Overview

overview

10

Static

static

3

02db784841...6N.exe

windows7-x64

10

02db784841...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2024 22:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe

  • Size

    4.9MB

  • MD5

    9f28672d5f9616c0ba11631392dbf180

  • SHA1

    fdfb05bd604067b16bdf10aa0e98530424ab0b0d

  • SHA256

    02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666

  • SHA512

    bfa229a6c0aea13eb148f2f78b5de7cd1d035b474c1508c4c9bfe12739dc0006052a2f7d441bb0ea2760b02db170bb55a2090760e5c3869f608137a1982cce9b

  • SSDEEP

    49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 36 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 12 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 40 IoCs
  • Checks whether UAC is enabled 1 TTPs 24 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 11 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 12 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 36 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
    "C:\Users\Admin\AppData\Local\Temp\02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3024
    • C:\Users\Admin\AppData\Local\Temp\tmpE284.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE284.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Users\Admin\AppData\Local\Temp\tmpE284.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpE284.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:4640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4900
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2280
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:532
    • C:\Users\Default User\winlogon.exe
      "C:\Users\Default User\winlogon.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:60
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1add5cea-9c11-4278-99f1-684f9d0f7fc4.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1128
        • C:\Users\Default User\winlogon.exe
          "C:\Users\Default User\winlogon.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2860
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d6d2066-c537-45b3-989a-ab1da1fcc372.vbs"
            5⤵
              PID:2188
              • C:\Users\Default User\winlogon.exe
                "C:\Users\Default User\winlogon.exe"
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:4936
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3378a566-96c6-44b0-ad25-d2f0479ff720.vbs"
                  7⤵
                    PID:4484
                    • C:\Users\Default User\winlogon.exe
                      "C:\Users\Default User\winlogon.exe"
                      8⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • System policy modification
                      PID:1488
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e52a588-cf4f-4853-853b-bc9e0efc4307.vbs"
                        9⤵
                          PID:2680
                          • C:\Users\Default User\winlogon.exe
                            "C:\Users\Default User\winlogon.exe"
                            10⤵
                            • UAC bypass
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • System policy modification
                            PID:4656
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38c7f4b7-e9d2-4f36-a5c7-69d236731373.vbs"
                              11⤵
                                PID:4708
                                • C:\Users\Default User\winlogon.exe
                                  "C:\Users\Default User\winlogon.exe"
                                  12⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • System policy modification
                                  PID:3580
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e543ad5-4558-4b9a-9ba1-6ede98a93318.vbs"
                                    13⤵
                                      PID:2036
                                      • C:\Users\Default User\winlogon.exe
                                        "C:\Users\Default User\winlogon.exe"
                                        14⤵
                                        • UAC bypass
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • System policy modification
                                        PID:4436
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbf6a50b-dada-448c-93d9-74dc53307453.vbs"
                                          15⤵
                                            PID:4160
                                            • C:\Users\Default User\winlogon.exe
                                              "C:\Users\Default User\winlogon.exe"
                                              16⤵
                                              • UAC bypass
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • System policy modification
                                              PID:1840
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c64d567c-a0ec-4821-8a31-81d96c79592e.vbs"
                                                17⤵
                                                  PID:2508
                                                  • C:\Users\Default User\winlogon.exe
                                                    "C:\Users\Default User\winlogon.exe"
                                                    18⤵
                                                    • UAC bypass
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:2316
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f17fc679-8f2d-45b8-a42b-05de9e535052.vbs"
                                                      19⤵
                                                        PID:316
                                                        • C:\Users\Default User\winlogon.exe
                                                          "C:\Users\Default User\winlogon.exe"
                                                          20⤵
                                                          • UAC bypass
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • System policy modification
                                                          PID:544
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e4eda68-4b20-47bd-b701-486b2b4e36b0.vbs"
                                                            21⤵
                                                              PID:336
                                                              • C:\Users\Default User\winlogon.exe
                                                                "C:\Users\Default User\winlogon.exe"
                                                                22⤵
                                                                • UAC bypass
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Checks whether UAC is enabled
                                                                • Modifies registry class
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • System policy modification
                                                                PID:824
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c3c6853-c34e-485e-b99e-63641ba4ac34.vbs"
                                                                  23⤵
                                                                    PID:1052
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\469c222e-1133-4620-ae8e-3c217697c571.vbs"
                                                                    23⤵
                                                                      PID:4800
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp95FD.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp95FD.tmp.exe"
                                                                      23⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4904
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp95FD.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp95FD.tmp.exe"
                                                                        24⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:3496
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp95FD.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp95FD.tmp.exe"
                                                                          25⤵
                                                                          • Executes dropped EXE
                                                                          PID:3868
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f378b488-fcd6-4544-9be1-87f9531e3a40.vbs"
                                                                  21⤵
                                                                    PID:4368
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp799B.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp799B.tmp.exe"
                                                                    21⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:4192
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp799B.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp799B.tmp.exe"
                                                                      22⤵
                                                                      • Executes dropped EXE
                                                                      PID:1796
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a897fc3-34a0-4ddd-871b-2af3a8fe1a42.vbs"
                                                                19⤵
                                                                  PID:3880
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp49A2.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp49A2.tmp.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:1436
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp49A2.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp49A2.tmp.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    PID:2400
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f286df80-17a3-4555-8cfe-127c93d60686.vbs"
                                                              17⤵
                                                                PID:1748
                                                              • C:\Users\Admin\AppData\Local\Temp\tmp2C75.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmp2C75.tmp.exe"
                                                                17⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:3328
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp2C75.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp2C75.tmp.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2676
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp2C75.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp2C75.tmp.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    PID:4064
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4d25d73-729e-4594-bd3f-7b9ef88e449a.vbs"
                                                            15⤵
                                                              PID:740
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpFB72.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpFB72.tmp.exe"
                                                              15⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2152
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpFB72.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpFB72.tmp.exe"
                                                                16⤵
                                                                • Executes dropped EXE
                                                                PID:1768
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0df2237-b606-42c7-bf37-6700e28d50f9.vbs"
                                                          13⤵
                                                            PID:368
                                                          • C:\Users\Admin\AppData\Local\Temp\tmpDE93.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmpDE93.tmp.exe"
                                                            13⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:544
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpDE93.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpDE93.tmp.exe"
                                                              14⤵
                                                              • Executes dropped EXE
                                                              PID:3332
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4815c372-d822-416a-8f72-daf82107df45.vbs"
                                                        11⤵
                                                          PID:4204
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9428e6d-2e8a-4ada-bd14-c54f64ba1242.vbs"
                                                      9⤵
                                                        PID:856
                                                      • C:\Users\Admin\AppData\Local\Temp\tmp7D59.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmp7D59.tmp.exe"
                                                        9⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4424
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp7D59.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp7D59.tmp.exe"
                                                          10⤵
                                                          • Executes dropped EXE
                                                          PID:1136
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91d004dd-dd3e-4d37-b8eb-013efed6d426.vbs"
                                                    7⤵
                                                      PID:4912
                                                    • C:\Users\Admin\AppData\Local\Temp\tmp4E2B.tmp.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\tmp4E2B.tmp.exe"
                                                      7⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      PID:1292
                                                      • C:\Users\Admin\AppData\Local\Temp\tmp4E2B.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmp4E2B.tmp.exe"
                                                        8⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4788
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp4E2B.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp4E2B.tmp.exe"
                                                          9⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2648
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp4E2B.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp4E2B.tmp.exe"
                                                            10⤵
                                                            • Executes dropped EXE
                                                            PID:1536
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8896b4d9-d514-4f10-8557-992c2a49d81f.vbs"
                                                  5⤵
                                                    PID:4900
                                                  • C:\Users\Admin\AppData\Local\Temp\tmp1DB4.tmp.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\tmp1DB4.tmp.exe"
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:3580
                                                    • C:\Users\Admin\AppData\Local\Temp\tmp1DB4.tmp.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\tmp1DB4.tmp.exe"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      • System Location Discovery: System Language Discovery
                                                      PID:1552
                                                      • C:\Users\Admin\AppData\Local\Temp\tmp1DB4.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmp1DB4.tmp.exe"
                                                        7⤵
                                                        • Executes dropped EXE
                                                        PID:4204
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5eb73b10-e024-4312-b447-89ceeb7f976e.vbs"
                                                3⤵
                                                  PID:1108
                                                • C:\Users\Admin\AppData\Local\Temp\tmpFD3C.tmp.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\tmpFD3C.tmp.exe"
                                                  3⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:4072
                                                  • C:\Users\Admin\AppData\Local\Temp\tmpFD3C.tmp.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\tmpFD3C.tmp.exe"
                                                    4⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:3156
                                                    • C:\Users\Admin\AppData\Local\Temp\tmpFD3C.tmp.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\tmpFD3C.tmp.exe"
                                                      5⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:3856
                                                      • C:\Users\Admin\AppData\Local\Temp\tmpFD3C.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmpFD3C.tmp.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        PID:3368
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\sysmon.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2664
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1964
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:684
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Default\OfficeClickToRun.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3588
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\OfficeClickToRun.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4192
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\OfficeClickToRun.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4928
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:64
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4072
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2308
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2256
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4208
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:892
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2584
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2276
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3324
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2932
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1488
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2960

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
                                              Filesize

                                              4.9MB

                                              MD5

                                              9f28672d5f9616c0ba11631392dbf180

                                              SHA1

                                              fdfb05bd604067b16bdf10aa0e98530424ab0b0d

                                              SHA256

                                              02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666

                                              SHA512

                                              bfa229a6c0aea13eb148f2f78b5de7cd1d035b474c1508c4c9bfe12739dc0006052a2f7d441bb0ea2760b02db170bb55a2090760e5c3869f608137a1982cce9b

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                              Filesize

                                              2KB

                                              MD5

                                              d85ba6ff808d9e5444a4b369f5bc2730

                                              SHA1

                                              31aa9d96590fff6981b315e0b391b575e4c0804a

                                              SHA256

                                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                              SHA512

                                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log
                                              Filesize

                                              1KB

                                              MD5

                                              4a667f150a4d1d02f53a9f24d89d53d1

                                              SHA1

                                              306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                              SHA256

                                              414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                              SHA512

                                              4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize

                                              944B

                                              MD5

                                              d28a889fd956d5cb3accfbaf1143eb6f

                                              SHA1

                                              157ba54b365341f8ff06707d996b3635da8446f7

                                              SHA256

                                              21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                              SHA512

                                              0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize

                                              944B

                                              MD5

                                              59d97011e091004eaffb9816aa0b9abd

                                              SHA1

                                              1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

                                              SHA256

                                              18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

                                              SHA512

                                              d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize

                                              944B

                                              MD5

                                              cadef9abd087803c630df65264a6c81c

                                              SHA1

                                              babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                              SHA256

                                              cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                              SHA512

                                              7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize

                                              944B

                                              MD5

                                              3a6bad9528f8e23fb5c77fbd81fa28e8

                                              SHA1

                                              f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                              SHA256

                                              986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                              SHA512

                                              846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1add5cea-9c11-4278-99f1-684f9d0f7fc4.vbs
                                              Filesize

                                              708B

                                              MD5

                                              ab4a33133d1dd905b8acaa449e6baa36

                                              SHA1

                                              1c5ad27d88f6cf0f6c5944b7b357c3871fd08918

                                              SHA256

                                              261a7c7569fe5cf4b88e441b8cd2497e2ca82d4b9978c69b6a335a2db224be09

                                              SHA512

                                              21be9469f6d01cd20076ee8f2cec9e0b5750df7dc79659f38f94ac799f3ea1c1ae0b402336e17115d678297ad88b416393182585327618788c3efe85c89cee41

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\2e543ad5-4558-4b9a-9ba1-6ede98a93318.vbs
                                              Filesize

                                              710B

                                              MD5

                                              b1ad0e57799b6573461622245d9ded44

                                              SHA1

                                              7ab143d86958f3860c700ac42564a6976216b432

                                              SHA256

                                              8f240d1f6448580b05b7ca338fb8b30e7dff14a27f582a20dcece24e8031605a

                                              SHA512

                                              aca6c10affd1235135c0f53e4b2f7cb46ec3dffc0fb3bbf9fb960f018710c9e69e1b8bd0a88251447930b02293a5006fa472e6495050556a8c6b22e86309a312

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\3378a566-96c6-44b0-ad25-d2f0479ff720.vbs
                                              Filesize

                                              710B

                                              MD5

                                              92e0267927898a1c54afc7e120f4837c

                                              SHA1

                                              572e51e3ac6ecbcf42617b288bf75f6cd9e68a5d

                                              SHA256

                                              f8e02cf75724bdec7f241302c36b445cce00c3b6667a369eb7fbebfa2770dd3f

                                              SHA512

                                              a6ef46448c6e28154fa6638b3848dfa054449080a4cff73dbc7e3b7278bf0ccce64868b4f88ea868e8a050101468f0691789d497f7bd66d0b8ee68473cf85b2d

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\38c7f4b7-e9d2-4f36-a5c7-69d236731373.vbs
                                              Filesize

                                              710B

                                              MD5

                                              aa525cacc419855f1c51141ea9260522

                                              SHA1

                                              cb8697257237365dc68288ccbe06b9c67eef1925

                                              SHA256

                                              289c1dcb49ea6b772608554b5eff47c568c9cebf2eb5733495f273a89e90ee57

                                              SHA512

                                              e9e2cf1cfb94a95051ca7a3e831393814641363daddca9fa46451f6b1bd288e0dece2480bee52956626c9d0060d05539953f4cc25eb772b4a7dddf4bb29973a8

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\3e52a588-cf4f-4853-853b-bc9e0efc4307.vbs
                                              Filesize

                                              710B

                                              MD5

                                              65e4d4f47296801af297458bef0eed46

                                              SHA1

                                              7bfa4ae04b10de1863bf0da514ee166e0d3e74a5

                                              SHA256

                                              bef410c7b1332b48d97e42718aff40dbd091e9b210f9256060ad7d14b52a98e2

                                              SHA512

                                              82e4bbbdf7a0adfdfb67632fd44f7699e7d698c3167fcb60ddfdf2eb2d11951b93dff13a07306dd5fb015b9ce22d2b9a83b5b158a8ae45dc72d315b1f7868ee2

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\5eb73b10-e024-4312-b447-89ceeb7f976e.vbs
                                              Filesize

                                              486B

                                              MD5

                                              3a26a873102a2772bb9ff646f87af461

                                              SHA1

                                              fcadebe61f9068331de072cf41111b33a6158dc1

                                              SHA256

                                              d191668862918f86fd5264e4a7fcf06903ba2f395c08a46cd51fc29e952e902c

                                              SHA512

                                              9fa8fea05b74ed2bf9af12e9109a38b9c4498ddcb00fdccea36c4c6fed75be71fdd73cd80cf34b8d55d0e0eb7827231cf4ada51893fcfaaeec94c9a55915fdcd

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\8d6d2066-c537-45b3-989a-ab1da1fcc372.vbs
                                              Filesize

                                              710B

                                              MD5

                                              8e245ba6d1777a21408ffec44b582440

                                              SHA1

                                              e85fc9620485243c1f89acf22a8dd756d1a4e0f2

                                              SHA256

                                              f790f1265fbcc8e347b840396db6fefc8a291e1f4c07ba051b36204940321a56

                                              SHA512

                                              56ae280cc6878d243cea60d1170faf013a03a74feffba9dfacbb79f13f0036b1d11202c7082e0d0a52d3500c588b1e042bb261743dbb4f6d389ef9d891d0f97d

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkw4dqks.uuq.ps1
                                              Filesize

                                              60B

                                              MD5

                                              d17fe0a3f47be24a6453e9ef58c94641

                                              SHA1

                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                              SHA256

                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                              SHA512

                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\dbf6a50b-dada-448c-93d9-74dc53307453.vbs
                                              Filesize

                                              710B

                                              MD5

                                              1bf3bf319de872ea91870f40d5e24b1b

                                              SHA1

                                              096bc2af6657477270abe262bdfd98aef7ebb27b

                                              SHA256

                                              83bbc8389a6e77654a12df4fa1b568d03dbc060023ffea61cdec8d88cda581f3

                                              SHA512

                                              faf3e9a9f709486ecc877592fc8c0d04641abfadb54b6450483f7303a078ef1ef928fad774377f349339366c276357a904f6c7a7a7d2a9b9258ccbd6144d80bf

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\tmpE284.tmp.exe
                                              Filesize

                                              75KB

                                              MD5

                                              e0a68b98992c1699876f818a22b5b907

                                              SHA1

                                              d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                              SHA256

                                              2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                              SHA512

                                              856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                              Download Submit

                                            • C:\Users\Default\winlogon.exe
                                              Filesize

                                              4.9MB

                                              MD5

                                              f1f0316ef3a643a94702278122dbd4d0

                                              SHA1

                                              93794f1a59ece43fd505010bbc473acd0e76d42c

                                              SHA256

                                              bde00155daa15e75f71558e54cacd46b7c639c0b173ece2e8fc8191f24392927

                                              SHA512

                                              ade3493a659cc8ab692003cde8756d003dd6b70ec98c5cddac52051e5779ee70f46273f4ca744fcf161b71096493b2fb42e82ee59e7c9a5bb083ae9c97b35f16

                                              Download Submit

                                            • memory/60-260-0x000000001C050000-0x000000001C062000-memory.dmp

                                              Filesize

                                              72KB

                                              Download

                                            • memory/60-247-0x0000000000EB0000-0x00000000013A4000-memory.dmp

                                              Filesize

                                              5.0MB

                                              Download

                                            • memory/3024-6-0x0000000001C70000-0x0000000001C78000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/3024-16-0x000000001C290000-0x000000001C298000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/3024-0-0x00007FFD088B3000-0x00007FFD088B5000-memory.dmp

                                              Filesize

                                              8KB

                                              Download

                                            • memory/3024-1-0x0000000000F50000-0x0000000001444000-memory.dmp

                                              Filesize

                                              5.0MB

                                              Download

                                            • memory/3024-14-0x000000001C270000-0x000000001C27E000-memory.dmp

                                              Filesize

                                              56KB

                                              Download

                                            • memory/3024-18-0x000000001C9F0000-0x000000001C9FC000-memory.dmp

                                              Filesize

                                              48KB

                                              Download

                                            • memory/3024-248-0x00007FFD088B0000-0x00007FFD09371000-memory.dmp

                                              Filesize

                                              10.8MB

                                              Download

                                            • memory/3024-15-0x000000001C280000-0x000000001C28E000-memory.dmp

                                              Filesize

                                              56KB

                                              Download

                                            • memory/3024-13-0x000000001C210000-0x000000001C21A000-memory.dmp

                                              Filesize

                                              40KB

                                              Download

                                            • memory/3024-12-0x000000001CF20000-0x000000001D448000-memory.dmp

                                              Filesize

                                              5.2MB

                                              Download

                                            • memory/3024-11-0x000000001C200000-0x000000001C212000-memory.dmp

                                              Filesize

                                              72KB

                                              Download

                                            • memory/3024-2-0x00007FFD088B0000-0x00007FFD09371000-memory.dmp

                                              Filesize

                                              10.8MB

                                              Download

                                            • memory/3024-10-0x000000001C1F0000-0x000000001C1FA000-memory.dmp

                                              Filesize

                                              40KB

                                              Download

                                            • memory/3024-8-0x000000001C1D0000-0x000000001C1E6000-memory.dmp

                                              Filesize

                                              88KB

                                              Download

                                            • memory/3024-9-0x0000000001E30000-0x0000000001E40000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/3024-17-0x000000001C2A0000-0x000000001C2A8000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/3024-7-0x0000000001E20000-0x0000000001E30000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/3024-5-0x000000001C220000-0x000000001C270000-memory.dmp

                                              Filesize

                                              320KB

                                              Download

                                            • memory/3024-4-0x0000000001C40000-0x0000000001C5C000-memory.dmp

                                              Filesize

                                              112KB

                                              Download

                                            • memory/3024-3-0x000000001C2C0000-0x000000001C3EE000-memory.dmp

                                              Filesize

                                              1.2MB

                                              Download

                                            • memory/4636-141-0x000001A8EBCC0000-0x000001A8EBCE2000-memory.dmp

                                              Filesize

                                              136KB

                                              Download

                                            • memory/4640-64-0x0000000000400000-0x0000000000407000-memory.dmp

                                              Filesize

                                              28KB

                                              Download