9e68542a9eebdb982433cdca5e3bf79246d85c03e85ccb82ea2886290b493184

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app.exe
Size

139.6MB
MD5

d4d78a1172851c26a6132cf65de31ae0
SHA1

89bbbcae5e98307ae4e14ae510af4bd17da582c4
SHA256

b9b6921e279b16b9035cc7beffee32ffcc10a4a99bbe6102d122a8b6d07c904c
SHA512

7436b6fc36f7e92e37a2ff555c4685054729c5ccfbb2b75a57696a6aec98339c13cee7009ed9c86016158c5d702a20611f09a514556b3e9c11b941902f848566
SSDEEP

786432:ESfg0tbLs2cRE3FsdxwBFyAaZZiljQWohhjbj6S46P845IPD:ESj5szmFcxwBFyAaZ4jMhhXcyC

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 25 IoCs

pid	Process
2808	kxhves.exe
1864	kxhves.exe
2440	kxhves.exe
3024	kxhves.exe
1748	kxhves.exe
2168	kxhves.exe
452	kxhves.exe
1104	kxhves.exe
2004	kxhves.exe
2632	kxhves.exe
2580	kxhves.exe
1768	kxhves.exe
2896	kxhves.exe
1656	kxhves.exe
3008	kxhves.exe
2816	kxhves.exe
2180	kxhves.exe
1232	kxhves.exe
352	kxhves.exe
1612	kxhves.exe
1820	kxhves.exe
2212	kxhves.exe
592	kxhves.exe
2976	kxhves.exe
2448	kxhves.exe

Loads dropped DLL 1 IoCs

pid	Process
1660	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	app.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	app.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	app.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	app.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	app.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	app.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	app.exe

Detects videocard installed 1 TTPs 11 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2412	WMIC.exe
2108	WMIC.exe
2904	WMIC.exe
1720	WMIC.exe
1360	WMIC.exe
1948	WMIC.exe
2940	WMIC.exe
1628	WMIC.exe
2804	WMIC.exe
1060	WMIC.exe
1820	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
2928	tasklist.exe
1160	tasklist.exe
1816	tasklist.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2956	app.exe
2956	app.exe
2508	app.exe
1332	powershell.exe
2400	powershell.exe
2540	powershell.exe
1672	powershell.exe
3064	powershell.exe
1176	powershell.exe
1592	powershell.exe
2640	powershell.exe
932	powershell.exe
2956	app.exe
2956	app.exe
1248	powershell.exe
2252	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2956	app.exe
Token: SeShutdownPrivilege	2956	app.exe
Token: SeShutdownPrivilege	2956	app.exe
Token: SeShutdownPrivilege	2956	app.exe
Token: SeShutdownPrivilege	2956	app.exe
Token: SeShutdownPrivilege	2956	app.exe
Token: SeShutdownPrivilege	2956	app.exe
Token: SeShutdownPrivilege	2956	app.exe
Token: SeShutdownPrivilege	2956	app.exe
Token: SeShutdownPrivilege	2956	app.exe
Token: SeShutdownPrivilege	2956	app.exe
Token: SeShutdownPrivilege	2956	app.exe
Token: SeIncreaseQuotaPrivilege	2940	WMIC.exe
Token: SeSecurityPrivilege	2940	WMIC.exe
Token: SeTakeOwnershipPrivilege	2940	WMIC.exe
Token: SeLoadDriverPrivilege	2940	WMIC.exe
Token: SeSystemProfilePrivilege	2940	WMIC.exe
Token: SeSystemtimePrivilege	2940	WMIC.exe
Token: SeProfSingleProcessPrivilege	2940	WMIC.exe
Token: SeIncBasePriorityPrivilege	2940	WMIC.exe
Token: SeCreatePagefilePrivilege	2940	WMIC.exe
Token: SeBackupPrivilege	2940	WMIC.exe
Token: SeRestorePrivilege	2940	WMIC.exe
Token: SeShutdownPrivilege	2940	WMIC.exe
Token: SeDebugPrivilege	2940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2940	WMIC.exe
Token: SeRemoteShutdownPrivilege	2940	WMIC.exe
Token: SeUndockPrivilege	2940	WMIC.exe
Token: SeManageVolumePrivilege	2940	WMIC.exe
Token: 33	2940	WMIC.exe
Token: 34	2940	WMIC.exe
Token: 35	2940	WMIC.exe
Token: SeDebugPrivilege	2928	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2288	WMIC.exe
Token: SeSecurityPrivilege	2288	WMIC.exe
Token: SeTakeOwnershipPrivilege	2288	WMIC.exe
Token: SeLoadDriverPrivilege	2288	WMIC.exe
Token: SeSystemProfilePrivilege	2288	WMIC.exe
Token: SeSystemtimePrivilege	2288	WMIC.exe
Token: SeProfSingleProcessPrivilege	2288	WMIC.exe
Token: SeIncBasePriorityPrivilege	2288	WMIC.exe
Token: SeCreatePagefilePrivilege	2288	WMIC.exe
Token: SeBackupPrivilege	2288	WMIC.exe
Token: SeRestorePrivilege	2288	WMIC.exe
Token: SeShutdownPrivilege	2288	WMIC.exe
Token: SeDebugPrivilege	2288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2288	WMIC.exe
Token: SeRemoteShutdownPrivilege	2288	WMIC.exe
Token: SeUndockPrivilege	2288	WMIC.exe
Token: SeManageVolumePrivilege	2288	WMIC.exe
Token: 33	2288	WMIC.exe
Token: 34	2288	WMIC.exe
Token: 35	2288	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2940	WMIC.exe
Token: SeSecurityPrivilege	2940	WMIC.exe
Token: SeTakeOwnershipPrivilege	2940	WMIC.exe
Token: SeLoadDriverPrivilege	2940	WMIC.exe
Token: SeSystemProfilePrivilege	2940	WMIC.exe
Token: SeSystemtimePrivilege	2940	WMIC.exe
Token: SeProfSingleProcessPrivilege	2940	WMIC.exe
Token: SeIncBasePriorityPrivilege	2940	WMIC.exe
Token: SeCreatePagefilePrivilege	2940	WMIC.exe
Token: SeBackupPrivilege	2940	WMIC.exe
Token: SeRestorePrivilege	2940	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2624	2956	app.exe	28
PID 2956 wrote to memory of 2508	2956	app.exe	29
PID 2956 wrote to memory of 2508	2956	app.exe	29
PID 2956 wrote to memory of 2508	2956	app.exe	29
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30
PID 2956 wrote to memory of 2712	2956	app.exe	30

C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\app.exe
  "C:\Users\Admin\AppData\Local\Temp\app.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\app" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1200,14899798745253865390,8326767992029446583,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\app.exe
  "C:\Users\Admin\AppData\Local\Temp\app.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\app" --mojo-platform-channel-handle=1348 --field-trial-handle=1200,14899798745253865390,8326767992029446583,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- C:\Users\Admin\AppData\Local\Temp\app.exe
  "C:\Users\Admin\AppData\Local\Temp\app.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\app" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=900 --field-trial-handle=1200,14899798745253865390,8326767992029446583,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "xcopy "C:\Users\Admin\AppData\Local\Temp\" "C:\Users\Admin/AppData/Local/Microsoft/svchostservice" /S /Y"
  2⤵
  PID:2316
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\" "C:\Users\Admin/AppData/Local/Microsoft/svchostservice" /S /Y
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:644
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:2116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1808
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
  2⤵
  PID:1944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1680
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  - Loads dropped DLL
  PID:1660
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:712
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:572
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2336
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
  2⤵
  PID:1244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:888
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:1864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2552
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2560
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2824
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:1748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:1636
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
  2⤵
  PID:1812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2312
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:644
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:2016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:780
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
  2⤵
  PID:1336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:1720
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:1104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2760
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:2736
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2520
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
  2⤵
  PID:2464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2984
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2476
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2776
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:2320
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1728
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
  2⤵
  PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:964
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:1952
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:896
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1264
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
  2⤵
  PID:1864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2440
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2980
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:2996
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2820
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
  2⤵
  PID:2992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2212
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:1096
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:1232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2412
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:1668
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
  2⤵
  PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:1608
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2604
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:3036
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:572
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
  2⤵
  PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:1856
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2320
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:644
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
  2⤵
  PID:1688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:2340
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
  2⤵
  PID:1348
- - C:\Users\Admin\kxhves.exe
    C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
    3⤵
    - Executes dropped EXE
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5dec32abfe7af3538be930035b4ddb62

SHA1
1406dcde143d081b81c5670e67dc45560ea1c86e

SHA256
aa3dd912a17dabb76cc4a21113cbb004ceced94f3f7fa310834d5ae4dc065807

SHA512
845a00efad64af367b6368109288a6fc4a6ca5640616634791f1ad44ef3ed156566ef9d0a036d1aa13d90b3c9efc89af1734e93bd64e17ee6e6dad73d35205e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
64687da037140cfdfcac9d422ad36fc7

SHA1
ab46b26084219c382fe860114e9c50919e80bd0b

SHA256
77869a880357c58aef67786ecca1d00cf0e2a1acac69273eb4d09541e405edca

SHA512
e60290b2f531392c422eb0c5f26f908bacd9391147a66491f70c6f9801aef1d8875c3aaa142dd7d59cbf4ef46c7d7dcb2ad2d8dad9ea36c605f4225daca3c4aa

Download Submit
C:\Users\Admin\AppData\Roaming\app\Local Storage\leveldb\CURRENT~RFf762240.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\kxhves.exe

Filesize
9.5MB

MD5
92399828cbb314174aee2ad3f309adba

SHA1
089017e7697a8e02a1f5c3f2d241c69037eea4c9

SHA256
53272c2bc5eb64dee769966d5c7a70df8b0ae1ac2e9c0064e9c51d2caec9c59b

SHA512
4fe075e613f5cc3985e94cca338f19166facab122b36c084f5cb66120181ad31350b393434068539dad8f4370e5e1a1c8aae45bc28f93b80ee45b593442418fc

Download Submit
\Users\Admin\kxhves.exe

Filesize
30.4MB

MD5
66c4256bfc23d0c5a67d26f03ed336b3

SHA1
160f44e0c6a101ac35da1efa3c818c33bfbb6bdb

SHA256
203a55f05216870706cf7b486428263d311c36db3811b8c6621687a93e40df46

SHA512
7a857c2933684e829ec2320be92f0a1a6e7ce3bdb14a62295d9636c44c0e74321114852c5f2cc0afaaa6989b27d19ced29ffe9b85fa6f6d156be5481fccc4866

Download Submit
memory/1176-312-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/1176-286-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/1176-287-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/1176-285-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/1176-313-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/1176-314-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/1176-283-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/1176-284-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/1176-319-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/1332-165-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1332-115-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1332-117-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/1332-158-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/1332-109-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1332-166-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1332-167-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1332-169-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1332-114-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1332-116-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1332-112-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/1332-110-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1592-309-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/1592-305-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/1592-307-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/1592-306-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/1592-310-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/1672-252-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/1672-254-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/1672-223-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/1672-224-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/1672-227-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/1672-228-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/1672-229-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2400-197-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/2400-154-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/2400-206-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/2400-155-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/2400-199-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/2400-198-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/2400-152-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/2400-185-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/2400-156-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/2400-150-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/2400-153-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/2540-203-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2540-230-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/2540-200-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/2540-201-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2540-202-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/2540-204-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2540-231-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2624-48-0x0000000077A50000-0x0000000077A51000-memory.dmp

Filesize
4KB

Download
memory/2624-1-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2640-331-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/2640-332-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2640-334-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/2640-335-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2640-336-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2640-337-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/3064-249-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/3064-250-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/3064-290-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/3064-251-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download
memory/3064-253-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/3064-281-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/3064-275-0x000007FEF3A40000-0x000007FEF43DD000-memory.dmp

Filesize
9.6MB

Download