hxxp://sora-6b494[.]web[.]app

Resubmissions

16-04-2024 08:33

240416-kf8edafc9s 8

15-04-2024 16:33

240415-t21fbsba22 8

Analysis

max time kernel
1176s
max time network
1178s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://sora-6b494.web.app

Score

8^/10

Malware Config

Signatures

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\ext\php_fileinfo.dll	patched_upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Sora - OpenAi Beta v.1.1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	Sora - OpenAi Beta v.1.1.exe

Executes dropped EXE 9 IoCs

Processes:

Sora - OpenAi Beta v.1.1.exephp.exeSora - OpenAi Beta v.1.1.exerhc.exephp.exerhc.exephp.exerhc.exephp.exe

pid	process
5592	Sora - OpenAi Beta v.1.1.exe
5992	php.exe
6064	Sora - OpenAi Beta v.1.1.exe
4628	rhc.exe
3668	php.exe
2052	rhc.exe
6108	php.exe
4604	rhc.exe
836	php.exe

Loads dropped DLL 60 IoCs

Processes:

php.exephp.exephp.exephp.exe

pid	process
5992	php.exe
5992	php.exe
5992	php.exe
5992	php.exe
5992	php.exe
5992	php.exe
5992	php.exe
5992	php.exe
5992	php.exe
5992	php.exe
5992	php.exe
5992	php.exe
5992	php.exe
5992	php.exe
5992	php.exe
3668	php.exe
3668	php.exe
3668	php.exe
3668	php.exe
3668	php.exe
3668	php.exe
3668	php.exe
3668	php.exe
3668	php.exe
3668	php.exe
3668	php.exe
3668	php.exe
3668	php.exe
3668	php.exe
3668	php.exe
6108	php.exe
6108	php.exe
6108	php.exe
6108	php.exe
6108	php.exe
6108	php.exe
6108	php.exe
6108	php.exe
6108	php.exe
6108	php.exe
6108	php.exe
6108	php.exe
6108	php.exe
6108	php.exe
6108	php.exe
836	php.exe
836	php.exe
836	php.exe
836	php.exe
836	php.exe
836	php.exe
836	php.exe
836	php.exe
836	php.exe
836	php.exe
836	php.exe
836	php.exe
836	php.exe
836	php.exe
836	php.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

Processes:

firefox.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	explorer.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Sora - OpenAi v1.1.1.zip:Zone.Identifier firefox.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

4132 vlc.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exephp.exephp.exe

pid process

4868 powershell.exe
4868 powershell.exe
3668 php.exe
3668 php.exe
6108 php.exe
6108 php.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

4132 vlc.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Sora - OpenAi v1.1.1.zip:Zone.Identifier	firefox.exe

pid	process
4132	vlc.exe

pid	process
4868	powershell.exe
4868	powershell.exe
3668	php.exe
3668	php.exe
6108	php.exe
6108	php.exe

pid	process
4132	vlc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

firefox.exe7zG.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4296	firefox.exe
Token: SeDebugPrivilege	4296	firefox.exe
Token: SeDebugPrivilege	4296	firefox.exe
Token: SeRestorePrivilege	5412	7zG.exe
Token: 35	5412	7zG.exe
Token: SeSecurityPrivilege	5412	7zG.exe
Token: SeSecurityPrivilege	5412	7zG.exe
Token: SeDebugPrivilege	4868	powershell.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

firefox.exe7zG.exevlc.exe

pid	process
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
5412	7zG.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

firefox.exevlc.exe

pid	process
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

firefox.exevlc.exe

pid	process
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 692 wrote to memory of 4296	692	firefox.exe	firefox.exe
PID 692 wrote to memory of 4296	692	firefox.exe	firefox.exe
PID 692 wrote to memory of 4296	692	firefox.exe	firefox.exe
PID 692 wrote to memory of 4296	692	firefox.exe	firefox.exe
PID 692 wrote to memory of 4296	692	firefox.exe	firefox.exe
PID 692 wrote to memory of 4296	692	firefox.exe	firefox.exe
PID 692 wrote to memory of 4296	692	firefox.exe	firefox.exe
PID 692 wrote to memory of 4296	692	firefox.exe	firefox.exe
PID 692 wrote to memory of 4296	692	firefox.exe	firefox.exe
PID 692 wrote to memory of 4296	692	firefox.exe	firefox.exe
PID 692 wrote to memory of 4296	692	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1668	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1124	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1124	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1124	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1124	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1124	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1124	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1124	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1124	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1124	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 1124	4296	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://sora-6b494.web.app"
1⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://sora-6b494.web.app
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4296.0.2085794107\116953621" -parentBuildID 20230214051806 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {542d76bd-5a05-4b9e-94a7-b761b0a143e9} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" 1872 1b350123a58 gpu
3⤵
PID:1668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4296.1.72880994\1270543534" -parentBuildID 20230214051806 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80e33d07-e849-434a-9ab3-07d6ce8a5c38} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" 2472 1b34338a858 socket
3⤵
- Checks processor information in registry
PID:1124

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4296.2.1559614078\1041186333" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 23030 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65a737c4-5417-49bc-84ae-2e9a0ecdec05} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" 3028 1b353112e58 tab
3⤵
PID:1520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4296.3.444700750\649159429" -childID 2 -isForBrowser -prefsHandle 3932 -prefMapHandle 3928 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b8bb6fd-a861-419e-8d1d-065c39216c2c} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" 3936 1b354ce2958 tab
3⤵
PID:3968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4296.4.1899496409\1114039264" -childID 3 -isForBrowser -prefsHandle 4868 -prefMapHandle 4864 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b1f70c2-0515-4a4f-b74b-cdf8eb0c1ffc} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" 4880 1b355d6e558 tab
3⤵
PID:892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4296.5.90772898\1807841657" -childID 4 -isForBrowser -prefsHandle 3056 -prefMapHandle 3208 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f75f88bc-e2dd-40f3-9ba2-61e7d9740b65} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" 3504 1b343380758 tab
3⤵
PID:1176

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4296.6.2124662752\984275513" -childID 5 -isForBrowser -prefsHandle 5276 -prefMapHandle 5272 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a01d9161-5ecf-4b1c-ae00-c2a8302b88aa} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" 5296 1b356c25258 tab
3⤵
PID:876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4296.7.1620666764\1244256916" -childID 6 -isForBrowser -prefsHandle 5376 -prefMapHandle 5384 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1eee5170-27b8-4af9-86ad-e7e5f31fa78b} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" 5460 1b356c28258 tab
3⤵
PID:4276

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4296.8.1619011922\1828988149" -parentBuildID 20230214051806 -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 27697 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ba8ad6a-e805-4c9f-b418-a0a2489f1478} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" 5684 1b355ffb558 rdd
3⤵
PID:1236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5608

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap15899:98:7zEvent1810
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5412

C:\Users\Admin\Desktop\Sora - OpenAi v1.1\Sora - OpenAi Beta v.1.1.exe
"C:\Users\Admin\Desktop\Sora - OpenAi v1.1\Sora - OpenAi Beta v.1.1.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5592

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" "C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\img\PlayVideoFull.mp4"
2⤵
PID:5836

C:\ProgramData\ContentData\php.exe
"C:\ProgramData\ContentData\php.exe" C:\ProgramData\ContentData\include.php
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "PowerShell -c "Get-Date -Format 'yyyy-MM-dd HH:mm:ss'""
3⤵
PID:1032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell -c "Get-Date -Format 'yyyy-MM-dd HH:mm:ss'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:5860

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\img\PlayVideoFull.mp4"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4132

C:\Users\Admin\Desktop\Sora - OpenAi v1.1\Sora - OpenAi Beta v.1.1.exe
"C:\Users\Admin\Desktop\Sora - OpenAi v1.1\Sora - OpenAi Beta v.1.1.exe"
1⤵
- Executes dropped EXE
PID:6064

C:\ProgramData\ContentData\rhc.exe
C:\ProgramData\ContentData\rhc.exe php.exe index.php
1⤵
- Executes dropped EXE
PID:4628

C:\ProgramData\ContentData\php.exe
php.exe index.php
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3668

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ""C:\ProgramData\CloudData\rhc.exe" "C:\ProgramData\CloudData\python.exe" "C:\ProgramData\CloudData\main.py""
3⤵
PID:3772

C:\ProgramData\ContentData\rhc.exe
C:\ProgramData\ContentData\rhc.exe php.exe index.php
1⤵
- Executes dropped EXE
PID:2052

C:\ProgramData\ContentData\php.exe
php.exe index.php
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:6108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ""C:\ProgramData\CloudData\rhc.exe" "C:\ProgramData\CloudData\python.exe" "C:\ProgramData\CloudData\main.py""
3⤵
PID:5456

C:\ProgramData\ContentData\rhc.exe
C:\ProgramData\ContentData\rhc.exe php.exe index.php
1⤵
- Executes dropped EXE
PID:4604

C:\ProgramData\ContentData\php.exe
php.exe index.php
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ""C:\ProgramData\CloudData\rhc.exe" "C:\ProgramData\CloudData\python.exe" "C:\ProgramData\CloudData\main.py""
3⤵
PID:2244

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\activity-stream.discovery_stream.json.tmp
Filesize
25KB

MD5
baa357367138534a42a1bae52f5cb5f2

SHA1
ec31291f07f687a6bb5cf1188c0ea3d907e9511f

SHA256
2e5eb15e59c4d2826ca3313ffa5f51fb4a5c78589223d197ab42a44b85869583

SHA512
ec7168ad0685f412f3770b200d313041aee1c7588188d29ce5ff778d4c9b430e6d3fa320d454350d83a01fe2f9fab92cde2aff2e629760f27082c13e85926fc0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\activity-stream.discovery_stream.json.tmp
Filesize
24KB

MD5
6f20b9a4cd97034008cd4796e69ce694

SHA1
076bb52ed869a5ab8370156d9e5e981e375d1713

SHA256
607c6cba3eddea94cd3962304e612dbe697703b54f52dc0ecf266f2f0b332a07

SHA512
7f78c8318b6f9914de1fcf18dd4d37336890cfc79c3a9f9a4275ca8d6af6c6fc07fcf76c33a47aab6e391c0b76a5856f636e13ede1e7f53eeb50a8be5fc4eb8c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\F43F96CF16AAAB999840B6AB1FF417BAC03D7790
Filesize
54KB

MD5
aad338cd606625a1127d6528311e3b0a

SHA1
40d1dcb3d6e413d81ba481012200c4d3ec003bf3

SHA256
415337bb1fbaed81e6a5899142e7f614b457b8c7fc6177c2887bfae4d3ea17f5

SHA512
35243dedc41aee4b76e0568049b2c8aef2326a262f0efcb33484e89612e6ea37b4d791bc02c159a2174fa299b37cc2017464d7a7086b1d2ded250e67196806ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlagg2xf.duv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs-1.js
Filesize
6KB

MD5
409462c0b2b88d408d4d85bac58fad3c

SHA1
a7d394133d4efe196ac1412a8b686dfcb30be628

SHA256
19befeb91b2951e034af9c3d47e1455a6180a3bf68d67c8c12710d922d57f41a

SHA512
dbdded1eca77a30255efd1221f5dbdc8dd27025f4d4317fa51bcfb9283d198809917f89321e2e241c9816496fffa030a791c858eb471ded0d7722a06e9bac452

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs-1.js
Filesize
6KB

MD5
be6aa85c9b5507ab9885e165a1bdbab4

SHA1
0b8d9e9b8c3cf2ae188e7ef3b04445d22004d03c

SHA256
fe2464853bf7a073016c885696777f65a0a9bc620fc4314d17c7146df355d70a

SHA512
c5bb715cbf32ef3374a6f2bead1837b51b79795338bd0a8905eac8e6ced4773a79d500363311c59198de0531fa0f2db08386ade9aa95c8f9629fa1f7ec501f5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs.js
Filesize
6KB

MD5
4269b1487fed06b442c9afc326a4b7f1

SHA1
50dfc4f23f388d3bbc3a819d5b047c5816021a75

SHA256
6574946246023d7de40eaf6ef38e2c861ed620c41fc934f68b8a287b4020dc0c

SHA512
36ff4b4595fba4eb57d405520d58ce6aac3ffa72d42f9280b55991b037290cf682f41f9dcb54788d6ec111e13923f395d98ed61019b3283b0bc19bdb1eec2b45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs.js
Filesize
7KB

MD5
f3d4859b6b9c61a1ca58db6497a2a960

SHA1
677fd26b4832676ab896bf103d1fa2bfaceefc85

SHA256
1ebf84f646332ec4b7a98ba9e4b2b4af3c3614ff658c1ef6d6249c7d20cff748

SHA512
bf2ae040202cadfbdb7f9093e9bc38a39ed8b5ce0a80f4b12cf15888e4c46454d7987c7a7b758f4aefbe77f0c7252886a5b37f129e80b3deb47747ddd748aa6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
2KB

MD5
e0d5713bb91028ef41762decf9b28204

SHA1
6ea1368275c993d5bf6df7878223e56c6587282f

SHA256
d909eb6606e5102cb86d96782d6123745a0d3788ac9c7d231a518980b69aca68

SHA512
d92a610f9c89e55b3dc06cc09bdb3291cf2de16999bc549be7537eacd7d64f6a6ddf685c3e60ed2f46a4dfc14e5e9369c409d8b48dd015c1618cebe16dc11b35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore.jsonlz4
Filesize
2KB

MD5
7cd93ba8a0360e7b7c9d3be3afe2d5a8

SHA1
3bc8d680e35d38ce42f5fcfe1a43efba5599acf4

SHA256
850d42165ac1a11825f9068779177ddd73761bf9eee099bf845ab454db6f9dda

SHA512
9b1d4febff9f509e1f1c17f252d6fbb8bdcd709142738124fd3ecd04c1f0a51a16c52559d7c0e4332faba281678d45759ea68997298678e90c02417460b2d906

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\Sora - OpenAi Beta v.1.1.exe
Filesize
153KB

MD5
37932fd952d6d845927f25f42cb3c628

SHA1
d0d7e1b7cfb13a0999ef4c4733b83275a1de2440

SHA256
cb807472bb6d4d1113fcbc209d6a08fa80ff9e53c83b1aa37f9d6f549affd68c

SHA512
403dce223d9cbb4241f21a773cfc55501e4141b161c3ba60397c75d533c3abbd420a8f526f6aac7f2a0a5b7b91361ed013641f0d40afc00680428db3c1dbb49b

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\WDSync.dll
Filesize
15KB

MD5
a0aae6000f5d7a2abc603afe54d284b5

SHA1
e31070d51d5b26b2d7816b751b2af70a75d60999

SHA256
12e633b25946133b8c6bdb12029a6705dbde6a0b58a8fb028dbc80697c2f14ba

SHA512
3eaa559fd2c7ab9f1554227db0556d68dab6eecf20475529f772370c3599ea1a245091c01130cc522b946cf005b43b7cdfb6d6ed1edbaf7fd56ed298ed011977

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\ext\php_bz2.dll
Filesize
64KB

MD5
2e83d3a008f9d9bf6c6785d4feba5c75

SHA1
cd634271c56ff3b6c4c141adadb724a581378410

SHA256
d1457076b72d629f0af7e98cd6fe5be4fb0b18fb9c15675f2995b4c5e88a8106

SHA512
09fd9dba3e625dc38ec4587478988252a2ad1916f395a6d84ade09ea1a5f6c2b1353f9cd80455c22d9a0a30285a197801b3dca29664dce43e125ede9f8f379a8

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\ext\php_com_dotnet.dll
Filesize
69KB

MD5
e6356bb0442e22f4c833c8f3faa12e54

SHA1
aa7867e7b0275e43b162a97ee9ff9417daa60887

SHA256
e7acc59480842e662351c2026f08ab67971ee33c34c663ce509a4c9473e643fa

SHA512
abdff0cac197d1fc73ddc74ce677556bd798e3e2c13f12eeb050785873dc43908f137d95f02f7eceac38dee39ed391b0b820837db97c7c0a96fa414c08ef7de1

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\ext\php_curl.dll
Filesize
393KB

MD5
c8cce26e1f5c4ebcaf7d4f6f9cf6f994

SHA1
b174076a6b26e160954572c675cce067ba6582c8

SHA256
05c99429e208bc9f345c791e16dd3f68ec628186d64e2acbc7f2f6dcc877bf11

SHA512
a078e5c1cb37857a8e4f1f8430823466a30b51e22b1136afeb4542091e17c79e278a4fc081dac9ad0f85cfd18a63333aec39ec272b1cbcf78037b85af2fa50df

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\ext\php_fileinfo.dll
Filesize
2.7MB

MD5
f53c9423bd798be924215b6d50dd57e1

SHA1
3453ae45f830d878825e739d1364dd8d9c657c6d

SHA256
1132e7e1cd973f0d44da001bc64ac36a061b69192c9d8ea175cd73e94100bcc0

SHA512
3b8e773321820e0a2e18532692ed027756e2c28ff2452c0e35caf3554e55d8a5510835be6916befd5cce74ea63b40c986e67f9251c722f5a7748a5795ef1a37e

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\ext\php_gd2.dll
Filesize
1.3MB

MD5
6b5a11b8724dbb00f921d0d3adddc0f8

SHA1
16736b897a691c1298eca0a9df70a82eac69c7f2

SHA256
ddc10933f9d057fbb929f59997f5913182ce928dc8ffad8963eed74c2ef50256

SHA512
729c2cea71d89177473f738e0b342817ce12508dde857b5eb1226ab7fb90d4c64a777a9ed04b083ce57c9129da916e062b1084ee93058593e99487ae4eab4da0

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\ext\php_ioncube.dll
Filesize
779KB

MD5
c57d5f4ec2992e6b06e891d09dcc3e32

SHA1
f1627024fe4a922a43e2163d77da987918635ca7

SHA256
4b6f679ab3da317ee310d5bd482b41a77f5ebf1fc0d514d3595c3d16db6e7327

SHA512
ed30da1c8950865c380b6d13468af1075e4161a052199ea77d071851d297c14c041e082377935d5a8deb3807df6a6bb375c63d3f017c91b425b63a22c82f6151

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\ext\php_mbstring.dll
Filesize
1.2MB

MD5
91e97c0ebbe5a7053b9396b1e376283d

SHA1
1906eae6644797e905a1f54c558e83c550440320

SHA256
6653e52f3a7d12afc5e1d5922a73d56a9d914864a1f882004e986ea210005b61

SHA512
3e4e03e4932cf3cdadbc29f0163e81ac430f94e4497f805b31cd0ab12e3975f8152347b78ab1efe1a1feb24101925e671585b8d7080316ac86f4a6d78de9e790

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\ext\php_openssl.dll
Filesize
86KB

MD5
7b404ba96f7f535fee77b97e0e45de2c

SHA1
3fa2897c6af4d9e2fa7d88748220816cd50c9e06

SHA256
673596e0945d61b3f5ff71d293ff8c2cc38464142bdde00387a87ea9af646aed

SHA512
10368f80234a6d7330616dc94d35238aa3215b3ae95e26ba5cde54eb2d99ce5585a138e2c8f97f52713809199eb15bf7b3555dd92ec9be0dbde0cabd118eb30f

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\ext\php_pdo_sqlite.dll
Filesize
475KB

MD5
233fa83055777dfc5602c15e049e381b

SHA1
d0d5bb591515a1a96e1acd486741c1b041517377

SHA256
8b46ab99dad214f30ff11daf08d6b77041165875a04b3d4dc16cdfcfe73ca625

SHA512
401143a7770e429289980b5ef072a630d3246806e77fcbcfa86aef1abbb447aa7b15b29b7a467824580f8c4c2de4ff897c8ed70386f965514ab309cdad14a5d0

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\img\PlayVideoFull.mp4
Filesize
20.1MB

MD5
9804131e8c787e4cbe2dcb43f2a3ff17

SHA1
1641b6f53958dda1bd26b1fbceef332b9066c27d

SHA256
dac5c406f82c5d2c2f6473b6b864f23cd36055be91d01a4670ac1d4b797ffa42

SHA512
745d0f0c37c6fc0ad62e65cc296fd673a7cf3811e5fcc89ef68e9d9a5a95c93c515df65b72a8a6c59d2538edac21ce8dc47cab1763b8bd7f3d160e6c8fec8134

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\include.php
Filesize
9KB

MD5
273bd3d5da3cfcf66b62c219138dff27

SHA1
171899a2b963ebef255551444a9eb8d1705278f8

SHA256
0d78ba7e8a43f92511616c5be20197a2ad2d78b108cd68cad9a8005fde7d80df

SHA512
a09a6b1932efdd5f201558eae93610c8936a3910b503d63b3a2500dbc0846f4599b22621170d98b285b37c53a16ebfe3e1dc4041697185439e0cbec2229e60ef

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\index.php
Filesize
10KB

MD5
e1829b8350d861ff3a3bce5f167a4db3

SHA1
4eb5fa60631706d97cb96dc90984bb7780820f8b

SHA256
996e0e86a18d0b129d48fac97ef3c7a74cfcdfca89f38ea24af92bddb07f7f74

SHA512
cdbb42cc36c639e3ea51c73659139c751018bf9b4e15a837842b25328e980c7d462619708adcbb6933b235c43c1fa4a4ac3e0a71c457719c3830d983759e34d4

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\libeay32.dll
Filesize
1.2MB

MD5
d02143376cdea15b313a398a4caf3735

SHA1
6ed82e6c999974154cccd1b0809e518bf234eafb

SHA256
fe5ceefedcec83d40bd63a7cc2d4ae4012b3f59f1098638056fdc1a477d405f7

SHA512
d9e9e547e21bf3ad0f4474e0d05132c36d4865b8e796dfce888b9f81f5332e3dfe9126988dce938564f1030d069f30d4b912285205f77977c1b4bfee68707624

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\libssh2.dll
Filesize
163KB

MD5
73f95c1b2a23be7a80aa75250b8f25ad

SHA1
20dcce600d126479bd2f0226ae4b8981ee1f147b

SHA256
ed0db696c2ae8b896eab6fd8c71e5fa4c88e6a90b98fffc354593288d59fe119

SHA512
5ee88e0b0215dc7c970e085068f24baf3d7d1df247e7ed56d052dfa20d7dfd603353f036daa0d60e1514277e27d49449fbd9708a5e1c690eb1b90699e7f0e42f

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\msvcr110.dll
Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\openai.api
Filesize
88B

MD5
850952b67ab0c698657c3d908f559816

SHA1
e328f80fedc6c1208340f8ad775c3f350aa949d9

SHA256
fcfaf39e980b6fd20b1c27dae0565145b4e52dad257a780dcc2919800f8856b7

SHA512
b16f9d12d2b8fc6cd31fadd8397a56583bc2ea82ec2f333f85e8ad8ac4b83689cd0e5a2c7664129278f327d7df8b8a9df274ccbb8026e41a626abd1d13e01482

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\php.exe
Filesize
63KB

MD5
a1fe2fe70b38f91230cb5f4ca22b2c0c

SHA1
736bb400f69925493e4fb573e7222ac483ec3b32

SHA256
702d09e982e2af6bf5d828bb1d27bd3a48efcab7cf8837b023953354c4026550

SHA512
1cea0f50aceef5240c096bebf0d58f48e8b6313d71b0dd230b6aa465678e650c91e8e3ccecb7c73f7dc0c4a81eef5c3d14dbea1139543e2907ccca9e31d85dc3

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\php.ini
Filesize
70KB

MD5
dc20e139ccdcf3ab7037a18e52a00755

SHA1
a58c36fae35b20919ea214e17dae765c5a01b144

SHA256
9d2acec331a9e21ac406c8c469f68d943bca1503f9034a1bdd81664c993a9235

SHA512
91dc6e908af6f8f8d61473c03a71ed852cae80a3a5d480fd21fa44a8b4f156ed3194d6118b69376575e7e331c6bb249730ad34c0d54d987e981f105da31e2bb1

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\php5.dll
Filesize
6.7MB

MD5
0f9246f67611db06b9082a03e2680aba

SHA1
12d3ab77f06921aa9d7ebeda5410cc34455df7fa

SHA256
36179be42a85e363099ab57852f6fd1cd12e602e1475841ab169d13fc8955065

SHA512
d10d35febcbf0c036ae12be57cb168841e47f8f171a65b8b11ee625ced9ff0a33fcaa6467e690f8e9880bf8fdbb0f3dd77f5740453fea06ca8292dfdae86f0aa

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\rhc.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\Users\Admin\Desktop\Sora - OpenAi v1.1\__MACOSX\ssleay32.dll
Filesize
268KB

MD5
a24016af3e4cb13139f7904fd1fd847d

SHA1
60b61964b809de44090bdb7a2cc1b0ccf608bc24

SHA256
df5ca94869c6532d6db6c2aafddc4eab93e867670ce5964728248df68e07ce20

SHA512
227f9f16a4d5d683d3fea82390cc4cc07bb2eac6d8fad1aa41806aed4b825a5372f00bc284d73c2be5ad34e023bbd35cac901a4322ce911b998921a157eb934c

Download Submit
C:\Users\Admin\Downloads\Sora - OpenAi v1.BW2l4eim.1.1.zip.part
Filesize
26.9MB

MD5
7c9de4d2c78e006f11ad8f1c44966fb4

SHA1
93e54785137b1471ed7530ae0e8da5640dd0cdb0

SHA256
081b2455cbf464eee43082d023137137eaf43b7a6e1f475feeb75b7cdaaa4cac

SHA512
6463c5dcae47226146dddc159105ecaba762fcfb27c330f8d721e742d948a939c0419104d69bc0ee3812b1b0aeaa22fe8edfd75682f2707027c9f9d7adf98a5d

Download Submit
memory/2052-542-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4132-412-0x00007FF90E360000-0x00007FF90E371000-memory.dmp

Filesize
68KB

Download
memory/4132-431-0x00007FF8FD760000-0x00007FF8FD77B000-memory.dmp

Filesize
108KB

Download
memory/4132-388-0x00007FF647E50000-0x00007FF647F48000-memory.dmp

Filesize
992KB

Download
memory/4132-390-0x00007FF8FE3B0000-0x00007FF8FE666000-memory.dmp

Filesize
2.7MB

Download
memory/4132-392-0x00007FF917560000-0x00007FF917577000-memory.dmp

Filesize
92KB

Download
memory/4132-391-0x00007FF917580000-0x00007FF917598000-memory.dmp

Filesize
96KB

Download
memory/4132-394-0x00007FF914A10000-0x00007FF914A27000-memory.dmp

Filesize
92KB

Download
memory/4132-396-0x00007FF914480000-0x00007FF91449D000-memory.dmp

Filesize
116KB

Download
memory/4132-397-0x00007FF914320000-0x00007FF914331000-memory.dmp

Filesize
68KB

Download
memory/4132-395-0x00007FF9147F0000-0x00007FF914801000-memory.dmp

Filesize
68KB

Download
memory/4132-393-0x00007FF9173B0000-0x00007FF9173C1000-memory.dmp

Filesize
68KB

Download
memory/4132-398-0x00007FF8FE1A0000-0x00007FF8FE3AB000-memory.dmp

Filesize
2.0MB

Download
memory/4132-399-0x00007FF8FA240000-0x00007FF8FB2F0000-memory.dmp

Filesize
16.7MB

Download
memory/4132-400-0x00007FF914120000-0x00007FF914161000-memory.dmp

Filesize
260KB

Download
memory/4132-401-0x00007FF913A00000-0x00007FF913A21000-memory.dmp

Filesize
132KB

Download
memory/4132-403-0x00007FF913820000-0x00007FF913831000-memory.dmp

Filesize
68KB

Download
memory/4132-408-0x00007FF90F1B0000-0x00007FF90F1C8000-memory.dmp

Filesize
96KB

Download
memory/4132-407-0x00007FF90F1F0000-0x00007FF90F201000-memory.dmp

Filesize
68KB

Download
memory/4132-406-0x00007FF90F210000-0x00007FF90F22B000-memory.dmp

Filesize
108KB

Download
memory/4132-405-0x00007FF90F230000-0x00007FF90F241000-memory.dmp

Filesize
68KB

Download
memory/4132-404-0x00007FF912CA0000-0x00007FF912CB1000-memory.dmp

Filesize
68KB

Download
memory/4132-402-0x00007FF9139E0000-0x00007FF9139F8000-memory.dmp

Filesize
96KB

Download
memory/4132-409-0x00007FF90E380000-0x00007FF90E3B0000-memory.dmp

Filesize
192KB

Download
memory/4132-410-0x00007FF904490000-0x00007FF9044F7000-memory.dmp

Filesize
412KB

Download
memory/4132-413-0x00007FF903D50000-0x00007FF903DA7000-memory.dmp

Filesize
348KB

Download
memory/4132-463-0x00007FF918C70000-0x00007FF918CA4000-memory.dmp

Filesize
208KB

Download
memory/4132-411-0x00007FF9032B0000-0x00007FF90332C000-memory.dmp

Filesize
496KB

Download
memory/4132-414-0x00007FF8FE020000-0x00007FF8FE1A0000-memory.dmp

Filesize
1.5MB

Download
memory/4132-415-0x00007FF90E340000-0x00007FF90E357000-memory.dmp

Filesize
92KB

Download
memory/4132-416-0x00007FF8F89D0000-0x00007FF8FA23F000-memory.dmp

Filesize
24.4MB

Download
memory/4132-417-0x00007FF8FDE10000-0x00007FF8FE016000-memory.dmp

Filesize
2.0MB

Download
memory/4132-418-0x00007FF904470000-0x00007FF904482000-memory.dmp

Filesize
72KB

Download
memory/4132-419-0x00007FF8FDDC0000-0x00007FF8FDE02000-memory.dmp

Filesize
264KB

Download
memory/4132-420-0x00007FF8FDD70000-0x00007FF8FDDBD000-memory.dmp

Filesize
308KB

Download
memory/4132-421-0x00007FF8FDC00000-0x00007FF8FDD6B000-memory.dmp

Filesize
1.4MB

Download
memory/4132-422-0x00007FF8FDA10000-0x00007FF8FDA67000-memory.dmp

Filesize
348KB

Download
memory/4132-423-0x00007FF8FBB30000-0x00007FF8FBD71000-memory.dmp

Filesize
2.3MB

Download
memory/4132-424-0x00007FF8FB880000-0x00007FF8FBB30000-memory.dmp

Filesize
2.7MB

Download
memory/4132-426-0x00007FF8FD9E0000-0x00007FF8FDA03000-memory.dmp

Filesize
140KB

Download
memory/4132-427-0x00007FF8FD9C0000-0x00007FF8FD9D3000-memory.dmp

Filesize
76KB

Download
memory/4132-428-0x00007FF8FD8B0000-0x00007FF8FD9B6000-memory.dmp

Filesize
1.0MB

Download
memory/4132-429-0x00007FF8FD7A0000-0x00007FF8FD7CA000-memory.dmp

Filesize
168KB

Download
memory/4132-430-0x00007FF8FD780000-0x00007FF8FD793000-memory.dmp

Filesize
76KB

Download
memory/4132-389-0x00007FF918C70000-0x00007FF918CA4000-memory.dmp

Filesize
208KB

Download
memory/4132-432-0x00007FF8FD740000-0x00007FF8FD752000-memory.dmp

Filesize
72KB

Download
memory/4132-425-0x00007FF8FDBE0000-0x00007FF8FDBF5000-memory.dmp

Filesize
84KB

Download
memory/4132-433-0x00007FF8FD720000-0x00007FF8FD735000-memory.dmp

Filesize
84KB

Download
memory/4132-434-0x00007FF8FD700000-0x00007FF8FD713000-memory.dmp

Filesize
76KB

Download
memory/4132-435-0x00007FF8FD6E0000-0x00007FF8FD6F4000-memory.dmp

Filesize
80KB

Download
memory/4132-436-0x00007FF8FD6C0000-0x00007FF8FD6D2000-memory.dmp

Filesize
72KB

Download
memory/4132-438-0x00007FF8FD680000-0x00007FF8FD695000-memory.dmp

Filesize
84KB

Download
memory/4132-439-0x00007FF8FD350000-0x00007FF8FD361000-memory.dmp

Filesize
68KB

Download
memory/4132-437-0x00007FF8FD6A0000-0x00007FF8FD6B5000-memory.dmp

Filesize
84KB

Download
memory/4132-440-0x00007FF8FD320000-0x00007FF8FD34B000-memory.dmp

Filesize
172KB

Download
memory/4132-442-0x00007FF8FD2C0000-0x00007FF8FD2D1000-memory.dmp

Filesize
68KB

Download
memory/4132-441-0x00007FF8FD2E0000-0x00007FF8FD318000-memory.dmp

Filesize
224KB

Download
memory/4132-443-0x00007FF8FD040000-0x00007FF8FD051000-memory.dmp

Filesize
68KB

Download
memory/4132-444-0x00007FF8FCF10000-0x00007FF8FCF71000-memory.dmp

Filesize
388KB

Download
memory/4132-447-0x00007FF8FCB30000-0x00007FF8FCB7E000-memory.dmp

Filesize
312KB

Download
memory/4132-452-0x00007FF8FCAD0000-0x00007FF8FCB27000-memory.dmp

Filesize
348KB

Download
memory/4132-454-0x00007FF8FCAB0000-0x00007FF8FCAC7000-memory.dmp

Filesize
92KB

Download
memory/4132-453-0x00007FF8FCE10000-0x00007FF8FCE21000-memory.dmp

Filesize
68KB

Download
memory/4132-462-0x00007FF647E50000-0x00007FF647F48000-memory.dmp

Filesize
992KB

Download
memory/4132-464-0x00007FF8FE3B0000-0x00007FF8FE666000-memory.dmp

Filesize
2.7MB

Download
memory/4628-532-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4868-519-0x0000000005810000-0x0000000005B64000-memory.dmp

Filesize
3.3MB

Download
memory/4868-525-0x0000000007470000-0x0000000007AEA000-memory.dmp

Filesize
6.5MB

Download
memory/4868-504-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/4868-505-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/4868-506-0x0000000004FF0000-0x0000000005618000-memory.dmp

Filesize
6.2MB

Download
memory/4868-507-0x0000000004E70000-0x0000000004E92000-memory.dmp

Filesize
136KB

Download
memory/4868-508-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/4868-520-0x0000000005E40000-0x0000000005E5E000-memory.dmp

Filesize
120KB

Download
memory/4868-510-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/4868-502-0x0000000002890000-0x00000000028C6000-memory.dmp

Filesize
216KB

Download
memory/4868-529-0x00000000736F0000-0x0000000073EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4868-521-0x0000000005E80000-0x0000000005ECC000-memory.dmp

Filesize
304KB

Download
memory/4868-526-0x0000000006350000-0x000000000636A000-memory.dmp

Filesize
104KB

Download
memory/4868-503-0x00000000736F0000-0x0000000073EA0000-memory.dmp

Filesize
7.7MB

Download
memory/5592-337-0x00000226F9DF0000-0x00000226F9DFA000-memory.dmp

Filesize
40KB

Download
memory/5592-538-0x00007FF9019A0000-0x00007FF902461000-memory.dmp

Filesize
10.8MB

Download
memory/5592-379-0x00007FF9019A0000-0x00007FF902461000-memory.dmp

Filesize
10.8MB

Download
memory/5592-335-0x00000226F9A10000-0x00000226F9A38000-memory.dmp

Filesize
160KB

Download
memory/6064-524-0x00007FF9019A0000-0x00007FF902461000-memory.dmp

Filesize
10.8MB

Download
memory/6064-541-0x00007FF9019A0000-0x00007FF902461000-memory.dmp

Filesize
10.8MB

Download