darkvision | e545c5728ec3ad44feaecb13c8caac5f4b899418281ea83df17048e787dcb531

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e545c5728ec3ad44feaecb13c8caac5f4b899418281ea83df17048e787dcb531.exe
Size

4.0MB
MD5

2eea32819c249793a43de83f9a2b93ac
SHA1

3e072c7633fae2f149e25b96e3b3315f94428fee
SHA256

e545c5728ec3ad44feaecb13c8caac5f4b899418281ea83df17048e787dcb531
SHA512

0c0ad3832bc2e41edf8d99577d97c011c18a9c86fd187e27ee8986f376f284316b1b78f900aa4e31a4e532151f67e9426945afd0a1433eb30a260c71e407c4b5
SSDEEP

49152:qT0IGMXuq88wrAyCRMMxmB/s4tx4zL3rEC3/eaQ6uQsI35UkiSOINRH:S5sNAkssuYC3bsI354SnH

Score

10^/10

darkvision execution rat

Malware Config

Extracted

Family

darkvision

powercycle.ddns.net

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2124	powershell.exe
2256	powershell.exe

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sanjayelectricals.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e545c5728ec3ad44feaecb13c8caac5f4b899418281ea83df17048e787dcb531.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sanjayelectricals.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e545c5728ec3ad44feaecb13c8caac5f4b899418281ea83df17048e787dcb531.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 33 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
4872	sanjayelectricals.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2124	powershell.exe
2124	powershell.exe
2256	powershell.exe
2256	powershell.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe
4872	sanjayelectricals.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 1888	4300	e545c5728ec3ad44feaecb13c8caac5f4b899418281ea83df17048e787dcb531.exe	83
PID 4300 wrote to memory of 1888	4300	e545c5728ec3ad44feaecb13c8caac5f4b899418281ea83df17048e787dcb531.exe	83
PID 4300 wrote to memory of 4872	4300	e545c5728ec3ad44feaecb13c8caac5f4b899418281ea83df17048e787dcb531.exe	85
PID 4300 wrote to memory of 4872	4300	e545c5728ec3ad44feaecb13c8caac5f4b899418281ea83df17048e787dcb531.exe	85
PID 1888 wrote to memory of 2124	1888	cmd.exe	86
PID 1888 wrote to memory of 2124	1888	cmd.exe	86
PID 4872 wrote to memory of 4752	4872	sanjayelectricals.exe	87
PID 4872 wrote to memory of 4752	4872	sanjayelectricals.exe	87
PID 4872 wrote to memory of 2924	4872	sanjayelectricals.exe	89
PID 4872 wrote to memory of 2924	4872	sanjayelectricals.exe	89
PID 4752 wrote to memory of 2256	4752	cmd.exe	90
PID 4752 wrote to memory of 2256	4752	cmd.exe	90
PID 4872 wrote to memory of 3224	4872	sanjayelectricals.exe	91
PID 4872 wrote to memory of 3224	4872	sanjayelectricals.exe	91
PID 4872 wrote to memory of 2844	4872	sanjayelectricals.exe	99
PID 4872 wrote to memory of 2844	4872	sanjayelectricals.exe	99
PID 4872 wrote to memory of 3560	4872	sanjayelectricals.exe	104
PID 4872 wrote to memory of 3560	4872	sanjayelectricals.exe	104
PID 4872 wrote to memory of 2396	4872	sanjayelectricals.exe	110
PID 4872 wrote to memory of 2396	4872	sanjayelectricals.exe	110
PID 4872 wrote to memory of 3324	4872	sanjayelectricals.exe	112
PID 4872 wrote to memory of 3324	4872	sanjayelectricals.exe	112
PID 4872 wrote to memory of 208	4872	sanjayelectricals.exe	115
PID 4872 wrote to memory of 208	4872	sanjayelectricals.exe	115
PID 4872 wrote to memory of 4472	4872	sanjayelectricals.exe	120
PID 4872 wrote to memory of 4472	4872	sanjayelectricals.exe	120
PID 4872 wrote to memory of 2748	4872	sanjayelectricals.exe	122
PID 4872 wrote to memory of 2748	4872	sanjayelectricals.exe	122
PID 4872 wrote to memory of 2228	4872	sanjayelectricals.exe	125
PID 4872 wrote to memory of 2228	4872	sanjayelectricals.exe	125
PID 4872 wrote to memory of 4480	4872	sanjayelectricals.exe	127
PID 4872 wrote to memory of 4480	4872	sanjayelectricals.exe	127
PID 4872 wrote to memory of 4348	4872	sanjayelectricals.exe	129
PID 4872 wrote to memory of 4348	4872	sanjayelectricals.exe	129
PID 4872 wrote to memory of 1004	4872	sanjayelectricals.exe	132
PID 4872 wrote to memory of 1004	4872	sanjayelectricals.exe	132
PID 4872 wrote to memory of 4688	4872	sanjayelectricals.exe	134
PID 4872 wrote to memory of 4688	4872	sanjayelectricals.exe	134
PID 4872 wrote to memory of 4844	4872	sanjayelectricals.exe	136
PID 4872 wrote to memory of 4844	4872	sanjayelectricals.exe	136
PID 4872 wrote to memory of 2600	4872	sanjayelectricals.exe	139
PID 4872 wrote to memory of 2600	4872	sanjayelectricals.exe	139
PID 4872 wrote to memory of 1348	4872	sanjayelectricals.exe	141
PID 4872 wrote to memory of 1348	4872	sanjayelectricals.exe	141
PID 4872 wrote to memory of 464	4872	sanjayelectricals.exe	143
PID 4872 wrote to memory of 464	4872	sanjayelectricals.exe	143
PID 4872 wrote to memory of 1164	4872	sanjayelectricals.exe	146
PID 4872 wrote to memory of 1164	4872	sanjayelectricals.exe	146
PID 4872 wrote to memory of 4000	4872	sanjayelectricals.exe	148
PID 4872 wrote to memory of 4000	4872	sanjayelectricals.exe	148
PID 4872 wrote to memory of 5040	4872	sanjayelectricals.exe	150
PID 4872 wrote to memory of 5040	4872	sanjayelectricals.exe	150
PID 4872 wrote to memory of 1376	4872	sanjayelectricals.exe	153
PID 4872 wrote to memory of 1376	4872	sanjayelectricals.exe	153
PID 4872 wrote to memory of 4476	4872	sanjayelectricals.exe	155
PID 4872 wrote to memory of 4476	4872	sanjayelectricals.exe	155
PID 4872 wrote to memory of 1352	4872	sanjayelectricals.exe	157
PID 4872 wrote to memory of 1352	4872	sanjayelectricals.exe	157
PID 4872 wrote to memory of 4008	4872	sanjayelectricals.exe	160
PID 4872 wrote to memory of 4008	4872	sanjayelectricals.exe	160
PID 4872 wrote to memory of 1684	4872	sanjayelectricals.exe	162
PID 4872 wrote to memory of 1684	4872	sanjayelectricals.exe	162
PID 4872 wrote to memory of 3788	4872	sanjayelectricals.exe	164
PID 4872 wrote to memory of 3788	4872	sanjayelectricals.exe	164

C:\Users\Admin\AppData\Local\Temp\e545c5728ec3ad44feaecb13c8caac5f4b899418281ea83df17048e787dcb531.exe
"C:\Users\Admin\AppData\Local\Temp\e545c5728ec3ad44feaecb13c8caac5f4b899418281ea83df17048e787dcb531.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\exploers'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\exploers'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- C:\ProgramData\explorers\sanjayelectricals.exe
  "C:\ProgramData\explorers\sanjayelectricals.exe" {EBB5829C-DDE4-476D-85D8-35BA0C02EDEE}
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\exploers'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\exploers'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2256
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2924
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3224
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2844
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3560
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2396
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3324
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:208
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4472
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2748
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2228
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4480
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4348
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1004
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4688
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4844
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2600
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1348
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:464
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1164
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4000
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:5040
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1376
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4476
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1352
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4008
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1684
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3788
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4876
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4564
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:624
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3900
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1372
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\explorers\sanjayelectricals.exe

Filesize
4.0MB

MD5
2eea32819c249793a43de83f9a2b93ac

SHA1
3e072c7633fae2f149e25b96e3b3315f94428fee

SHA256
e545c5728ec3ad44feaecb13c8caac5f4b899418281ea83df17048e787dcb531

SHA512
0c0ad3832bc2e41edf8d99577d97c011c18a9c86fd187e27ee8986f376f284316b1b78f900aa4e31a4e532151f67e9426945afd0a1433eb30a260c71e407c4b5

Download Submit
C:\ProgramData\{BF33B405-0CE8-4E41-B2A3-84AE8BA9A2D3}\{BEA7D40B-ACEB-44F9-8B44-6E4EAD745C7A}.bat

Filesize
113B

MD5
ba26ebd2a7e9ac208959a6dcd3de5bf5

SHA1
f7655750fbbe3c86fced7937170f04528ebb5949

SHA256
96eb1bdee26f5ba4b684ced763177bd2404719ee7f2a3928828652a5e47fb001

SHA512
eee0d1384322673537168d77681837b528d0489d82b65ea273ce80af1e8182a56dadf83f9557e3005c31bef3a0f10149b2889c0bc895c7db33d8d62c369cc5c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd9152fd0fab56908fe168af91a08303

SHA1
e4e64d449aaae4e5cda388fc492ff8ee0878af24

SHA256
a78dca0d470c353064c51dbe58a9bf408c188b65d44636759aace9011f5b482e

SHA512
c29093187dcc35ba79e20c11a00ad4063cb81bf7b0bc269f3aee66f583ebece5821cf1ac8748e49247a8eb0eccf4e47f5eb4c1f8577327d8a754a807d5a4aa16

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oqmofnhw.kcm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk

Filesize
1KB

MD5
9ddd4e6c499fe46e5aa3c2aee79f82a4

SHA1
5574de8770600b7737398e447102e2cf7715e1c8

SHA256
1193f926f89ef86aacb2a7c46f57871bf0505f488842ca3afa242191c6a0ac1f

SHA512
54ba46b716febb605eb9b02f9b114cbff526a1c55ee6d36b77d12fc68a2fecece1d0039ba8f7d6109a0fa33cc37392b36f355b6b9f431b4c8d43f454236c7d01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk

Filesize
1KB

MD5
3f7044c3493da82da1dd03b38640aef9

SHA1
90c8c610d8ae121c0b91d63bf87962e9afbfac53

SHA256
d68619c31f0e9ae7934f4210a9c6418aa88fa78278d6c52351c2dc7f4194c291

SHA512
e656b5aeef55acaa107e132214df287f9ee339f40bc18801f6c52dc9c07e71c54601e8f5f0c9628f6548ca1757f8dedc7989619cca416dc28f7c8e10e0d2c5bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk

Filesize
1KB

MD5
fa814e54b292fe289ef21f37b013aa03

SHA1
8852a5fe4450b08b2e3018cd70cae1b532b846d0

SHA256
e3a2230721b7b6bc3f4d5f7d25aff2d4f9b141144972275b9416fd60858a620a

SHA512
676d20069588620ab1c7d1984c3f1607f41efb2546a1e15796edbb6a7714e5a4f1694d2461d99349ad1ab08ee1428d8cd2974e25722fff65a1b529138e789bb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk

Filesize
1KB

MD5
2b6df1f6ef0d00f86f829d770df40fcb

SHA1
220b7421295876b80651348852ae7442ba4ec1c4

SHA256
8ebc418dd1ba64fcd8d5c8795f9a95a10fc63353fbb60a6fb35c86e4ca110e77

SHA512
b41323afaec0234de07839f0a0816f3535ab48947f918f6708a36e0b59876da122032ffab10a3dc0816187403be01125bc4728c06ba8523bd131687316cbf943

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk

Filesize
1KB

MD5
c97b7082db980ec427f6887962a2958b

SHA1
955297a0590549ee581d8d36ba91387ac66191c3

SHA256
ce52c214086f2d38765e4321e184853826f4407bd9755d1d790a2e70bf9c1ef6

SHA512
aae3d493ed136e5b7b6011a76dd8bce2f601d51d411178b9ea7dbd776c83dc0959820209ae7954c36f4d6d3abff6768e98d24155016c955135a07e4a2586aab7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk

Filesize
1KB

MD5
1f799e4b53b3fd36567b769df6387fb9

SHA1
28dd4d7bb9a0cdfcd84c6436167df8cfa4fe81aa

SHA256
155a27e0c6d5abda4bc3a4de88fdb178cbb768e6bd63601e8384cce1c1c84dcb

SHA512
b958ddac443d7f4172a58e1d1bd7d52860e2ddf84d77e5f01ca41ee14e457879d582d809fa56b769686061e9a3554f62f264c83f45f005a7d350afd9fe9118df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk

Filesize
1KB

MD5
3dd1655c6fee5759c31fe43325973cc5

SHA1
f2983795d80964337bbb9d7e59ca55e3b9174ffc

SHA256
26f1949022cf1108b187acdb7950c0b0497db5a7b5a5e4cd7675d226f8cce593

SHA512
444618356043b02c6e29adfb092fbd2f40bd075d224fd423b77ac6b41dfe35e79926ab2925738e8ae4a1e638f2b5a2436fb8bc77a3a5b4a3c27dba09824a9933

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk

Filesize
1KB

MD5
6830bb7a0f58918e50c5c4ed76501cfd

SHA1
632ddb5de03c28274b15902110eda577c176f9c3

SHA256
027f4d92b2d2fc407cc409a6ec865698540d47db92cff59acc77a2a1317e6e56

SHA512
1954289e894133be44f1bf7c35b053c053f6586fd0f81e0f49d1ea6320d59aa285fd919547e215dfc6dc9c9118c4623714d172252234f26bb282515be25b870f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk

Filesize
1KB

MD5
3462f44ef23fae202e59363fa6971617

SHA1
cc1d1910946ce3d2a08df210fdc0f92dfd685be9

SHA256
53e5ad09029d447a2a50a5417c31adeb3f3bdc3a756a06e616beca9d1965888b

SHA512
c4745a7ceb784fc792f39b11d0e4259d478e5d398fcd143360753edfce3e13e764b437d7acb1fbde8491d53d0ba1f7003b4d4d8505563cea87cb6e1240e1acd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6EA87600-4FB5-4F36-8895-30833DA07EAF}.lnk

Filesize
1KB

MD5
0adddcbbafd9f3209435aade2f0c5363

SHA1
8270ea06f5f4dd4a4afb2bfaaa97493f72318387

SHA256
b62b5a31f6f024f0c3fcf98428834f4f6d2c74d175ff96abd188fa5c5616c323

SHA512
0c23fea4dd84180f0b141d94d13a9fd22d0bb3fa8beb83104acca80dd674f5a86117bc600121d212a5f1840c01b4eda464e9ca313d944eaab437afd29bbe5484

Download Submit
memory/2124-16-0x000001B9B56C0000-0x000001B9B56E2000-memory.dmp

Filesize
136KB

Download
memory/2124-73-0x00007FF969ED0000-0x00007FF96A0C5000-memory.dmp

Filesize
2.0MB

Download
memory/2124-10-0x00007FF969ED0000-0x00007FF96A0C5000-memory.dmp

Filesize
2.0MB

Download
memory/2924-41-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-33-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-49-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-48-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-47-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-46-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-45-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-44-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-42-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-54-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-39-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-40-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-37-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-36-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-35-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-34-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-32-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-31-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-29-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-53-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-30-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-77-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-55-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-61-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-21-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2924-22-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-38-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-43-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-51-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-52-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-57-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-56-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2924-50-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/4300-7-0x00007FF692DF0000-0x00007FF6931F0000-memory.dmp

Filesize
4.0MB

Download
memory/4300-0-0x00007FF692DF0000-0x00007FF6931F0000-memory.dmp

Filesize
4.0MB

Download
memory/4300-1-0x00007FF969F70000-0x00007FF969F72000-memory.dmp

Filesize
8KB

Download
memory/4872-175-0x00007FF969ED0000-0x00007FF96A0C5000-memory.dmp

Filesize
2.0MB

Download
memory/4872-146-0x00007FF788000000-0x00007FF788400000-memory.dmp

Filesize
4.0MB

Download
memory/4872-9-0x00007FF969ED0000-0x00007FF96A0C5000-memory.dmp

Filesize
2.0MB

Download
memory/4872-8-0x00007FF788000000-0x00007FF788400000-memory.dmp

Filesize
4.0MB

Download