cf44f5c1dc5bfccb23436149f3de5f4292fc141a9ec7f5349c5e31b2b483c176

Analysis

max time kernel
34s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x64/expections.exe
Size

49.1MB
MD5

e31a089b094ea6538148195df6ca7673
SHA1

9c6b3139d64f45907dc4cb51fdd1dc0347842f93
SHA256

2f209ea2d5c80892a323bd77a301de210026fb6d0d4bac2ea680f57830095d91
SHA512

0ae70e86ce8d5864ea6da33334343133a7bf13da2be4c19dc19ed2120d8fc0e94029d671ce9be56866c6b47d64e72ddce98ae089d0f085784a862b9523f48ec9
SSDEEP

393216:VMh9Sl6eQnIhATeD+C/pW/cRhuX9BVeZW2pRR5uH6+:M9kQI+qD+C/pWsuX/eZ4a

Score

8^/10

collection discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4420	powershell.exe
4880	powershell.exe
2008	powershell.exe
3860	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1636	cmd.exe
2532	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\expections.exe	expections.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\expections.exe	expections.exe

Loads dropped DLL 51 IoCs

pid	Process
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
21	raw.githubusercontent.com
25	discord.com
26	discord.com
33	discord.com
34	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	api.ipify.org
18	api.ipify.org
32	api.ipify.org

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral8/files/0x000700000002352f-101.dat	upx
behavioral8/memory/1092-105-0x00007FFD5E160000-0x00007FFD5E748000-memory.dmp	upx
behavioral8/files/0x0007000000023508-107.dat	upx
behavioral8/files/0x0007000000023529-114.dat	upx
behavioral8/memory/1092-115-0x00007FFD6E2A0000-0x00007FFD6E2AF000-memory.dmp	upx
behavioral8/memory/1092-113-0x00007FFD6E070000-0x00007FFD6E094000-memory.dmp	upx
behavioral8/files/0x0007000000023506-116.dat	upx
behavioral8/memory/1092-118-0x00007FFD6E050000-0x00007FFD6E069000-memory.dmp	upx
behavioral8/files/0x000700000002350b-119.dat	upx
behavioral8/memory/1092-121-0x00007FFD6DF80000-0x00007FFD6DFAD000-memory.dmp	upx
behavioral8/files/0x0007000000023528-122.dat	upx
behavioral8/files/0x000700000002352a-123.dat	upx
behavioral8/files/0x000700000002352d-124.dat	upx
behavioral8/files/0x000700000002353e-127.dat	upx
behavioral8/files/0x000700000002353d-126.dat	upx
behavioral8/files/0x0007000000023533-125.dat	upx
behavioral8/files/0x0007000000023505-129.dat	upx
behavioral8/files/0x0007000000023507-130.dat	upx
behavioral8/files/0x0007000000023509-131.dat	upx
behavioral8/files/0x000700000002350a-132.dat	upx
behavioral8/files/0x000700000002350d-134.dat	upx
behavioral8/files/0x000700000002350c-133.dat	upx
behavioral8/files/0x000700000002350e-135.dat	upx
behavioral8/files/0x000700000002350f-136.dat	upx
behavioral8/files/0x0007000000023511-138.dat	upx
behavioral8/files/0x0007000000023510-137.dat	upx
behavioral8/files/0x0007000000023512-139.dat	upx
behavioral8/memory/1092-141-0x00007FFD6DF60000-0x00007FFD6DF79000-memory.dmp	upx
behavioral8/memory/1092-143-0x00007FFD6E250000-0x00007FFD6E25D000-memory.dmp	upx
behavioral8/memory/1092-145-0x00007FFD6DF20000-0x00007FFD6DF55000-memory.dmp	upx
behavioral8/memory/1092-147-0x00007FFD6E130000-0x00007FFD6E13D000-memory.dmp	upx
behavioral8/files/0x0007000000023532-148.dat	upx
behavioral8/memory/1092-152-0x00007FFD6DEF0000-0x00007FFD6DF1E000-memory.dmp	upx
behavioral8/files/0x0007000000023531-151.dat	upx
behavioral8/memory/1092-155-0x00007FFD5E160000-0x00007FFD5E748000-memory.dmp	upx
behavioral8/memory/1092-156-0x00007FFD6DA90000-0x00007FFD6DB4C000-memory.dmp	upx
behavioral8/files/0x0007000000023541-154.dat	upx
behavioral8/memory/1092-159-0x00007FFD6DA60000-0x00007FFD6DA8B000-memory.dmp	upx
behavioral8/memory/1092-158-0x00007FFD6E070000-0x00007FFD6E094000-memory.dmp	upx
behavioral8/memory/1092-161-0x00007FFD6DA30000-0x00007FFD6DA5E000-memory.dmp	upx
behavioral8/memory/1092-164-0x00007FFD6D970000-0x00007FFD6DA28000-memory.dmp	upx
behavioral8/memory/1092-163-0x00007FFD6E050000-0x00007FFD6E069000-memory.dmp	upx
behavioral8/memory/1092-170-0x00007FFD6DF60000-0x00007FFD6DF79000-memory.dmp	upx
behavioral8/memory/1092-168-0x00007FFD5DDE0000-0x00007FFD5E155000-memory.dmp	upx
behavioral8/memory/1092-167-0x00007FFD6DF80000-0x00007FFD6DFAD000-memory.dmp	upx
behavioral8/memory/1092-173-0x00007FFD6D870000-0x00007FFD6D885000-memory.dmp	upx
behavioral8/memory/1092-172-0x00007FFD6E250000-0x00007FFD6E25D000-memory.dmp	upx
behavioral8/memory/1092-178-0x00007FFD6D6E0000-0x00007FFD6D6F2000-memory.dmp	upx
behavioral8/memory/1092-177-0x00007FFD6DF20000-0x00007FFD6DF55000-memory.dmp	upx
behavioral8/memory/1092-180-0x00007FFD6E130000-0x00007FFD6E13D000-memory.dmp	upx
behavioral8/memory/1092-181-0x00007FFD6D6B0000-0x00007FFD6D6D3000-memory.dmp	upx
behavioral8/memory/1092-184-0x00007FFD5DC60000-0x00007FFD5DDD3000-memory.dmp	upx
behavioral8/memory/1092-183-0x00007FFD6DEF0000-0x00007FFD6DF1E000-memory.dmp	upx
behavioral8/files/0x000700000002352c-185.dat	upx
behavioral8/memory/1092-187-0x00007FFD6D690000-0x00007FFD6D6A8000-memory.dmp	upx
behavioral8/memory/1092-190-0x00007FFD6D610000-0x00007FFD6D624000-memory.dmp	upx
behavioral8/memory/1092-189-0x00007FFD6DA60000-0x00007FFD6DA8B000-memory.dmp	upx
behavioral8/files/0x0007000000023518-191.dat	upx
behavioral8/memory/1092-194-0x00007FFD6DA30000-0x00007FFD6DA5E000-memory.dmp	upx
behavioral8/memory/1092-195-0x00007FFD6DEE0000-0x00007FFD6DEEB000-memory.dmp	upx
behavioral8/files/0x0007000000023519-193.dat	upx
behavioral8/memory/1092-197-0x00007FFD6D970000-0x00007FFD6DA28000-memory.dmp	upx
behavioral8/memory/1092-198-0x00007FFD6D5E0000-0x00007FFD6D606000-memory.dmp	upx
behavioral8/memory/1092-202-0x00007FFD5DB40000-0x00007FFD5DC5C000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4136	cmd.exe
1084	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4712	cmd.exe
4516	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1756	WMIC.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1084	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
2532	powershell.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
1092	expections.exe
2532	powershell.exe
4880	powershell.exe
4880	powershell.exe
2008	powershell.exe
2008	powershell.exe
3860	powershell.exe
3860	powershell.exe
4420	powershell.exe
4420	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	expections.exe
Token: SeIncreaseQuotaPrivilege	4292	WMIC.exe
Token: SeSecurityPrivilege	4292	WMIC.exe
Token: SeTakeOwnershipPrivilege	4292	WMIC.exe
Token: SeLoadDriverPrivilege	4292	WMIC.exe
Token: SeSystemProfilePrivilege	4292	WMIC.exe
Token: SeSystemtimePrivilege	4292	WMIC.exe
Token: SeProfSingleProcessPrivilege	4292	WMIC.exe
Token: SeIncBasePriorityPrivilege	4292	WMIC.exe
Token: SeCreatePagefilePrivilege	4292	WMIC.exe
Token: SeBackupPrivilege	4292	WMIC.exe
Token: SeRestorePrivilege	4292	WMIC.exe
Token: SeShutdownPrivilege	4292	WMIC.exe
Token: SeDebugPrivilege	4292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4292	WMIC.exe
Token: SeRemoteShutdownPrivilege	4292	WMIC.exe
Token: SeUndockPrivilege	4292	WMIC.exe
Token: SeManageVolumePrivilege	4292	WMIC.exe
Token: 33	4292	WMIC.exe
Token: 34	4292	WMIC.exe
Token: 35	4292	WMIC.exe
Token: 36	4292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4292	WMIC.exe
Token: SeSecurityPrivilege	4292	WMIC.exe
Token: SeTakeOwnershipPrivilege	4292	WMIC.exe
Token: SeLoadDriverPrivilege	4292	WMIC.exe
Token: SeSystemProfilePrivilege	4292	WMIC.exe
Token: SeSystemtimePrivilege	4292	WMIC.exe
Token: SeProfSingleProcessPrivilege	4292	WMIC.exe
Token: SeIncBasePriorityPrivilege	4292	WMIC.exe
Token: SeCreatePagefilePrivilege	4292	WMIC.exe
Token: SeBackupPrivilege	4292	WMIC.exe
Token: SeRestorePrivilege	4292	WMIC.exe
Token: SeShutdownPrivilege	4292	WMIC.exe
Token: SeDebugPrivilege	4292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4292	WMIC.exe
Token: SeRemoteShutdownPrivilege	4292	WMIC.exe
Token: SeUndockPrivilege	4292	WMIC.exe
Token: SeManageVolumePrivilege	4292	WMIC.exe
Token: 33	4292	WMIC.exe
Token: 34	4292	WMIC.exe
Token: 35	4292	WMIC.exe
Token: 36	4292	WMIC.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeIncreaseQuotaPrivilege	4088	WMIC.exe
Token: SeSecurityPrivilege	4088	WMIC.exe
Token: SeTakeOwnershipPrivilege	4088	WMIC.exe
Token: SeLoadDriverPrivilege	4088	WMIC.exe
Token: SeSystemProfilePrivilege	4088	WMIC.exe
Token: SeSystemtimePrivilege	4088	WMIC.exe
Token: SeProfSingleProcessPrivilege	4088	WMIC.exe
Token: SeIncBasePriorityPrivilege	4088	WMIC.exe
Token: SeCreatePagefilePrivilege	4088	WMIC.exe
Token: SeBackupPrivilege	4088	WMIC.exe
Token: SeRestorePrivilege	4088	WMIC.exe
Token: SeShutdownPrivilege	4088	WMIC.exe
Token: SeDebugPrivilege	4088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4088	WMIC.exe
Token: SeRemoteShutdownPrivilege	4088	WMIC.exe
Token: SeUndockPrivilege	4088	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1092	2380	expections.exe	82
PID 2380 wrote to memory of 1092	2380	expections.exe	82
PID 1092 wrote to memory of 4804	1092	expections.exe	83
PID 1092 wrote to memory of 4804	1092	expections.exe	83
PID 1092 wrote to memory of 2304	1092	expections.exe	85
PID 1092 wrote to memory of 2304	1092	expections.exe	85
PID 2304 wrote to memory of 4292	2304	cmd.exe	87
PID 2304 wrote to memory of 4292	2304	cmd.exe	87
PID 1092 wrote to memory of 4712	1092	expections.exe	89
PID 1092 wrote to memory of 4712	1092	expections.exe	89
PID 1092 wrote to memory of 1636	1092	expections.exe	92
PID 1092 wrote to memory of 1636	1092	expections.exe	92
PID 4712 wrote to memory of 4516	4712	cmd.exe	91
PID 4712 wrote to memory of 4516	4712	cmd.exe	91
PID 1636 wrote to memory of 2532	1636	cmd.exe	94
PID 1636 wrote to memory of 2532	1636	cmd.exe	94
PID 1092 wrote to memory of 4852	1092	expections.exe	95
PID 1092 wrote to memory of 4852	1092	expections.exe	95
PID 4852 wrote to memory of 4880	4852	cmd.exe	97
PID 4852 wrote to memory of 4880	4852	cmd.exe	97
PID 4852 wrote to memory of 2008	4852	cmd.exe	98
PID 4852 wrote to memory of 2008	4852	cmd.exe	98
PID 4852 wrote to memory of 3860	4852	cmd.exe	99
PID 4852 wrote to memory of 3860	4852	cmd.exe	99
PID 4852 wrote to memory of 4420	4852	cmd.exe	100
PID 4852 wrote to memory of 4420	4852	cmd.exe	100
PID 1092 wrote to memory of 4584	1092	expections.exe	101
PID 1092 wrote to memory of 4584	1092	expections.exe	101
PID 4584 wrote to memory of 4088	4584	cmd.exe	103
PID 4584 wrote to memory of 4088	4584	cmd.exe	103
PID 1092 wrote to memory of 1688	1092	expections.exe	104
PID 1092 wrote to memory of 1688	1092	expections.exe	104
PID 1092 wrote to memory of 3500	1092	expections.exe	106
PID 1092 wrote to memory of 3500	1092	expections.exe	106
PID 3500 wrote to memory of 1756	3500	cmd.exe	108
PID 3500 wrote to memory of 1756	3500	cmd.exe	108
PID 1092 wrote to memory of 4444	1092	expections.exe	109
PID 1092 wrote to memory of 4444	1092	expections.exe	109
PID 4444 wrote to memory of 952	4444	cmd.exe	111
PID 4444 wrote to memory of 952	4444	cmd.exe	111
PID 1092 wrote to memory of 1384	1092	expections.exe	112
PID 1092 wrote to memory of 1384	1092	expections.exe	112
PID 1384 wrote to memory of 2280	1384	cmd.exe	114
PID 1384 wrote to memory of 2280	1384	cmd.exe	114
PID 1092 wrote to memory of 4136	1092	expections.exe	118
PID 1092 wrote to memory of 4136	1092	expections.exe	118
PID 4136 wrote to memory of 1084	4136	cmd.exe	120
PID 4136 wrote to memory of 1084	4136	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\x64\expections.exe
"C:\Users\Admin\AppData\Local\Temp\x64\expections.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\x64\expections.exe
  "C:\Users\Admin\AppData\Local\Temp\x64\expections.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4088
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\x64\expections.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Kuzf1qnnIk\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kuzf1qnnIk\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
9KB

MD5
1a48e6e2a3243a0e38996e61f9f61a68

SHA1
488a1aa38cd3c068bdf24b96234a12232007616c

SHA256
c7b01a0290bc43910ee776bd90de05e37b77f5bd33feaf7d38f4c362e255e061

SHA512
d7acd779b7cab5577289511f137dc664966fcaac39748e33ca4d266a785b17766106944df21c8f2452fd28e008529f3e0097282ad3c69f1069a93df25c6da764

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\VCRUNTIME140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_asyncio.pyd

Filesize
34KB

MD5
b42a92003d73446d40da16e0f4d9f5ee

SHA1
3742fb1b2302864181d1568e3526aa63bd7db2c5

SHA256
6b12b8a4a3cdc802e53918ad30296fb4c9da639595463eb6249406e9256ffaa3

SHA512
7fd42f1aa5c96fcc1f5ed7289d4f9a1845174e47112dfa95ebbb23e22ab7ef93ad537f1b5dc9415ba78d71a84bcbeac35d9f27f202c4cd81d855907e1d90f91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_bz2.pyd

Filesize
46KB

MD5
81578115dd99002ccdd4095b1152db1b

SHA1
e497a0761f2ac9eeba50e78e2d2f4c2349babcf2

SHA256
27b6bf8412d7b660939f31aeedd87585878470b7586a4361f0dccdadd7d64b45

SHA512
b468f71b15cf92164cee6b81bd840864d1d795b86ba3fb33317c4ec89959d5f10b62530a4edf8960e93741af54500a062c0713ab3a0d9ff929e6389633538796

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
c1cd1d53ddfe5033a341f0c2051c4357

SHA1
b205344ada67dc82d208baf2d6b9cda4a497abea

SHA256
44381ffef40a5e344ca951de08f13fb4e25096c240d965acfaa47221b9f9ef52

SHA512
d4f509cfb8fa1f044ff4b0b55c5298ead40fd635cfb5a6c7d779a66eeb5f52d3e30a5b3e61507f2891e9ef1070e0c8eea1b698b680048fbb7cb5f15f4e26d309

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_ctypes.pyd

Filesize
57KB

MD5
87e8cc70c59737ce8e248a35550086e6

SHA1
082b43a944ca3739602d0edf96e37784d32fc509

SHA256
e8a40dfc0d412329d8192d78bcd3d12199ef3551b61dcfa3eb852f86ac49a493

SHA512
d418f1cf437f4dd8797bedc7b909d2433ea03fecaadb34135db13d0eb34b9b16aedd1c340c4a5670fb05df420636a83ab704c0432a605cf5e95e9ebe87ef2a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_decimal.pyd

Filesize
104KB

MD5
82ae89cf9d47eda296253e6a4b3bacd8

SHA1
5b593f3d8afe484b0afec866643b26b14cfef05b

SHA256
5dbd333752ed7a1767c8b67d3a6d36ff141b8752dfbdd70386341b4f55fae3dd

SHA512
245c6fd4a64c17e7936ad9a84299a7f5c4ef93ac2b1dcb86cccb10a7d51e443c3afd47822eb3962d37292015c34cef76f394c41b680b154ed18223b2e20c32f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_hashlib.pyd

Filesize
33KB

MD5
44288ccbdf7e9b62b2b8b7c03257a8e8

SHA1
fe70c375cc865a5abcee331c069d4899604cfe1a

SHA256
d7cd29693e5632ee2e91b1f323b8eb5c20b65116e32c918a42c0da6256d83f9d

SHA512
ab517968ac5662221cb0b52d17a05211c601af17704c625c2f6d4fbce33b20f26a041a86707450297f1f3a4384589223cd8be7a482a7c37a516a2957dade0aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_lzma.pyd

Filesize
84KB

MD5
351034ddaaf1234458e65b90c4189eb3

SHA1
246dc4c5011f9cb2b0c85e453f9276190a1b6c6e

SHA256
3af3703e458370997679dca6c2241a1fa1c799248c4e092e614e2c103690d23b

SHA512
18f110d73cf876638b72e2a877059f52e4cef4e2c2ff877b1bdd21747364f9f5a339a6d349a941e0a0fefa98e3e34ce5689a66caa1378f3c3ebcdf607a87eb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_multiprocessing.pyd

Filesize
25KB

MD5
d629edf1d6af8567aea57dab640b4174

SHA1
f920e358c0c429e87fe9ba4f34d8fd89996e82ea

SHA256
2487e57feac587a079879325fd447a48731ebd9c311e8553fd2a5dd60864068a

SHA512
29218a3adfe1d4a0a4bf6c22bf55d189e0836b45efad96b7a8eeede379e6918599c90a4c4c5185309e5991710b2162ec9e2c9fa50a62e31aaace380dfa7c03df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_overlapped.pyd

Filesize
30KB

MD5
490665d832ff3c369fe9fc5aa9381288

SHA1
d5575d0ae9bcba972ecd928762db79f39f843ecf

SHA256
a5a1152e8ea3e16fe5bd5649216e36680a2afc03a1cf4c53c95c61db853375aa

SHA512
57124e754b112059219d4771d055f113e9af3d8086ab3b330ff0828224a82924f08fa863f009c653a789194bd93bfd4139cf0aad0d39c3896b3c15cbba754e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_queue.pyd

Filesize
24KB

MD5
7ae2d836bf4420edc6a1213912074fcb

SHA1
bb9c4d90cc380c53082f77378f9f0ad2521efd6c

SHA256
4cd5f1721cb141f2b1cf79ed22b3fa873ff626b709c51f1d8b5f724ebe6533bc

SHA512
ed3785ec37deffdba391563daffde38af7dc33c2f2ff00b6420a04c7f99c9536168c9cc83fffa443948aa2c764fbd6ccd1b24dde3f7e51680225729e54b4e4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_socket.pyd

Filesize
41KB

MD5
66ae8b5b160df4abffaf34c40adfe96b

SHA1
c86be1817815da8bc105a4b5dc49de61ef205577

SHA256
f87523cbfb071062d1988267373f8b66195a29e102d03c2e119f2f94e66b1f94

SHA512
5e1ca8e4214572422062d60f52746d57f2f55da2b39d73a4e108005859812f10c1bc40b8ac68019154c927427e43c76b7a6bff77a57c915b1122738c5a1264d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_sqlite3.pyd

Filesize
54KB

MD5
2d78ce9e29b899cfca2684baacde5b25

SHA1
3c36b7ed168359a4c4375f0ae0141856cfa85203

SHA256
6d9f1d418adb30f53fb646848c16787b05ba6d9dffa22597d03bc2e49e80f3be

SHA512
15a62a0008f3749125dbc07ec3558bc7724e77e2ffa12989e6c4207e3f61ce01d7a0d715afc78057767593a8947449de087edb5a954a8ac5bdfb946d0fdee5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_ssl.pyd

Filesize
60KB

MD5
917d1f89ffc7034efd9e8b6735315f01

SHA1
873d7aea27390959988cd4ff9f5206339a6694ea

SHA256
98818be47ef29fb5a3e7a774ace378fdb0b5822d7e877f0071f6b0654557b2b8

SHA512
744f2a85c16a0bfe54299898728c8bf3d8984ceb693fee5b0e6de9dd4fc5ea66b58633c599b0dc67022c916b99ce17a4b86430215c8973336df94c8debf508eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\_uuid.pyd

Filesize
21KB

MD5
81d18c8d2dbd64bf5518d9d389c18e37

SHA1
28f240ab3b5d23c5148aaff2752d1c93b9a82580

SHA256
3e59b1b0e920a492ceda8785d8e1a61cdcb392b9e68a79011024f0a2af36fb7a

SHA512
7dd9635189be0ff4991ea733a45ca166d98314f305da22da1589119cd7009ff25e12057303371b863a70fb1baaa7a8b05c9ac5178cea4c812532d281ebacaaa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\charset_normalizer\md.cp311-win_amd64.pyd

Filesize
9KB

MD5
3275f09e1d0e6b62848142457e500909

SHA1
a7d85bc1b3edd7cf26c88c5730105788702fe260

SHA256
cce797bfba0afdac27705a11f04427092c5c9f5ea14b7da329c2b76904ff3e2f

SHA512
6651c3c2cf301d885f1821c8b626b13f723f3b3936d99785ad84b9ea2779115c724cfcae9ed1ec87589719779d971a692c4034c9e149108b493de930f395286c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Filesize
39KB

MD5
4261454f3bd706539298b0cf68f4fc74

SHA1
d1a3e574fe1fa93e7b3d2ff73198c62036b9ccec

SHA256
9ffc8239c0c136b090ab7bf16590198151aa5fd66a24f063bc9949bc9c213a93

SHA512
e71077f6559d110cefe4a3c034dda3c16208fdaafd8598a41f4175f26c31cd8592df76228f2c3fe97cf368854aa463e5e64f254b9291df0e7717c5ad28fe22fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\libcrypto-1_1.dll

Filesize
1.1MB

MD5
5ce966f78ba43eaccd0cc578ac78e6d8

SHA1
565743321bfd39126616296816b157cd520ba28f

SHA256
d47d421807495984d611c6f80d3be0d15568bce8a313df6a97cd862ba0524a0d

SHA512
204e54c2d45ef92d940c55f37dbc298e8861c3654ae978582637120d29ff141c184c7ec1b8658aeaa8341d8bf9157ad29b6f6187d5c8a019b56e3b7643037a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\libffi-8.dll

Filesize
24KB

MD5
cf6316144d6f3b5884f423b1ac6c3907

SHA1
6e05f6b2772230a8a7636fa5db81958fba5b28d4

SHA256
4022e7cf1dab9d68511b7235aa3a26aacf267ff23c30319f59b351b058691dc4

SHA512
f411aaacdbbd3b2aaf1c969c697b281c00922c43e7b4dee2c1f237f468bbf273f455bc11820c2ad0289efaa2f525920bcfa63d503e089322cc232717f8ad9d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\libssl-1_1.dll

Filesize
203KB

MD5
5bdcdfe8f74e6b1022224daea45e00dc

SHA1
1519130c894561067c5e146129ad9026da6a8f4d

SHA256
bfe8550987814eb740d4dc8321a52fc97582166541395bb802307b96a151baac

SHA512
276f4dac162fedc95a6a3924d7939ac9754a6738c0a487dc17ae1c148a7960fa47fd356f8bbff1c903624b1d631f5bbc27e7e51da0a79c99342be935eb5b8c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
d2ab09582b4c649abf814cdce5d34701

SHA1
b7a3ebd6ff94710cf527baf0bb920b42d4055649

SHA256
571115cca942bc76010b379df5d28afcb0f0d0de65a3bac89a95c6a86838b983

SHA512
022ccaeb99dc08997d917f85c6bc3aefdad5074c995008942a2f35f46ba07d73bb5bc7bc971ec71cb0e60dcb096b2c990866fe29c57670d069e7bdc3b14f6172

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\pyexpat.pyd

Filesize
86KB

MD5
562cfdd2aea820c6721e6e1c6de927eb

SHA1
bdbf3f8b92a2eb12b8134be08a2fcd795a32ef25

SHA256
250b2e7962e2533bdc112346bbc5c5f66a574af0b87e18f261f48ef8cee3f1a5

SHA512
24df40a620fba22c5c0e3230bfb0eff617a905e134fe810a60020bd8db42032d848ebf5034267f181918cab8f754f826d4e17cb461b45a32ea59ded924a4d0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\python311.dll

Filesize
1.6MB

MD5
527923fc1de5a440980010ea5a4aaba1

SHA1
ab2b5659b82a014e0804ab1a69412a465ae37d49

SHA256
d94637faaa6d0dbd87c7ad6193831af4553648f4c3024a8a8d8adf549f516c91

SHA512
51a67b02e49a36d11828831f334f4242dfa1c0ac557ed50892b5a7f4d6ff153edab5458c312e57d80ed1b40434037c75c9e933ccbf4a187ec57685bdb42cdfb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\pywin32_system32\pythoncom311.dll

Filesize
193KB

MD5
6aeb23912e08d018d7f32a28127e5494

SHA1
27e6c869b7b24757f7cb18ee2925d5e74024e8e2

SHA256
e1e3b7040846de45406e96585fc2baaca1853efcdf4fd402909a0b7f78d1ed7a

SHA512
4c24dae64a49b11af61882570607ad7d14ac794799904951221bf5c82b503768d018d13e24d1c66f70a43d0d900c596d60870eb26244812191a1d1ed36ba469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\pywin32_system32\pywintypes311.dll

Filesize
62KB

MD5
51771d430061cf437733c45dd877d20d

SHA1
56d61b080e7c943978a43af77fef30c21d7b7455

SHA256
79e3a80f9d6a44d7cb466b51e6e23a862d8c1908a0cb32f9996ea6ebbfc12aa8

SHA512
3b30cfff85157167af8c6eb3d83547f03c9cea93fe796243451484a2f74b510fd8246639832cbb286be0019295e1a575dd69543b956393cac5b953ee52882de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\select.pyd

Filesize
24KB

MD5
9897d23e1dd3ebb9706d922160986806

SHA1
0e319352d8e7d4c3e68392b78417867dfcbaa41f

SHA256
d0a86b39b06741b3628211a5740d9b5a4719cd75b8876967776d6e4d433cf41d

SHA512
25bfa6cec4897094165d99fa888796897510c0ecaa05fae2992b469a7e035832b0c68789b9ca16e84a86cc09278a814539fdc5ec0b89f5efd66e61628cc165e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\sqlite3.dll

Filesize
608KB

MD5
20eb3b9f1713fc51d7b5fc7847786963

SHA1
d74ac2a3eaa387bd6698289a74622f0e7c2eb65d

SHA256
6edb12716ffbbbb17a5414c9366d66ebfdb172981261f7ca5be57cc81de57ebc

SHA512
7b566c98b1de0037ca0e3fb92a4e7b7338ed474a7e07789c544fc652cd24cff0c5c5b0856d4c95bbe46b59cdd942df49fa8a9322cdfa2777c148a9db805ed0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\unicodedata.pyd

Filesize
293KB

MD5
dbd7fc132fc99e953dffc746d996bc0d

SHA1
b8dfa120d81a6ec16bd152f84defbb3e2778f30b

SHA256
c2a740708514d5be94e69db82a82c82df7fc82cee4bd066249d6adce833a8656

SHA512
ce4fa63de7abbef0b28f6fe80fcff64211c650695a7f54eb1a3bb9fd8d8d11174e2ffc9c34b7e8176b4d6cac1eadff3e25e4be1d58e9646f546b3b2afa3f7721

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\win32\win32api.pyd

Filesize
48KB

MD5
d054b5a8a6f8cbcb6e3d339cc5b4fe97

SHA1
410c291809844c411324b5935b3dd11b1a718fe4

SHA256
03d2f3a3a0ed71a3a929c44aa6cd3cbd6543e9c1a490aa1ce079dacff7f7dfe5

SHA512
004b51f3c11a2571fa62f8d8601351f8529125c5e5b2ebcd816aa5295c2d0b133edad7778d7f22d722e6f8a5e09391ae4e37eb5dfb86887cb7ba322b75ed686b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_du0egk1y.ptd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1092-212-0x00007FFD5DC60000-0x00007FFD5DDD3000-memory.dmp

Filesize
1.4MB

Download
memory/1092-231-0x00007FFD5D8B0000-0x00007FFD5DB33000-memory.dmp

Filesize
2.5MB

Download
memory/1092-155-0x00007FFD5E160000-0x00007FFD5E748000-memory.dmp

Filesize
5.9MB

Download
memory/1092-156-0x00007FFD6DA90000-0x00007FFD6DB4C000-memory.dmp

Filesize
752KB

Download
memory/1092-147-0x00007FFD6E130000-0x00007FFD6E13D000-memory.dmp

Filesize
52KB

Download
memory/1092-159-0x00007FFD6DA60000-0x00007FFD6DA8B000-memory.dmp

Filesize
172KB

Download
memory/1092-158-0x00007FFD6E070000-0x00007FFD6E094000-memory.dmp

Filesize
144KB

Download
memory/1092-161-0x00007FFD6DA30000-0x00007FFD6DA5E000-memory.dmp

Filesize
184KB

Download
memory/1092-164-0x00007FFD6D970000-0x00007FFD6DA28000-memory.dmp

Filesize
736KB

Download
memory/1092-163-0x00007FFD6E050000-0x00007FFD6E069000-memory.dmp

Filesize
100KB

Download
memory/1092-169-0x0000016A050D0000-0x0000016A05445000-memory.dmp

Filesize
3.5MB

Download
memory/1092-170-0x00007FFD6DF60000-0x00007FFD6DF79000-memory.dmp

Filesize
100KB

Download
memory/1092-168-0x00007FFD5DDE0000-0x00007FFD5E155000-memory.dmp

Filesize
3.5MB

Download
memory/1092-167-0x00007FFD6DF80000-0x00007FFD6DFAD000-memory.dmp

Filesize
180KB

Download
memory/1092-173-0x00007FFD6D870000-0x00007FFD6D885000-memory.dmp

Filesize
84KB

Download
memory/1092-172-0x00007FFD6E250000-0x00007FFD6E25D000-memory.dmp

Filesize
52KB

Download
memory/1092-178-0x00007FFD6D6E0000-0x00007FFD6D6F2000-memory.dmp

Filesize
72KB

Download
memory/1092-177-0x00007FFD6DF20000-0x00007FFD6DF55000-memory.dmp

Filesize
212KB

Download
memory/1092-180-0x00007FFD6E130000-0x00007FFD6E13D000-memory.dmp

Filesize
52KB

Download
memory/1092-181-0x00007FFD6D6B0000-0x00007FFD6D6D3000-memory.dmp

Filesize
140KB

Download
memory/1092-184-0x00007FFD5DC60000-0x00007FFD5DDD3000-memory.dmp

Filesize
1.4MB

Download
memory/1092-183-0x00007FFD6DEF0000-0x00007FFD6DF1E000-memory.dmp

Filesize
184KB

Download
memory/1092-145-0x00007FFD6DF20000-0x00007FFD6DF55000-memory.dmp

Filesize
212KB

Download
memory/1092-187-0x00007FFD6D690000-0x00007FFD6D6A8000-memory.dmp

Filesize
96KB

Download
memory/1092-190-0x00007FFD6D610000-0x00007FFD6D624000-memory.dmp

Filesize
80KB

Download
memory/1092-189-0x00007FFD6DA60000-0x00007FFD6DA8B000-memory.dmp

Filesize
172KB

Download
memory/1092-143-0x00007FFD6E250000-0x00007FFD6E25D000-memory.dmp

Filesize
52KB

Download
memory/1092-194-0x00007FFD6DA30000-0x00007FFD6DA5E000-memory.dmp

Filesize
184KB

Download
memory/1092-195-0x00007FFD6DEE0000-0x00007FFD6DEEB000-memory.dmp

Filesize
44KB

Download
memory/1092-141-0x00007FFD6DF60000-0x00007FFD6DF79000-memory.dmp

Filesize
100KB

Download
memory/1092-197-0x00007FFD6D970000-0x00007FFD6DA28000-memory.dmp

Filesize
736KB

Download
memory/1092-198-0x00007FFD6D5E0000-0x00007FFD6D606000-memory.dmp

Filesize
152KB

Download
memory/1092-202-0x00007FFD5DB40000-0x00007FFD5DC5C000-memory.dmp

Filesize
1.1MB

Download
memory/1092-201-0x0000016A050D0000-0x0000016A05445000-memory.dmp

Filesize
3.5MB

Download
memory/1092-200-0x00007FFD5DDE0000-0x00007FFD5E155000-memory.dmp

Filesize
3.5MB

Download
memory/1092-204-0x00007FFD6D5A0000-0x00007FFD6D5D8000-memory.dmp

Filesize
224KB

Download
memory/1092-121-0x00007FFD6DF80000-0x00007FFD6DFAD000-memory.dmp

Filesize
180KB

Download
memory/1092-208-0x00007FFD6DD60000-0x00007FFD6DD6B000-memory.dmp

Filesize
44KB

Download
memory/1092-207-0x00007FFD6D870000-0x00007FFD6D885000-memory.dmp

Filesize
84KB

Download
memory/1092-209-0x00007FFD6DB90000-0x00007FFD6DB9B000-memory.dmp

Filesize
44KB

Download
memory/1092-210-0x00007FFD6D6B0000-0x00007FFD6D6D3000-memory.dmp

Filesize
140KB

Download
memory/1092-211-0x00007FFD6D960000-0x00007FFD6D96C000-memory.dmp

Filesize
48KB

Download
memory/1092-118-0x00007FFD6E050000-0x00007FFD6E069000-memory.dmp

Filesize
100KB

Download
memory/1092-213-0x00007FFD6D860000-0x00007FFD6D86B000-memory.dmp

Filesize
44KB

Download
memory/1092-215-0x00007FFD6D680000-0x00007FFD6D68C000-memory.dmp

Filesize
48KB

Download
memory/1092-214-0x00007FFD6D690000-0x00007FFD6D6A8000-memory.dmp

Filesize
96KB

Download
memory/1092-217-0x00007FFD6D580000-0x00007FFD6D58C000-memory.dmp

Filesize
48KB

Download
memory/1092-216-0x00007FFD6D590000-0x00007FFD6D59B000-memory.dmp

Filesize
44KB

Download
memory/1092-218-0x00007FFD6D5E0000-0x00007FFD6D606000-memory.dmp

Filesize
152KB

Download
memory/1092-219-0x00007FFD6D570000-0x00007FFD6D57C000-memory.dmp

Filesize
48KB

Download
memory/1092-220-0x00007FFD6D560000-0x00007FFD6D56E000-memory.dmp

Filesize
56KB

Download
memory/1092-222-0x00007FFD6D550000-0x00007FFD6D55C000-memory.dmp

Filesize
48KB

Download
memory/1092-221-0x00007FFD6D5A0000-0x00007FFD6D5D8000-memory.dmp

Filesize
224KB

Download
memory/1092-223-0x00007FFD6D540000-0x00007FFD6D54B000-memory.dmp

Filesize
44KB

Download
memory/1092-224-0x00007FFD6D530000-0x00007FFD6D53B000-memory.dmp

Filesize
44KB

Download
memory/1092-226-0x00007FFD6D510000-0x00007FFD6D51C000-memory.dmp

Filesize
48KB

Download
memory/1092-225-0x00007FFD6D520000-0x00007FFD6D52C000-memory.dmp

Filesize
48KB

Download
memory/1092-227-0x00007FFD6D500000-0x00007FFD6D50D000-memory.dmp

Filesize
52KB

Download
memory/1092-228-0x00007FFD6D4E0000-0x00007FFD6D4F2000-memory.dmp

Filesize
72KB

Download
memory/1092-230-0x00007FFD6D4B0000-0x00007FFD6D4BC000-memory.dmp

Filesize
48KB

Download
memory/1092-229-0x00007FFD6D580000-0x00007FFD6D58C000-memory.dmp

Filesize
48KB

Download
memory/1092-152-0x00007FFD6DEF0000-0x00007FFD6DF1E000-memory.dmp

Filesize
184KB

Download
memory/1092-234-0x00007FFD6D390000-0x00007FFD6D3B9000-memory.dmp

Filesize
164KB

Download
memory/1092-233-0x00007FFD6D550000-0x00007FFD6D55C000-memory.dmp

Filesize
48KB

Download
memory/1092-232-0x00007FFD6D3C0000-0x00007FFD6D3CA000-memory.dmp

Filesize
40KB

Download
memory/1092-375-0x00007FFD5D8B0000-0x00007FFD5DB33000-memory.dmp

Filesize
2.5MB

Download
memory/1092-113-0x00007FFD6E070000-0x00007FFD6E094000-memory.dmp

Filesize
144KB

Download
memory/1092-376-0x00007FFD6D3C0000-0x00007FFD6D3CA000-memory.dmp

Filesize
40KB

Download
memory/1092-377-0x00007FFD6D390000-0x00007FFD6D3B9000-memory.dmp

Filesize
164KB

Download
memory/1092-297-0x00007FFD6D530000-0x00007FFD6D53B000-memory.dmp

Filesize
44KB

Download
memory/1092-115-0x00007FFD6E2A0000-0x00007FFD6E2AF000-memory.dmp

Filesize
60KB

Download
memory/1092-105-0x00007FFD5E160000-0x00007FFD5E748000-memory.dmp

Filesize
5.9MB

Download
memory/1092-321-0x00007FFD6D520000-0x00007FFD6D52C000-memory.dmp

Filesize
48KB

Download
memory/1092-322-0x00007FFD6D510000-0x00007FFD6D51C000-memory.dmp

Filesize
48KB

Download
memory/1092-325-0x00007FFD6D1F0000-0x00007FFD6D1FF000-memory.dmp

Filesize
60KB

Download
memory/1092-324-0x00007FFD6D500000-0x00007FFD6D50D000-memory.dmp

Filesize
52KB

Download
memory/1092-328-0x00007FFD6D4E0000-0x00007FFD6D4F2000-memory.dmp

Filesize
72KB

Download
memory/1092-344-0x00007FFD5DDE0000-0x00007FFD5E155000-memory.dmp

Filesize
3.5MB

Download
memory/1092-359-0x00007FFD6E050000-0x00007FFD6E069000-memory.dmp

Filesize
100KB

Download
memory/1092-358-0x00007FFD6E2A0000-0x00007FFD6E2AF000-memory.dmp

Filesize
60KB

Download
memory/1092-356-0x00007FFD6DB90000-0x00007FFD6DB9B000-memory.dmp

Filesize
44KB

Download
memory/1092-355-0x00007FFD6DD60000-0x00007FFD6DD6B000-memory.dmp

Filesize
44KB

Download
memory/1092-354-0x00007FFD6D5A0000-0x00007FFD6D5D8000-memory.dmp

Filesize
224KB

Download
memory/1092-352-0x00007FFD6D5E0000-0x00007FFD6D606000-memory.dmp

Filesize
152KB

Download
memory/1092-351-0x00007FFD6DEE0000-0x00007FFD6DEEB000-memory.dmp

Filesize
44KB

Download
memory/1092-350-0x00007FFD6D610000-0x00007FFD6D624000-memory.dmp

Filesize
80KB

Download
memory/1092-349-0x00007FFD6D690000-0x00007FFD6D6A8000-memory.dmp

Filesize
96KB

Download
memory/1092-348-0x00007FFD5DC60000-0x00007FFD5DDD3000-memory.dmp

Filesize
1.4MB

Download
memory/1092-347-0x00007FFD6D6B0000-0x00007FFD6D6D3000-memory.dmp

Filesize
140KB

Download
memory/1092-346-0x00007FFD6D6E0000-0x00007FFD6D6F2000-memory.dmp

Filesize
72KB

Download
memory/1092-345-0x00007FFD6D870000-0x00007FFD6D885000-memory.dmp

Filesize
84KB

Download
memory/1092-343-0x00007FFD6D970000-0x00007FFD6DA28000-memory.dmp

Filesize
736KB

Download
memory/1092-342-0x00007FFD6DA30000-0x00007FFD6DA5E000-memory.dmp

Filesize
184KB

Download
memory/1092-340-0x00007FFD6DA90000-0x00007FFD6DB4C000-memory.dmp

Filesize
752KB

Download
memory/1092-339-0x00007FFD6DEF0000-0x00007FFD6DF1E000-memory.dmp

Filesize
184KB

Download
memory/1092-338-0x00007FFD6E130000-0x00007FFD6E13D000-memory.dmp

Filesize
52KB

Download
memory/1092-337-0x00007FFD6DF20000-0x00007FFD6DF55000-memory.dmp

Filesize
212KB

Download
memory/1092-336-0x00007FFD6E250000-0x00007FFD6E25D000-memory.dmp

Filesize
52KB

Download
memory/1092-335-0x00007FFD6DF60000-0x00007FFD6DF79000-memory.dmp

Filesize
100KB

Download
memory/1092-334-0x00007FFD6DF80000-0x00007FFD6DFAD000-memory.dmp

Filesize
180KB

Download
memory/1092-353-0x00007FFD5DB40000-0x00007FFD5DC5C000-memory.dmp

Filesize
1.1MB

Download
memory/1092-357-0x00007FFD6E070000-0x00007FFD6E094000-memory.dmp

Filesize
144KB

Download
memory/1092-341-0x00007FFD6DA60000-0x00007FFD6DA8B000-memory.dmp

Filesize
172KB

Download
memory/1092-330-0x00007FFD5E160000-0x00007FFD5E748000-memory.dmp

Filesize
5.9MB

Download
memory/1092-366-0x00007FFD6D560000-0x00007FFD6D56E000-memory.dmp

Filesize
56KB

Download
memory/1092-367-0x00007FFD6D550000-0x00007FFD6D55C000-memory.dmp

Filesize
48KB

Download
memory/1092-365-0x00007FFD6D570000-0x00007FFD6D57C000-memory.dmp

Filesize
48KB

Download
memory/1092-364-0x00007FFD6D590000-0x00007FFD6D59B000-memory.dmp

Filesize
44KB

Download
memory/1092-363-0x00007FFD6D680000-0x00007FFD6D68C000-memory.dmp

Filesize
48KB

Download
memory/1092-362-0x00007FFD6D860000-0x00007FFD6D86B000-memory.dmp

Filesize
44KB

Download
memory/1092-361-0x00007FFD6D960000-0x00007FFD6D96C000-memory.dmp

Filesize
48KB

Download
memory/1092-360-0x00007FFD6D580000-0x00007FFD6D58C000-memory.dmp

Filesize
48KB

Download
memory/1092-373-0x00007FFD6D4E0000-0x00007FFD6D4F2000-memory.dmp

Filesize
72KB

Download
memory/1092-372-0x00007FFD6D500000-0x00007FFD6D50D000-memory.dmp

Filesize
52KB

Download
memory/1092-371-0x00007FFD6D510000-0x00007FFD6D51C000-memory.dmp

Filesize
48KB

Download
memory/1092-370-0x00007FFD6D520000-0x00007FFD6D52C000-memory.dmp

Filesize
48KB

Download
memory/1092-369-0x00007FFD6D530000-0x00007FFD6D53B000-memory.dmp

Filesize
44KB

Download
memory/1092-368-0x00007FFD6D540000-0x00007FFD6D54B000-memory.dmp

Filesize
44KB

Download
memory/1092-374-0x00007FFD6D4B0000-0x00007FFD6D4BC000-memory.dmp

Filesize
48KB

Download
memory/2532-263-0x0000025C625B0000-0x0000025C625F8000-memory.dmp

Filesize
288KB

Download
memory/2532-262-0x0000025C62590000-0x0000025C625AE000-memory.dmp

Filesize
120KB

Download
memory/2532-259-0x0000025C7ABC0000-0x0000025C7ABE2000-memory.dmp

Filesize
136KB

Download