416	powershell.exe
Token: SeManageVolumePrivilege	4416	powershell.exe
Token: 33	4416	powershell.exe
Token: 34	4416	powershell.exe
Token: 35	4416	powershell.exe
Token: 36	4416	powershell.exe
Token: SeIncreaseQuotaPrivilege	4728	powershell.exe
Token: SeSecurityPrivilege	4728	powershell.exe
Token: SeTakeOwnershipPrivilege	4728	powershell.exe
Token: SeLoadDriverPrivilege	4728	powershell.exe
Token: SeSystemProfilePrivilege	4728	powershell.exe
Token: SeSystemtimePrivilege	4728	powershell.exe
Token: SeProfSingleProcessPrivilege	4728	powershell.exe
Token: SeIncBasePriorityPrivilege	4728	powershell.exe
Token: SeCreatePagefilePrivilege	4728	powershell.exe
Token: SeBackupPrivilege	4728	powershell.exe
Token: SeRestorePrivilege	4728	powershell.exe
Token: SeShutdownPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeSystemEnvironmentPrivilege	4728	powershell.exe
Token: SeRemoteShutdownPrivilege	4728	powershell.exe
Token: SeUndockPrivilege	4728	powershell.exe
Token: SeManageVolumePrivilege	4728	powershell.exe
Token: 33	4728	powershell.exe
Token: 34	4728	powershell.exe
Token: 35	4728	powershell.exe
Token: 36	4728	powershell.exe
Token: SeIncreaseQuotaPrivilege	2532	powershell.exe
Token: SeSecurityPrivilege	2532	powershell.exe
Token: SeTakeOwnershipPrivilege	2532	powershell.exe
Token: SeLoadDriverPrivilege	2532	powershell.exe
Token: SeSystemProfilePrivilege	2532	powershell.exe
Token: SeSystemtimePrivilege	2532	powershell.exe
Token: SeProfSingleProcessPrivilege	2532	powershell.exe
Token: SeIncBasePriorityPrivilege	2532	powershell.exe
Token: SeCreatePagefilePrivilege	2532	powershell.exe
Token: SeBackupPrivilege	2532	powershell.exe
Token: SeRestorePrivilege	2532	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1748	5072	RealtimeBoard.exe	85
PID 5072 wrote to memory of 1748	5072	RealtimeBoard.exe	85
PID 1748 wrote to memory of 3424	1748	Miro.exe	86
PID 1748 wrote to memory of 3424	1748	Miro.exe	86
PID 3424 wrote to memory of 1908	3424	cmd.exe	88
PID 3424 wrote to memory of 1908	3424	cmd.exe	88
PID 1748 wrote to memory of 2992	1748	Miro.exe	89
PID 1748 wrote to memory of 2992	1748	Miro.exe	89
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 528	1748	Miro.exe	90
PID 1748 wrote to memory of 1472	1748	Miro.exe	91
PID 1748 wrote to memory of 1472	1748	Miro.exe	91
PID 1748 wrote to memory of 2384	1748	Miro.exe	92
PID 1748 wrote to memory of 2384	1748	Miro.exe	92
PID 1748 wrote to memory of 664	1748	Miro.exe	93
PID 1748 wrote to memory of 664	1748	Miro.exe	93
PID 1748 wrote to memory of 4728	1748	Miro.exe	94
PID 1748 wrote to memory of 4728	1748	Miro.exe	94
PID 1748 wrote to memory of 2532	1748	Miro.exe	95
PID 1748 wrote to memory of 2532	1748	Miro.exe	95
PID 1748 wrote to memory of 1300	1748	Miro.exe	96
PID 1748 wrote to memory of 1300	1748	Miro.exe	96
PID 1748 wrote to memory of 4416	1748	Miro.exe	97
PID 1748 wrote to memory of 4416	1748	Miro.exe	97
PID 1748 wrote to memory of 4448	1748	Miro.exe	98
PID 1748 wrote to memory of 4448	1748	Miro.exe	98
PID 1748 wrote to memory of 2500	1748	Miro.exe	108
PID 1748 wrote to memory of 2500	1748	Miro.exe	108
PID 1748 wrote to memory of 5028	1748	Miro.exe	109
PID 1748 wrote to memory of 5028	1748	Miro.exe	109
PID 1748 wrote to memory of 1068	1748	Miro.exe	110
PID 1748 wrote to memory of 1068	1748	Miro.exe	110
PID 1748 wrote to memory of 2540	1748	Miro.exe	111
PID 1748 wrote to memory of 2540	1748	Miro.exe	111
PID 1748 wrote to memory of 4608	1748	Miro.exe	112
PID 1748 wrote to memory of 4608	1748	Miro.exe	112

C:\Users\Admin\AppData\Local\Temp\RealtimeBoard.exe
"C:\Users\Admin\AppData\Local\Temp\RealtimeBoard.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\Miro.exe
  "C:\Users\Admin\AppData\Local\Temp\Miro.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:1908
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    C:\Users\Admin\AppData\Local\Temp\Miro.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\RealtimeBoard /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\RealtimeBoard\Crashpad --url=https://f.a.k/e --annotation=_productName=RealtimeBoard --annotation=_version=0.8.68 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=30.0.2 --initial-client-data=0x520,0x524,0x528,0x514,0x52c,0x7ff615050e58,0x7ff615050e64,0x7ff615050e70
    3⤵
    PID:2992
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1856,i,7077646927744612257,7617783868563141524,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1828 /prefetch:2
    3⤵
    PID:528
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2028,i,7077646927744612257,7617783868563141524,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2020 /prefetch:3
    3⤵
    PID:1472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=3008,i,7077646927744612257,7617783868563141524,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3004 /prefetch:1
    3⤵
    PID:2500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4280
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3472,i,7077646927744612257,7617783868563141524,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:1
    3⤵
    PID:3960
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3428,i,7077646927744612257,7617783868563141524,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3456 /prefetch:1
    3⤵
    PID:3608
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3508,i,7077646927744612257,7617783868563141524,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3668 /prefetch:1
    3⤵
    PID:4500
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3572,i,7077646927744612257,7617783868563141524,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3672 /prefetch:1
    3⤵
    PID:624
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3036,i,7077646927744612257,7617783868563141524,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3084 /prefetch:1
    3⤵
    PID:2268
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --enable-blink-features --disable-blink-features --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3784,i,7077646927744612257,7617783868563141524,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3780 /prefetch:1
    3⤵
    PID:4660
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=924,i,7077646927744612257,7617783868563141524,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3764 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7a1e03fe1039bf494d77070f2c583626

SHA1
bb6b31d644873fea13cb3c37e6225670b5682c8b

SHA256
53bb6e31c2534c61d2bb23c0ef4d9550c1b9361610bd01ef1816a97297147ed2

SHA512
e45c36ab8a4ba0c84783b2ddb2c26a9ab66cd5d26f1f0999b1288656288b1f8f33922a92c05641e6dfad03fac708525a1a37815d8ce1088ed0c72217e2f82827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8fb51ba590bd534a6d0ae0093c552a74

SHA1
53dec2b84b3bb61c5978b3909e3df6f4ac10776c

SHA256
297170c78414efb1293f1ee6451fee46162771a2a17ca4c9901cc1edd2712443

SHA512
d54bc1311220608cac5d1de1ac89784dd9c084e3b278b8d311aa71f91bc44f6e726858ed697fd6b54bbe3dd61f5a3ef7ad42b24c92c0d2b21ad444e7217321d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
14b7be381e7661f431779bbe048dfef9

SHA1
920ee805cc4dab4fec17dc723ae06edc6751c85c

SHA256
7287ebb4edd2f6b7a644f5e0805cf6074bedd05de26b6c6b3ce49d4022907a56

SHA512
a7a39d16494d0a1b50abe7b6dab5977a85c46bde5f2f988580cbbc628171a9606659312d78e328fe10ae0f124152f8b759add849654ab503135decc5c7886584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
15cda6ea2afb03c187b69320a18d6ed1

SHA1
786518529ca5c242938f53b672f36b6ec7b2ac4a

SHA256
34d842739a4f4d574d9eef4085cb65c4b09661dd24ece726e6d8b00fe5964260

SHA512
4cd16d61b1109ac5803a3e9c00def9a0473505f8786eb18b6c63c92cd744255ebfd3ba59afa6c28a5f5b88fffa1bbeaa83688f5827d82bfe267a80606c49e455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
96ca7ea2d369d7f4caf2fc5c6691f22d

SHA1
48e943c1f01ad69264c06e1a3553c1448407254a

SHA256
91e940b94ed753996c117f479e9ddbed052f82cb3042f30b8d2a7bd844400a48

SHA512
0d661d817e3f2f7f114d4267b46b12c821a4a24a83f6a0f3d05f440fa91f4a8f87bae4b59a1a5d8cae145c406401b78baa6ef7f5478c53ea05d666973a055a45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7bc3461a383f3dc2ba38f92f82c08200

SHA1
19f73f5feb1c674bf2167703067fb62fcc41cfae

SHA256
81319228a4470e0c00f09a4bd7d9496281f570db08ae0800a9a076bd9f9c424b

SHA512
13074d4196c9cd90016433e24fe00ad8be3b85c6075a7757c28f47268ce5746078090d70f19848a1bd9081645955ffc387c2713bcccd14f5144d07d83112dd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sof5al1w.sow.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\09ec8091-d729-4e9f-8df5-c8e18ae5033e.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
fe0dcbea858185ceb59f2fee42822960

SHA1
55f996b55e627e1b2f90abe6277ff2b026503534

SHA256
22b07085cbf5298c89e982a25dff7af03cb17ddf873e4dd01f8e5168942106d8

SHA512
f5c43afba4ec56cebc2dc3623466ee8f3237162e64aaacf8a15e3f23a533ee2200eb4bbdafa56ba2e34eecfd0add3d4aff1b94775a75a56b76495d0052146029

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
f3708e2eb341501f979bfce5fd8ddc8e

SHA1
b195ced89b2f755055c46eae9425804278a8c2c7

SHA256
c69bb3309296b1a632cfa535c6b96b0d5f46766c14c872bc4a2be9b9dc294ab9

SHA512
ec3ab62151074a5452afeae5cee5529974127eabcc051068dc10f363fe4ae9321c5d76c854a9b015e20b62788415b32fed5f5fd526b01b7b43fd64bee9cd7e20

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\Network Persistent State

Filesize
2KB

MD5
b417ff3e6c7f7dfa1008ededaf48586f

SHA1
e1befd4cca3872dd50dad56c06b3faba8196cdda

SHA256
7d11fb811c93475358b7a6c2d400061a638fac9950aa5e65d881b3787a087feb

SHA512
1d2af940421107cef1d2ee720d3fb6a1045d385cded7de1270ba47701e43745c802f543bfbad26ca348f71223c81abf2fba8b624e8850d68f9185f0c3a5ae559

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\Network Persistent State

Filesize
2KB

MD5
4b7f8e0f3ae530de3590b5d1a8cd7310

SHA1
cdec6586263bd4a4723d1ccf8f7d14e7392f8b04

SHA256
cc5cb5a7c54b60110f1d9b7985c1dcdbd8dbd6cfe396beac12cfe907037881d9

SHA512
b2aca687e32c9b9f68613fd6fed22c96f00d227ac9d6806edce039c7c281a3d82650e3bdfc21265848450113c4b9dc4cce20f505cf28abb0c11fad8eb1494528

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\Network Persistent State~RFe581ad6.TMP

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\TransportSecurity

Filesize
1KB

MD5
4ed766cf714594b00cbd9049b3ef2f5f

SHA1
00b9c652d33096a5c9fa9f5048d7dbc92507e35b

SHA256
ce00340251779790d01283e9766fb7b91bd96f93c0d732a3a7e0894e84534958

SHA512
17d22402bf89edbaa4e6af2e6bd7b1aca5e4eb52eb639703f2fafbcdc8b437b9057508a0e45ab173b5b34b45d47b80eee0bd66cd09bce7afa9104c7f71435ae7

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\TransportSecurity

Filesize
1KB

MD5
417b33d199bd2e7163742f0f49b1b6b4

SHA1
4433beebe23f9ceee48cc39ea1666889a7cb93f5

SHA256
bc0dfca50ddfd0e01340be587d262d3e192e9cf28b060c38305950572c51478d

SHA512
b9531508482d3a42361744b316f547fb4bcbea7e1ac54cd674b7808e4b90da6d0ba0309fc104c116085955f63cb309781c56d6f427a5f25d0a4dbfd2a99571fa

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\TransportSecurity

Filesize
1KB

MD5
121fbb51088204c1327a4c7809230eba

SHA1
c7a1761abb97b21fcd236285f0c2bd1dd83c92d5

SHA256
a87167e88c4b9be403a4bcbcd378e76b97680fea32b0d534f88e5be6ba288217

SHA512
4429a2dd80c83f713e4b377d92e415aa29b87e930a303f60f204005f060679035dcb650046104a9a6383d2a497663ec2e93b017f467378e38d930d07c46a72d6

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\TransportSecurity~RFe583d04.TMP

Filesize
1024B

MD5
61bb029e3e467f0ef532981be2b1fea6

SHA1
168e727b7f9a0a703354c130513276b266c07f4d

SHA256
a338ceb0e26d3dd44954c90efdec78105bd41075528e25a316a43cc880d82666

SHA512
3d706a417a735bf6fb61c9340f412eb58c72c6db46dce141b77c59c4f748d30266442c627c64255c4d09f701c5b2d477a5c1901ff6ab9dc5bb2b686e64253e3f

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\settings.json

Filesize
201B

MD5
dd8d798e719a89d60f6cab00bba8e394

SHA1
a1570b02c3205d2ea80853d0d2c19aa38e152881

SHA256
aa1dbee7ceefbf25248befe3e40bef9ddbac4320b7a2082f55176bd9812ee8ba

SHA512
77ada68d0b316e7794931c55dcb3f4207e1566fdcfc59602a9dcd8b8fc3bde8e5085c39505b0d85b91a5ad993f4da300cb7373c3123540e520ce64a9357a068d

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\settings.json

Filesize
182B

MD5
2a8138d260045691ba83da50e4bedb92

SHA1
e0fcd9e202cccc75a8ad30423909bd71af590052

SHA256
3b39e0204da4d06775de04046416c11d381275b5e29712e5e753af943906bbf3

SHA512
d48813886a2c10b4585509c0da24f8f9ad41aa53b0b9bb7132b86ed0526eb2cc3b1cb16e53a7535a34e926ac52e0afc63844a1267fa2ac2c403e3295d932abd6

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\settings.json

Filesize
283B

MD5
3bb82f62f2ae2eccdc8db2a026c63d28

SHA1
34fb0617a3e76f93fe89aab702ea14b048ecea6e

SHA256
80e7283b4901ceede0b47b71b2f0b750ed84b1aebcd9ef8b9d5b352b1088e38c

SHA512
ea0edd5074952ff824e10d62f4592409637b3bf79bcf0e42d81cf0cba1fdbfb78e5899c24fe225cb2205af67aaea2801100772125ef9d81954705c205e951b24

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\settings.json

Filesize
221B

MD5
d06446b006cd179794cc818f99268e47

SHA1
64e33416d072eb99f03ac6c8dcfa7d0d2e3a2a55

SHA256
2ce0addd87b732fec8df0982ad05c61b103826065cb33bac52a346a76361c295

SHA512
a47256fb09fb41c93d025ad16c7167a548af11bb73cab274fa20c8f07c905cfa538c928bad244d2670de9c801026470a7e09c5726213e2150fe9828059f8c214

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\settings.json

Filesize
139B

MD5
e7b2933fbfb7f6e4e6114c025500fcee

SHA1
c3c7e3f37b5ef4dc933199c6e660081bee98c2c7

SHA256
bef7467620457cf0aff69b43b97f19ce40a7c104994b874c66bc1195454924ba

SHA512
72061b135929a9fce7437d671e5ea5ac588afe40a3425713ab92a74c2c0d162a5ba5afbeb4614f14e3e7dca31d62f5fdd9aea3e8015eb7c3b6ae909f82d169f7

Download Submit
memory/1752-488-0x00000178C8B40000-0x00000178C8B41000-memory.dmp

Filesize
4KB

Download
memory/1752-487-0x00000178C8B40000-0x00000178C8B41000-memory.dmp

Filesize
4KB

Download
memory/1752-489-0x00000178C8B40000-0x00000178C8B41000-memory.dmp

Filesize
4KB

Download
memory/1752-490-0x00000178C8B40000-0x00000178C8B41000-memory.dmp

Filesize
4KB

Download
memory/1752-491-0x00000178C8B40000-0x00000178C8B41000-memory.dmp

Filesize
4KB

Download
memory/1752-492-0x00000178C8B40000-0x00000178C8B41000-memory.dmp

Filesize
4KB

Download
memory/1752-480-0x00000178C8B40000-0x00000178C8B41000-memory.dmp

Filesize
4KB

Download
memory/1752-482-0x00000178C8B40000-0x00000178C8B41000-memory.dmp

Filesize
4KB

Download
memory/1752-481-0x00000178C8B40000-0x00000178C8B41000-memory.dmp

Filesize
4KB

Download
memory/1752-486-0x00000178C8B40000-0x00000178C8B41000-memory.dmp

Filesize
4KB

Download
memory/2532-115-0x000001D475AC0000-0x000001D475B36000-memory.dmp

Filesize
472KB

Download
memory/2532-114-0x000001D475630000-0x000001D475674000-memory.dmp

Filesize
272KB

Download
memory/4416-122-0x0000025D436D0000-0x0000025D436FA000-memory.dmp

Filesize
168KB

Download
memory/4416-123-0x0000025D436D0000-0x0000025D436F4000-memory.dmp

Filesize
144KB

Download
memory/4416-53-0x0000025D434A0000-0x0000025D434C2000-memory.dmp

Filesize
136KB

Download
memory/4660-434-0x00007FF854590000-0x00007FF854591000-memory.dmp

Filesize
4KB

Download
memory/4660-435-0x00007FF854C80000-0x00007FF854C81000-memory.dmp

Filesize
4KB

Download
memory/5072-0-0x000000007522E000-0x000000007522F000-memory.dmp

Filesize
4KB

Download
memory/5072-1-0x0000000000570000-0x0000000000596000-memory.dmp

Filesize
152KB

Download