e443fc596e951b82a800ebebf6d8ceb73c8ebd49d79e27891e7fe0e03d9eae59

Analysis

max time kernel
32s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

52.6MB
MD5

b37c85a609a3a9927fb52a185ba1ea4e
SHA1

1cab5544c2c0e7eeeb7bec84c7a83fd2a9739914
SHA256

e443fc596e951b82a800ebebf6d8ceb73c8ebd49d79e27891e7fe0e03d9eae59
SHA512

2f58378573e8c90db68153ac3f1315636089c445dfb6405995e3d3f18923656e8381a201d051fa717942a9e18b3d33b77cb53929276491c87e8ea3524a332761
SSDEEP

1572864:HSwHnqf3Gd6xdnj+YV5sz4+wE7fzqre0KAx:HSOnyo6VVN+poVx

Score

8^/10

execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3412	powershell.exe
556	powershell.exe
4868	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎ ‌.scr	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎ ‌.scr	Loader.exe

Loads dropped DLL 64 IoCs

pid	Process
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023833-705.dat	upx
behavioral2/memory/3880-709-0x00007FFAE5690000-0x00007FFAE5D68000-memory.dmp	upx
behavioral2/files/0x0007000000023482-717.dat	upx
behavioral2/memory/3880-720-0x00007FFAF6420000-0x00007FFAF642F000-memory.dmp	upx
behavioral2/files/0x000700000002344d-722.dat	upx
behavioral2/files/0x0007000000023831-726.dat	upx
behavioral2/files/0x0007000000023483-725.dat	upx
behavioral2/files/0x0007000000023481-724.dat	upx
behavioral2/files/0x0007000000023448-721.dat	upx
behavioral2/memory/3880-719-0x00007FFAF5E00000-0x00007FFAF5E25000-memory.dmp	upx
behavioral2/files/0x000700000002344a-715.dat	upx
behavioral2/memory/3880-731-0x00007FFAF5D00000-0x00007FFAF5D2D000-memory.dmp	upx
behavioral2/memory/3880-730-0x00007FFAF5DE0000-0x00007FFAF5DF9000-memory.dmp	upx
behavioral2/files/0x0007000000023838-729.dat	upx
behavioral2/files/0x0007000000023837-728.dat	upx
behavioral2/files/0x0007000000023836-727.dat	upx
behavioral2/files/0x0007000000023455-744.dat	upx
behavioral2/files/0x0007000000023453-742.dat	upx
behavioral2/files/0x0007000000023452-741.dat	upx
behavioral2/files/0x0007000000023451-740.dat	upx
behavioral2/files/0x0007000000023450-739.dat	upx
behavioral2/files/0x000700000002344f-738.dat	upx
behavioral2/files/0x000700000002344e-737.dat	upx
behavioral2/files/0x000700000002344c-736.dat	upx
behavioral2/files/0x000700000002344b-735.dat	upx
behavioral2/files/0x0007000000023449-734.dat	upx
behavioral2/files/0x0007000000023447-733.dat	upx
behavioral2/memory/3880-746-0x00007FFAF5CE0000-0x00007FFAF5CF9000-memory.dmp	upx
behavioral2/memory/3880-748-0x00007FFAF5F20000-0x00007FFAF5F2D000-memory.dmp	upx
behavioral2/memory/3880-752-0x00007FFAF5C90000-0x00007FFAF5CC5000-memory.dmp	upx
behavioral2/memory/3880-751-0x00007FFAF5CD0000-0x00007FFAF5CDD000-memory.dmp	upx
behavioral2/memory/3880-754-0x00007FFAF5C80000-0x00007FFAF5C8D000-memory.dmp	upx
behavioral2/memory/3880-756-0x00007FFAF4FF0000-0x00007FFAF5004000-memory.dmp	upx
behavioral2/memory/3880-758-0x00007FFAE5160000-0x00007FFAE5682000-memory.dmp	upx
behavioral2/memory/3880-760-0x00007FFAF1E70000-0x00007FFAF1EA3000-memory.dmp	upx
behavioral2/memory/3880-763-0x00007FFAE5090000-0x00007FFAE515D000-memory.dmp	upx
behavioral2/memory/3880-762-0x00007FFAE5690000-0x00007FFAE5D68000-memory.dmp	upx
behavioral2/memory/3880-767-0x00007FFAEC2F0000-0x00007FFAEC302000-memory.dmp	upx
behavioral2/memory/3880-766-0x00007FFAEC9C0000-0x00007FFAEC9D6000-memory.dmp	upx
behavioral2/memory/3880-769-0x00007FFAE4D70000-0x00007FFAE4E8B000-memory.dmp	upx
behavioral2/files/0x000700000002383f-770.dat	upx
behavioral2/memory/3880-772-0x00007FFAE4CE0000-0x00007FFAE4D67000-memory.dmp	upx
behavioral2/files/0x000700000002345c-776.dat	upx
behavioral2/files/0x000700000002345b-773.dat	upx
behavioral2/memory/3880-777-0x00007FFAF5CD0000-0x00007FFAF5CDD000-memory.dmp	upx
behavioral2/memory/3880-778-0x00007FFAF5660000-0x00007FFAF566B000-memory.dmp	upx
behavioral2/memory/3880-779-0x00007FFAE6FB0000-0x00007FFAE6FD7000-memory.dmp	upx
behavioral2/files/0x0007000000023499-781.dat	upx
behavioral2/memory/3880-783-0x00007FFAE6DE0000-0x00007FFAE6DF8000-memory.dmp	upx
behavioral2/memory/3880-786-0x00007FFAF4FF0000-0x00007FFAF5004000-memory.dmp	upx
behavioral2/memory/3880-799-0x00007FFAF1220000-0x00007FFAF122B000-memory.dmp	upx
behavioral2/memory/3880-798-0x00007FFAF4E00000-0x00007FFAF4E0B000-memory.dmp	upx
behavioral2/memory/3880-797-0x00007FFAF2BD0000-0x00007FFAF2BDC000-memory.dmp	upx
behavioral2/memory/3880-795-0x00007FFAE4B60000-0x00007FFAE4CD6000-memory.dmp	upx
behavioral2/files/0x000700000002341b-794.dat	upx
behavioral2/files/0x000700000002341a-792.dat	upx
behavioral2/memory/3880-796-0x00007FFAF40F0000-0x00007FFAF40FB000-memory.dmp	upx
behavioral2/memory/3880-800-0x00007FFAF1E70000-0x00007FFAF1EA3000-memory.dmp	upx
behavioral2/memory/3880-816-0x00007FFAE4AB0000-0x00007FFAE4AD9000-memory.dmp	upx
behavioral2/memory/3880-815-0x00007FFAE4820000-0x00007FFAE4A65000-memory.dmp	upx
behavioral2/memory/3880-814-0x00007FFAE4A80000-0x00007FFAE4AAE000-memory.dmp	upx
behavioral2/memory/3880-813-0x00007FFAE4AE0000-0x00007FFAE4AEC000-memory.dmp	upx
behavioral2/memory/3880-812-0x00007FFAE4AF0000-0x00007FFAE4B02000-memory.dmp	upx
behavioral2/memory/3880-811-0x00007FFAE4B10000-0x00007FFAE4B1D000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
17	discord.com
18	discord.com
22	discord.com
29	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1816	WMIC.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{5BD60E16-0CB3-41BE-B12A-FF22B96F93C3}	Loader.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3344	powershell.exe
3344	powershell.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3880	Loader.exe
3412	powershell.exe
3412	powershell.exe
556	powershell.exe
556	powershell.exe
4868	powershell.exe
4868	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3880	Loader.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeIncreaseQuotaPrivilege	4380	WMIC.exe
Token: SeSecurityPrivilege	4380	WMIC.exe
Token: SeTakeOwnershipPrivilege	4380	WMIC.exe
Token: SeLoadDriverPrivilege	4380	WMIC.exe
Token: SeSystemProfilePrivilege	4380	WMIC.exe
Token: SeSystemtimePrivilege	4380	WMIC.exe
Token: SeProfSingleProcessPrivilege	4380	WMIC.exe
Token: SeIncBasePriorityPrivilege	4380	WMIC.exe
Token: SeCreatePagefilePrivilege	4380	WMIC.exe
Token: SeBackupPrivilege	4380	WMIC.exe
Token: SeRestorePrivilege	4380	WMIC.exe
Token: SeShutdownPrivilege	4380	WMIC.exe
Token: SeDebugPrivilege	4380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4380	WMIC.exe
Token: SeRemoteShutdownPrivilege	4380	WMIC.exe
Token: SeUndockPrivilege	4380	WMIC.exe
Token: SeManageVolumePrivilege	4380	WMIC.exe
Token: 33	4380	WMIC.exe
Token: 34	4380	WMIC.exe
Token: 35	4380	WMIC.exe
Token: 36	4380	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4380	WMIC.exe
Token: SeSecurityPrivilege	4380	WMIC.exe
Token: SeTakeOwnershipPrivilege	4380	WMIC.exe
Token: SeLoadDriverPrivilege	4380	WMIC.exe
Token: SeSystemProfilePrivilege	4380	WMIC.exe
Token: SeSystemtimePrivilege	4380	WMIC.exe
Token: SeProfSingleProcessPrivilege	4380	WMIC.exe
Token: SeIncBasePriorityPrivilege	4380	WMIC.exe
Token: SeCreatePagefilePrivilege	4380	WMIC.exe
Token: SeBackupPrivilege	4380	WMIC.exe
Token: SeRestorePrivilege	4380	WMIC.exe
Token: SeShutdownPrivilege	4380	WMIC.exe
Token: SeDebugPrivilege	4380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4380	WMIC.exe
Token: SeRemoteShutdownPrivilege	4380	WMIC.exe
Token: SeUndockPrivilege	4380	WMIC.exe
Token: SeManageVolumePrivilege	4380	WMIC.exe
Token: 33	4380	WMIC.exe
Token: 34	4380	WMIC.exe
Token: 35	4380	WMIC.exe
Token: 36	4380	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1124	wmic.exe
Token: SeSecurityPrivilege	1124	wmic.exe
Token: SeTakeOwnershipPrivilege	1124	wmic.exe
Token: SeLoadDriverPrivilege	1124	wmic.exe
Token: SeSystemProfilePrivilege	1124	wmic.exe
Token: SeSystemtimePrivilege	1124	wmic.exe
Token: SeProfSingleProcessPrivilege	1124	wmic.exe
Token: SeIncBasePriorityPrivilege	1124	wmic.exe
Token: SeCreatePagefilePrivilege	1124	wmic.exe
Token: SeBackupPrivilege	1124	wmic.exe
Token: SeRestorePrivilege	1124	wmic.exe
Token: SeShutdownPrivilege	1124	wmic.exe
Token: SeDebugPrivilege	1124	wmic.exe
Token: SeSystemEnvironmentPrivilege	1124	wmic.exe
Token: SeRemoteShutdownPrivilege	1124	wmic.exe
Token: SeUndockPrivilege	1124	wmic.exe
Token: SeManageVolumePrivilege	1124	wmic.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 3880	2028	Loader.exe	86
PID 2028 wrote to memory of 3880	2028	Loader.exe	86
PID 3880 wrote to memory of 3340	3880	Loader.exe	91
PID 3880 wrote to memory of 3340	3880	Loader.exe	91
PID 3880 wrote to memory of 4888	3880	Loader.exe	92
PID 3880 wrote to memory of 4888	3880	Loader.exe	92
PID 4888 wrote to memory of 3344	4888	cmd.exe	95
PID 4888 wrote to memory of 3344	4888	cmd.exe	95
PID 3340 wrote to memory of 1636	3340	cmd.exe	96
PID 3340 wrote to memory of 1636	3340	cmd.exe	96
PID 4888 wrote to memory of 3412	4888	cmd.exe	97
PID 4888 wrote to memory of 3412	4888	cmd.exe	97
PID 3880 wrote to memory of 2092	3880	Loader.exe	98
PID 3880 wrote to memory of 2092	3880	Loader.exe	98
PID 4888 wrote to memory of 556	4888	cmd.exe	100
PID 4888 wrote to memory of 556	4888	cmd.exe	100
PID 4888 wrote to memory of 4868	4888	cmd.exe	101
PID 4888 wrote to memory of 4868	4888	cmd.exe	101
PID 3880 wrote to memory of 1928	3880	Loader.exe	103
PID 3880 wrote to memory of 1928	3880	Loader.exe	103
PID 1928 wrote to memory of 4380	1928	cmd.exe	105
PID 1928 wrote to memory of 4380	1928	cmd.exe	105
PID 3880 wrote to memory of 1124	3880	Loader.exe	106
PID 3880 wrote to memory of 1124	3880	Loader.exe	106
PID 3880 wrote to memory of 1744	3880	Loader.exe	108
PID 3880 wrote to memory of 1744	3880	Loader.exe	108
PID 1744 wrote to memory of 1816	1744	cmd.exe	110
PID 1744 wrote to memory of 1816	1744	cmd.exe	110
PID 3880 wrote to memory of 4696	3880	Loader.exe	111
PID 3880 wrote to memory of 4696	3880	Loader.exe	111
PID 4696 wrote to memory of 4468	4696	cmd.exe	113
PID 4696 wrote to memory of 4468	4696	cmd.exe	113
PID 3880 wrote to memory of 2252	3880	Loader.exe	114
PID 3880 wrote to memory of 2252	3880	Loader.exe	114
PID 2252 wrote to memory of 1012	2252	cmd.exe	116
PID 2252 wrote to memory of 1012	2252	cmd.exe	116
PID 3880 wrote to memory of 4840	3880	Loader.exe	117
PID 3880 wrote to memory of 4840	3880	Loader.exe	117
PID 4840 wrote to memory of 3624	4840	cmd.exe	119
PID 4840 wrote to memory of 3624	4840	cmd.exe	119
PID 3880 wrote to memory of 1312	3880	Loader.exe	120
PID 3880 wrote to memory of 1312	3880	Loader.exe	120
PID 1312 wrote to memory of 4084	1312	cmd.exe	122
PID 1312 wrote to memory of 4084	1312	cmd.exe	122

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1636	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎ ‌.scr"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎ ‌.scr
      4⤵
      Views/modifies file attributes
      PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4868
- - C:\Windows\SYSTEM32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4380
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path softwarelicensingservice get OA3xOriginalProductKey
      4⤵
      PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0eIqdxOl4q\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\0eIqdxOl4q\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
10KB

MD5
d9f0780e8df9e0adb12d1c4c39d6c9be

SHA1
2335d8d81c1a65d4f537553d66b70d37bc9a55b6

SHA256
e91c6bba58cf9dd76cb573f787c76f1da4481f4cbcdf5da3899cce4d3754bbe7

SHA512
7785aadb25cffdb736ce5f9ae4ca2d97b634bc969a0b0cb14815afaff4398a529a5f86327102b8005ace30c0d196b2c221384a54d7db040c08f0a01de3621d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\Cryptodome\Cipher\_raw_cfb.pyd

Filesize
10KB

MD5
24e69b6ec11c3099a0ce0f553653ffe8

SHA1
0e351eded34beecddba1f1f55fdbcf2e82388072

SHA256
9399b42e3ee1694b84a07229d4b550ae03162a2fce290ccc8910e0594eb79760

SHA512
a9373f88511bdb44079a5bb0620ff6380622be0695939c1cd3f2c3cdc9918ea6ec18f5c9d44579b4e15ea7a4d61be5c136c73a54bdd0a8c122859b3dc168698c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
9KB

MD5
768559588eef33d33d9fa64ab5ed482b

SHA1
09be733f1deed8593c20afaf04042f8370e4e82f

SHA256
57d3efc53d8c4be726597a1f3068947b895b5b8aba47fd382c600d8e72125356

SHA512
3bf9cd35906e6e408089faea9ffcdf49cc164f58522764fe9e481d41b0e9c6ff14e13b0954d2c64bb942970bbf9d94d07fce0c0d5fdbd6ca045649675ecff0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_asyncio.pyd

Filesize
37KB

MD5
694c2698ac9c44a14f835c78dd05d62f

SHA1
ade03844610394262e96c1757554955f66b17ba8

SHA256
236152a4a79c3e6caff6084fe52924c0a62584d418aea4a871f27f1a079a0d74

SHA512
047e8b3a53efacdef06ad7c984d8b13fb44f58a8efd8426f362735a11bc84b8140dd24644866db183ae0b6eda676933d4b3cdad9fa9c635cbaa5725d8ef04cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_bz2.pyd

Filesize
48KB

MD5
49003c910983478a665ad589ce1ad353

SHA1
8df335dfff61dda15333e028d5176e401435da88

SHA256
84fd70c0be8db775fb110b445680a04b5ca7e96c7f2a60c892eb2a8fb25bc4f3

SHA512
bac7ed529914c8847af54bade6cc01dd7cb95f769372ddf18644df014fc8850284ddf2ce54a13936127be410e5a9233e6a9b2a595b01c1986c4265cafe98ecf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
5225e3fc11136d4ad314367fa911a8b1

SHA1
c2cfb71d867e59f29d394131e0e6c8a2e71dee32

SHA256
08005b24e71411fc4acdb312a4558339595b1d12c6917f8d50c6166a9f122abe

SHA512
87bdeacaca87dc465de92fe8dda425560c5e6e149883113f4541f2d5ecc59f57523cde41ad48fa0081f820678182648afbf73839c249fe3f7d493dcf94e76248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_ctypes.pyd

Filesize
59KB

MD5
fb8309278746d19a8390ed44fafed32a

SHA1
e091a03d1f5f71402b2f111de274e5bceece842f

SHA256
8f53895f485c068f0cfe5b6eb2e097fbcaf0a5ecfc8388d7e29412dc745f25ab

SHA512
c970dfb8c2f32f698aeab6048446df51c7018d9ac80dbb38d9fed44338073eb4e5d88edc864f1f13ff8f63f452f2dc7db4de4a565c9ee7a8cf985e738518e4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_decimal.pyd

Filesize
105KB

MD5
e32691eee6c902a54de696759a5a3685

SHA1
b079e9944194f474746b5cd4c6922c8868c05f9d

SHA256
c99c64508ae07c048e16341fb820890c057fdee3a33072129fd7cff47d6afbf1

SHA512
e8b94d4089e4a3ca8f28ff22c87dcc65c6d3eac1ade3f3fe1089ab2a068854faa43c9b8118e0121dede582846ef5203d0d9474f52072517e927e9af88ebdf158

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_hashlib.pyd

Filesize
35KB

MD5
cd277abeef7c3f84560c0dc342ba00bf

SHA1
62b8c999d4ce3712ef6f53cafaac86165f09d04a

SHA256
47f178852941121aea11b3021c503c0de2ac54ce8b9879eef58bece8eb74d27b

SHA512
dcc333e3da99baf55174bfc40b99ffc02af7b0dbacb49fab44c12599441d09c3d33459c04662ee3f33bc365b27a49c4cf16fc2af631fd78e9263b8f0d338fda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_lzma.pyd

Filesize
86KB

MD5
a4b8532273021976c9bdc64be68c941e

SHA1
d00e20369c046ab05c8850ffb86e88a4cf578f71

SHA256
5715f629c0e7490c55c31a4d633e6f035196fff0fee32e77ea8ae731c2a3e872

SHA512
50209815497a2dc5f7cae7984b261a2e3498765a3b62af85ad68e3f8feaf5db2db526f5e55016e7b3adcb27d7eb392088db02d09126019cec775c02f38b5e2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_multiprocessing.pyd

Filesize
27KB

MD5
2e2984956878673027241d2eb5a869ab

SHA1
39d1f8a5bbff5a3761845394d4d963640e54ddfa

SHA256
d44f8e9acec42613021e730ceec7e45379507544142aa3498aee38f34ff23d3d

SHA512
6cae459e4d2cd6afb04905447164bc238070e6767352a61009093212adc87fad6a16c35d765808abfaecc39149445d2632d45dfd8bee2def6e85091e2b627fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_overlapped.pyd

Filesize
33KB

MD5
395359bc3301ef7dae609f432a899ce6

SHA1
88e91a8be6943ba9e8987026dddf77b92ac5f370

SHA256
3b944e40abc19b074001dc116a0221240449bee19cc88281bb6580db5ca8abca

SHA512
d672672ef715046293bba25481d18358c6ca6be38917dba0d3986083e5b23903ffa1a4a89f95318d5b671162763d447db269cc8f9c505ae8b668dda7c242a735

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_queue.pyd

Filesize
26KB

MD5
32f01ac2f59f0edb312ee1955c108d88

SHA1
717edab47e1bcb09cdd1459050e350dbc09eb0ad

SHA256
4a1192be590af804ee84ee9d69eb2d1fff8c967c0046a2405ab332fd82544155

SHA512
b25ca168d6e0124178d9a473bec9a8ccaeb84f4b1977b40f487d83c1049f50ff9cfc2f45fee5defde6d1b33e15b4436b85be388183846ffc400605fbed4822a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_socket.pyd

Filesize
44KB

MD5
d4fdea17b3c0d41c6a4ff4c342075a81

SHA1
c104ddb932731f1c68c3bbcefb086c9f80b1e4c8

SHA256
99cacf4675025b08ed6c9afbe667161a401065f50c84eb77e174e05d8b8bdf87

SHA512
6448703d338ba02885a2cd068d83ee3dd8bde71e457b0dc3efc63f440385175c878b6538c40ac1d99d64e258182e366d48d1ec71a94708e6f9412085b3edf2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_sqlite3.pyd

Filesize
57KB

MD5
3ba8ffea8311dbab59d72b754ed341db

SHA1
5f7d62df8b84cd437f10bb77c9aba6b5466cc4cf

SHA256
43822f6fae9006d1c639728f0687d6cecd4201b0a3635bbeb29a1993875fd144

SHA512
8b85bc88c58af79aaef765b408a9bb874cf16042fcd74b1c6f27915d81f15ee962d779bed1c8bb5eb40760edb8c52a643ddc2e49434fbcf553de71a6ecb15d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_ssl.pyd

Filesize
65KB

MD5
6500fd7e9c1aef37c40afb913257ef56

SHA1
83d3f20bc1a225b09458d65dfa82c4757bfbb868

SHA256
ddfb2c461d09d7db2244eda120a8305cfe697ea71301e7d9e3e58cd5902fe683

SHA512
cd6c0c3ae31671fc269b23a52a92e609a3e25a97b16f7d341964b6d653d65cce740a9e7dc0b23078b9f6673b617e901a06c459af96607b58bfa48e2f62f461f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_uuid.pyd

Filesize
24KB

MD5
b9e2ab3d934221a25f2ad0a8c2247f94

SHA1
af792b19b81c1d90d570bdfedbd5789bdf8b9e0c

SHA256
d462f34aca50d1f37b9ea03036c881ee4452e1fd37e1b303cd6daaecc53e260e

SHA512
9a278bfe339f3cfbd02a1bb177c3bc7a7ce36eb5b4fadaaee590834ad4d29cbe91c8c4c843263d91296500c5536df6ac98c96f59f31676cecdccf93237942a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\_wmi.pyd

Filesize
28KB

MD5
3b98c205af7ccb75893f329acb13cbe5

SHA1
ee74b314fefee8d67ced7a354d871ad17279013b

SHA256
16656429d174b4b7db307c15f7baed117b9f83dfa19f35bd69daeaf6d272f3b2

SHA512
166fc4eda8cf8ea1579d5329346e5dd261c2fdf13588d24931be8539aa9d17d550860a2be48d683846d70373f733e0702e1ad8969470c1472bf6b9678c2e2601

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\base_library.zip

Filesize
1.3MB

MD5
ccee0ea5ba04aa4fcb1d5a19e976b54f

SHA1
f7a31b2223f1579da1418f8bfe679ad5cb8a58f5

SHA256
eeb7f0b3e56b03454868411d5f62f23c1832c27270cee551b9ca7d9d10106b29

SHA512
4f29ac5df211fef941bd953c2d34cb0c769fb78475494746cb584790d9497c02be35322b0c8f5c14fe88d4dd722733eda12496db7a1200224a014043f7d59166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
9KB

MD5
e4fad9ff1b85862a6afaca2495d9f019

SHA1
0e47d7c5d4de3a1d7e3bb31bd47ea22cc4ddeac4

SHA256
e5d362766e9806e7e64709de7e0cff40e03123d821c3f30cac5bac1360e08c18

SHA512
706fb033fc2079b0aabe969bc51ccb6ffaaf1863daf0e4a83d6f13adc0fedab61cee2b63efb40f033aea22bf96886834d36f50af36e6e25b455e941c1676a30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
39KB

MD5
5c643741418d74c743ca128ff3f50646

SHA1
0b499a3228865a985d86c1199d14614096efd8a0

SHA256
2d86563fdfdc39894a53a293810744915192f3b3f40a47526551e66cdb9cb35c

SHA512
45d02b854557d8f9c25ca8136fa6d3daed24275cc77b1c98038752daed4318bd081c889ff1f4fa8a28e734c9167f477350a8fa863f61729c30c76e7a91d61a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\libcrypto-3.dll

Filesize
1.6MB

MD5
620c100eb510ef9c00a72b84f09d3243

SHA1
37687aa22aabc54deae898140ad748f158da4710

SHA256
07c64ebafd1623bc7e6a7299228d656fbb524eb7523b5082841effafb4778f52

SHA512
58f2dacf18f3c741d682c8602f9a457a1cfbdbd23bbb1c5bad434feb47617d65365d4bbbae9832271df4027e11c1d4053d88e7843dc181dc2ba2741eda7362b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\libffi-8.dll

Filesize
29KB

MD5
be8ceb4f7cb0782322f0eb52bc217797

SHA1
280a7cc8d297697f7f818e4274a7edd3b53f1e4d

SHA256
7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676

SHA512
07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\libssl-3.dll

Filesize
223KB

MD5
2c4bd4de4369f7b93b8cf03d51f984b2

SHA1
4e16f57887dd64dd0fb98adee03e7a99fc09b783

SHA256
6e35afcee97988bc8e3f861341d12e79b9178aa9eb8382b6b4aee5f2f9855c2d

SHA512
c1430148b6813d859e7fda225bc5d1fa014006b079370df9562464536f2ef91bfa50e921bedbad04fbd311b6b1cb6e64be991e1afd5f01a7dfc6dcda90a3f46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
8a8e3fdcafb2d8f07b54028edafb5b09

SHA1
9eccb4d95d1e700109e3c786713b523958b14c25

SHA256
a1a297c62345f33d3bdb7db4e4b23b3aad75057440d1218d34291b57b1538423

SHA512
a32dc4e508e0b844fa7fd1efade9af999b3bd9116bc93657d6718608b8cdee3e3b1b753ea52549d2f36a831f7bf0edd661f57693d1fa5b1b84bc0d894fcff258

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\pyexpat.pyd

Filesize
87KB

MD5
a898aaf5c33ae2d3603ef6b23b5ad6ce

SHA1
eafe0704872fa83cb98df5a5ff17169b9d316f49

SHA256
4eaf8171549df731ccb269856949bea3c4ab807ab15caefc034c248134109d43

SHA512
3fdc343a033a51ec43d027fca5a6b086382c4ca35c632e878a48a41fd66b42b0fc243c548be815f24d4402faf2b7c41fe709f34db045fcf8ac35b24a22016e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\python3.dll

Filesize
66KB

MD5
4038af0427bce296ca8f3e98591e0723

SHA1
b2975225721959d87996454d049e6d878994cbf2

SHA256
a5bb3eb6fdfd23e0d8b2e4bccd6016290c013389e06daae6cb83964fa69e2a4f

SHA512
db762442c6355512625b36f112eca6923875d10aaf6476d79dc6f6ffc9114e8c7757ac91dbcd1fb00014122bc7f656115160cf5d62fa7fa1ba70bc71346c1ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\python312.dll

Filesize
1.8MB

MD5
8adc0fbbbb68a93dfe96fe708c132b91

SHA1
51c0fcdbe7014ee9598ad60e636ac1b8b6e43752

SHA256
ec1c02b311abaa35dc81154eae43574dca0659d0e491e60dc48da424703de0e3

SHA512
edd81400def1dc96982402ae1ffae61de36d13bf156f298b46aca1191cede10e3a6df5d0a8437ef4a0ac9d750f287f74fe41bda9d405ccffc5ad32d46ff8cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\select.pyd

Filesize
25KB

MD5
d534300e1f4876a15e6ad0e06b767dab

SHA1
2ab2a1d278c8777ed14c34a56546c502084df0c8

SHA256
dfa5583b36cbfa52a138f6925156d72dd1faabcfc669cdd71a7cd7bf0269adf0

SHA512
caed8823fa8778a01ad3546b5342968d7cd149d61b9883e6c9616f6e1f06cba4144826eb4d4cc90e9471dcf1964168d7df0a90a3af92913cc5bb98ec5b416dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\sqlite3.dll

Filesize
630KB

MD5
58529c6ea8ea899b640a67cea20b825e

SHA1
b7522812d5d1df6f4bcb5bda1bcea2350461c3c0

SHA256
9e4dd283a4a2780ceb8b77bdc1b31ae61710808f8e016744791e10c0bb6282bb

SHA512
1cd64ffdb12689919bae43cbd60edaab4bbf6d92cac21b5756381964111f1128467f31bc0a34c21139d71cad50e0bd1491f4708fc4740bc92276e132d1690d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\unicodedata.pyd

Filesize
295KB

MD5
3a2242fb2e86c96f2369f3a1663d15e3

SHA1
059eb58a06fc37cf45d4c014625f94f252e57ea2

SHA256
feb706a6123bf1e86279e33039c19bd44ea4e18623f1054a4b5285b4cba82ab4

SHA512
4e6e073baf3c580db8e8e2a1b3748c306bfe2bfaead1ea841012a76f13e4d18cab3f2decb7b83978999ef28dc8af5d0946a0b3d34af1e762902cbcac03d77a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20282\zstandard\backend_c.cp312-win_amd64.pyd

Filesize
174KB

MD5
4dd9c42a89ddf77fef7aa34a71c5b480

SHA1
fc4c03ffcf81fb255b54c4f16f6ed90d5a1f37d4

SHA256
f76dc6f9ace0d356dbfdea443c3d43232342f48384f4afc7293b2ace813477e7

SHA512
02c04fa2fa1d8136730f2596740049664a4f9343fb56de195988d80151cb38e67e7fee1c140d2c5d7c439f19df377cc6e253f5178711f72b821eae3076b4e142

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsynez4n.nuj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3344-840-0x0000028236CA0000-0x0000028236CC2000-memory.dmp

Filesize
136KB

Download
memory/3344-858-0x0000028236C90000-0x0000028236C9C000-memory.dmp

Filesize
48KB

Download
memory/3344-855-0x0000028236C70000-0x0000028236C89000-memory.dmp

Filesize
100KB

Download
memory/3880-788-0x00007FFAE6DB0000-0x00007FFAE6DD4000-memory.dmp

Filesize
144KB

Download
memory/3880-730-0x00007FFAF5DE0000-0x00007FFAF5DF9000-memory.dmp

Filesize
100KB

Download
memory/3880-767-0x00007FFAEC2F0000-0x00007FFAEC302000-memory.dmp

Filesize
72KB

Download
memory/3880-766-0x00007FFAEC9C0000-0x00007FFAEC9D6000-memory.dmp

Filesize
88KB

Download
memory/3880-769-0x00007FFAE4D70000-0x00007FFAE4E8B000-memory.dmp

Filesize
1.1MB

Download
memory/3880-763-0x00007FFAE5090000-0x00007FFAE515D000-memory.dmp

Filesize
820KB

Download
memory/3880-772-0x00007FFAE4CE0000-0x00007FFAE4D67000-memory.dmp

Filesize
540KB

Download
memory/3880-760-0x00007FFAF1E70000-0x00007FFAF1EA3000-memory.dmp

Filesize
204KB

Download
memory/3880-758-0x00007FFAE5160000-0x00007FFAE5682000-memory.dmp

Filesize
5.1MB

Download
memory/3880-777-0x00007FFAF5CD0000-0x00007FFAF5CDD000-memory.dmp

Filesize
52KB

Download
memory/3880-778-0x00007FFAF5660000-0x00007FFAF566B000-memory.dmp

Filesize
44KB

Download
memory/3880-779-0x00007FFAE6FB0000-0x00007FFAE6FD7000-memory.dmp

Filesize
156KB

Download
memory/3880-756-0x00007FFAF4FF0000-0x00007FFAF5004000-memory.dmp

Filesize
80KB

Download
memory/3880-783-0x00007FFAE6DE0000-0x00007FFAE6DF8000-memory.dmp

Filesize
96KB

Download
memory/3880-786-0x00007FFAF4FF0000-0x00007FFAF5004000-memory.dmp

Filesize
80KB

Download
memory/3880-799-0x00007FFAF1220000-0x00007FFAF122B000-memory.dmp

Filesize
44KB

Download
memory/3880-798-0x00007FFAF4E00000-0x00007FFAF4E0B000-memory.dmp

Filesize
44KB

Download
memory/3880-797-0x00007FFAF2BD0000-0x00007FFAF2BDC000-memory.dmp

Filesize
48KB

Download
memory/3880-795-0x00007FFAE4B60000-0x00007FFAE4CD6000-memory.dmp

Filesize
1.5MB

Download
memory/3880-754-0x00007FFAF5C80000-0x00007FFAF5C8D000-memory.dmp

Filesize
52KB

Download
memory/3880-751-0x00007FFAF5CD0000-0x00007FFAF5CDD000-memory.dmp

Filesize
52KB

Download
memory/3880-796-0x00007FFAF40F0000-0x00007FFAF40FB000-memory.dmp

Filesize
44KB

Download
memory/3880-800-0x00007FFAF1E70000-0x00007FFAF1EA3000-memory.dmp

Filesize
204KB

Download
memory/3880-816-0x00007FFAE4AB0000-0x00007FFAE4AD9000-memory.dmp

Filesize
164KB

Download
memory/3880-815-0x00007FFAE4820000-0x00007FFAE4A65000-memory.dmp

Filesize
2.3MB

Download
memory/3880-814-0x00007FFAE4A80000-0x00007FFAE4AAE000-memory.dmp

Filesize
184KB

Download
memory/3880-813-0x00007FFAE4AE0000-0x00007FFAE4AEC000-memory.dmp

Filesize
48KB

Download
memory/3880-812-0x00007FFAE4AF0000-0x00007FFAE4B02000-memory.dmp

Filesize
72KB

Download
memory/3880-811-0x00007FFAE4B10000-0x00007FFAE4B1D000-memory.dmp

Filesize
52KB

Download
memory/3880-810-0x00007FFAE4B20000-0x00007FFAE4B2C000-memory.dmp

Filesize
48KB

Download
memory/3880-809-0x00007FFAE4B30000-0x00007FFAE4B3C000-memory.dmp

Filesize
48KB

Download
memory/3880-808-0x00007FFAE4B40000-0x00007FFAE4B4B000-memory.dmp

Filesize
44KB

Download
memory/3880-807-0x00007FFAE4B50000-0x00007FFAE4B5B000-memory.dmp

Filesize
44KB

Download
memory/3880-806-0x00007FFAE6590000-0x00007FFAE659C000-memory.dmp

Filesize
48KB

Download
memory/3880-805-0x00007FFAE65A0000-0x00007FFAE65AE000-memory.dmp

Filesize
56KB

Download
memory/3880-804-0x00007FFAE65B0000-0x00007FFAE65BC000-memory.dmp

Filesize
48KB

Download
memory/3880-803-0x00007FFAE65C0000-0x00007FFAE65CC000-memory.dmp

Filesize
48KB

Download
memory/3880-802-0x00007FFAE6FA0000-0x00007FFAE6FAB000-memory.dmp

Filesize
44KB

Download
memory/3880-801-0x00007FFAEEA40000-0x00007FFAEEA4C000-memory.dmp

Filesize
48KB

Download
memory/3880-752-0x00007FFAF5C90000-0x00007FFAF5CC5000-memory.dmp

Filesize
212KB

Download
memory/3880-748-0x00007FFAF5F20000-0x00007FFAF5F2D000-memory.dmp

Filesize
52KB

Download
memory/3880-787-0x00007FFAE5160000-0x00007FFAE5682000-memory.dmp

Filesize
5.1MB

Download
memory/3880-817-0x00007FFAE4540000-0x00007FFAE4820000-memory.dmp

Filesize
2.9MB

Download
memory/3880-818-0x00007FFAE23A0000-0x00007FFAE4493000-memory.dmp

Filesize
32.9MB

Download
memory/3880-820-0x00007FFAE44F0000-0x00007FFAE4511000-memory.dmp

Filesize
132KB

Download
memory/3880-821-0x00007FFAE4CE0000-0x00007FFAE4D67000-memory.dmp

Filesize
540KB

Download
memory/3880-823-0x00007FFAE6DE0000-0x00007FFAE6DF8000-memory.dmp

Filesize
96KB

Download
memory/3880-822-0x00007FFAE44C0000-0x00007FFAE44E2000-memory.dmp

Filesize
136KB

Download
memory/3880-826-0x00007FFAE1F80000-0x00007FFAE1FB0000-memory.dmp

Filesize
192KB

Download
memory/3880-825-0x00007FFAE1F40000-0x00007FFAE1F71000-memory.dmp

Filesize
196KB

Download
memory/3880-824-0x00007FFAE2300000-0x00007FFAE2399000-memory.dmp

Filesize
612KB

Download
memory/3880-819-0x00007FFAE4520000-0x00007FFAE4537000-memory.dmp

Filesize
92KB

Download
memory/3880-832-0x00007FFAE1DD0000-0x00007FFAE1E82000-memory.dmp

Filesize
712KB

Download
memory/3880-831-0x00007FFAE1E90000-0x00007FFAE1EA4000-memory.dmp

Filesize
80KB

Download
memory/3880-830-0x00007FFAE44A0000-0x00007FFAE44BC000-memory.dmp

Filesize
112KB

Download
memory/3880-829-0x00007FFAE1EB0000-0x00007FFAE1EC9000-memory.dmp

Filesize
100KB

Download
memory/3880-828-0x00007FFAE1ED0000-0x00007FFAE1EEA000-memory.dmp

Filesize
104KB

Download
memory/3880-827-0x00007FFAE1EF0000-0x00007FFAE1F31000-memory.dmp

Filesize
260KB

Download
memory/3880-746-0x00007FFAF5CE0000-0x00007FFAF5CF9000-memory.dmp

Filesize
100KB

Download
memory/3880-762-0x00007FFAE5690000-0x00007FFAE5D68000-memory.dmp

Filesize
6.8MB

Download
memory/3880-731-0x00007FFAF5D00000-0x00007FFAF5D2D000-memory.dmp

Filesize
180KB

Download
memory/3880-719-0x00007FFAF5E00000-0x00007FFAF5E25000-memory.dmp

Filesize
148KB

Download
memory/3880-888-0x00007FFAE4820000-0x00007FFAE4A65000-memory.dmp

Filesize
2.3MB

Download
memory/3880-720-0x00007FFAF6420000-0x00007FFAF642F000-memory.dmp

Filesize
60KB

Download
memory/3880-709-0x00007FFAE5690000-0x00007FFAE5D68000-memory.dmp

Filesize
6.8MB

Download
memory/3880-912-0x00007FFAE4540000-0x00007FFAE4820000-memory.dmp

Filesize
2.9MB

Download
memory/3880-915-0x00007FFAE5690000-0x00007FFAE5D68000-memory.dmp

Filesize
6.8MB

Download
memory/3880-937-0x00007FFAE4B60000-0x00007FFAE4CD6000-memory.dmp

Filesize
1.5MB

Download
memory/3880-935-0x00007FFAE6DE0000-0x00007FFAE6DF8000-memory.dmp

Filesize
96KB

Download
memory/3880-928-0x00007FFAE5090000-0x00007FFAE515D000-memory.dmp

Filesize
820KB

Download
memory/3880-927-0x00007FFAF1E70000-0x00007FFAF1EA3000-memory.dmp

Filesize
204KB

Download
memory/3880-926-0x00007FFAE5160000-0x00007FFAE5682000-memory.dmp

Filesize
5.1MB

Download
memory/3880-916-0x00007FFAF5E00000-0x00007FFAF5E25000-memory.dmp

Filesize
148KB

Download
memory/3880-961-0x00007FFAE5090000-0x00007FFAE515D000-memory.dmp

Filesize
820KB

Download
memory/3880-969-0x00007FFAE6DB0000-0x00007FFAE6DD4000-memory.dmp

Filesize
144KB

Download
memory/3880-991-0x00007FFAF1E70000-0x00007FFAF1EA3000-memory.dmp

Filesize
204KB

Download
memory/3880-994-0x00007FFAE4AB0000-0x00007FFAE4AD9000-memory.dmp

Filesize
164KB

Download
memory/3880-993-0x00007FFAE1F80000-0x00007FFAE1FB0000-memory.dmp

Filesize
192KB

Download
memory/3880-992-0x00007FFAE44F0000-0x00007FFAE4511000-memory.dmp

Filesize
132KB

Download
memory/3880-990-0x00007FFAEC2F0000-0x00007FFAEC302000-memory.dmp

Filesize
72KB

Download
memory/3880-989-0x00007FFAF4FF0000-0x00007FFAF5004000-memory.dmp

Filesize
80KB

Download
memory/3880-988-0x00007FFAF5C80000-0x00007FFAF5C8D000-memory.dmp

Filesize
52KB

Download
memory/3880-987-0x00007FFAF5C90000-0x00007FFAF5CC5000-memory.dmp

Filesize
212KB

Download
memory/3880-986-0x00007FFAF5CD0000-0x00007FFAF5CDD000-memory.dmp

Filesize
52KB

Download
memory/3880-985-0x00007FFAF5F20000-0x00007FFAF5F2D000-memory.dmp

Filesize
52KB

Download
memory/3880-984-0x00007FFAF5CE0000-0x00007FFAF5CF9000-memory.dmp

Filesize
100KB

Download
memory/3880-983-0x00007FFAF5D00000-0x00007FFAF5D2D000-memory.dmp

Filesize
180KB

Download
memory/3880-982-0x00007FFAF5DE0000-0x00007FFAF5DF9000-memory.dmp

Filesize
100KB

Download
memory/3880-981-0x00007FFAF6420000-0x00007FFAF642F000-memory.dmp

Filesize
60KB

Download
memory/3880-980-0x00007FFAF5E00000-0x00007FFAF5E25000-memory.dmp

Filesize
148KB

Download
memory/3880-977-0x00007FFAE65C0000-0x00007FFAE65CC000-memory.dmp

Filesize
48KB

Download
memory/3880-976-0x00007FFAE6FA0000-0x00007FFAE6FAB000-memory.dmp

Filesize
44KB

Download
memory/3880-975-0x00007FFAEEA40000-0x00007FFAEEA4C000-memory.dmp

Filesize
48KB

Download
memory/3880-974-0x00007FFAF1220000-0x00007FFAF122B000-memory.dmp

Filesize
44KB

Download
memory/3880-973-0x00007FFAF2BD0000-0x00007FFAF2BDC000-memory.dmp

Filesize
48KB

Download
memory/3880-972-0x00007FFAF40F0000-0x00007FFAF40FB000-memory.dmp

Filesize
44KB

Download
memory/3880-971-0x00007FFAF4E00000-0x00007FFAF4E0B000-memory.dmp

Filesize
44KB

Download
memory/3880-970-0x00007FFAE4B60000-0x00007FFAE4CD6000-memory.dmp

Filesize
1.5MB

Download
memory/3880-968-0x00007FFAE6DE0000-0x00007FFAE6DF8000-memory.dmp

Filesize
96KB

Download
memory/3880-967-0x00007FFAE6FB0000-0x00007FFAE6FD7000-memory.dmp

Filesize
156KB

Download
memory/3880-966-0x00007FFAF5660000-0x00007FFAF566B000-memory.dmp

Filesize
44KB

Download
memory/3880-965-0x00007FFAE4CE0000-0x00007FFAE4D67000-memory.dmp

Filesize
540KB

Download
memory/3880-964-0x00007FFAE4D70000-0x00007FFAE4E8B000-memory.dmp

Filesize
1.1MB

Download
memory/3880-962-0x00007FFAEC9C0000-0x00007FFAEC9D6000-memory.dmp

Filesize
88KB

Download
memory/3880-959-0x00007FFAE5160000-0x00007FFAE5682000-memory.dmp

Filesize
5.1MB

Download
memory/3880-948-0x00007FFAE5690000-0x00007FFAE5D68000-memory.dmp

Filesize
6.8MB

Download
memory/3880-1002-0x00007FFAE4B10000-0x00007FFAE4B1D000-memory.dmp

Filesize
52KB

Download
memory/3880-1005-0x00007FFAE4A80000-0x00007FFAE4AAE000-memory.dmp

Filesize
184KB

Download
memory/3880-1007-0x00007FFAE44C0000-0x00007FFAE44E2000-memory.dmp

Filesize
136KB

Download
memory/3880-1006-0x00007FFAE4820000-0x00007FFAE4A65000-memory.dmp

Filesize
2.3MB

Download
memory/3880-1004-0x00007FFAE4AE0000-0x00007FFAE4AEC000-memory.dmp

Filesize
48KB

Download
memory/3880-1003-0x00007FFAE4AF0000-0x00007FFAE4B02000-memory.dmp

Filesize
72KB

Download
memory/3880-1001-0x00007FFAE4B20000-0x00007FFAE4B2C000-memory.dmp

Filesize
48KB

Download
memory/3880-1000-0x00007FFAE4B30000-0x00007FFAE4B3C000-memory.dmp

Filesize
48KB

Download
memory/3880-999-0x00007FFAE4B40000-0x00007FFAE4B4B000-memory.dmp

Filesize
44KB

Download
memory/3880-998-0x00007FFAE4B50000-0x00007FFAE4B5B000-memory.dmp

Filesize
44KB

Download
memory/3880-997-0x00007FFAE6590000-0x00007FFAE659C000-memory.dmp

Filesize
48KB

Download
memory/3880-996-0x00007FFAE65A0000-0x00007FFAE65AE000-memory.dmp

Filesize
56KB

Download
memory/3880-995-0x00007FFAE65B0000-0x00007FFAE65BC000-memory.dmp

Filesize
48KB

Download
memory/3880-1008-0x00007FFAE23A0000-0x00007FFAE4493000-memory.dmp

Filesize
32.9MB

Download