meduza | be61c1d0bf67dc6eab5099931f12ad2ab5a924b01273e656bf1982c159903e04

Analysis

max time kernel
121s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Polysy_Launcher.exe
Size

200.0MB
MD5

1adfc887018848dd5f4617827d978de8
SHA1

e0988dff57a4323164a9a8ab65f6cfc466c12b85
SHA256

be61c1d0bf67dc6eab5099931f12ad2ab5a924b01273e656bf1982c159903e04
SHA512

5028b871595e6002787e1f04b0b0525db23e4302149327c0b9ffab2c3d8273234057dc372dee1bb12a6aab5a2b7ab6ef25c41e45bdb80e4358d418c857f05203
SSDEEP

768:1FbpgqnVBXVGP/IX6X/kQPwtdfzXqYcV69izh:TacBF9X6XciE5jy69iz

Score

10^/10

meduza collection discovery execution spyware stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b68-87.dat	family_meduza

Meduza family
meduza

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2316	powershell.exe
3076	powershell.exe
5040	powershell.exe
1068	powershell.exe
2940	powershell.exe
1932	powershell.exe
1648	powershell.exe
4648	powershell.exe
560	powershell.exe
1648	powershell.exe
4208	powershell.exe
4896	powershell.exe
4700	powershell.exe
4268	powershell.exe
3884	powershell.exe
3704	powershell.exe
1004	powershell.exe
5112	powershell.exe
760	powershell.exe
3780	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Polysy_Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	l1kldmd0.le1.exe

Executes dropped EXE 19 IoCs

pid	Process
4172	l1kldmd0.le1.exe
4704	fgdlff5i.i03.exe
5016	ji2pbk5p.tw4.exe
2712	zyecbsh5.kh5.exe
1820	yjgfuzqn.b5r.exe
2144	rmwjz0z5.uuj.exe
5004	zjrznj5s.ngt.exe
3864	4dtybwxw.rmf.exe
1848	i0si52sl.iqj.exe
4004	m54yuyqr.yfk.exe
2144	xigivwbt.uzq.exe
2300	c3sqwsyx.sbm.exe
472	hkeqrl5t.nbu.exe
3348	yulfp4cr.l4k.exe
4044	uwzp1v0s.vfj.exe
3532	lomgqtby.j0w.exe
4032	t00ryfo3.cuz.exe
944	ajshclgx.cvv.exe
328	usuxtzwk.voi.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	l1kldmd0.le1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	l1kldmd0.le1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	l1kldmd0.le1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	l1kldmd0.le1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	l1kldmd0.le1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	api.ipify.org
20	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Polysy_Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1648	powershell.exe
1648	powershell.exe
3076	powershell.exe
3076	powershell.exe
5040	powershell.exe
5040	powershell.exe
4172	l1kldmd0.le1.exe
4172	l1kldmd0.le1.exe
4648	powershell.exe
4648	powershell.exe
5112	powershell.exe
5112	powershell.exe
1068	powershell.exe
1068	powershell.exe
2940	powershell.exe
2940	powershell.exe
760	powershell.exe
760	powershell.exe
4700	powershell.exe
4700	powershell.exe
4268	powershell.exe
4268	powershell.exe
1932	powershell.exe
1932	powershell.exe
3884	powershell.exe
3884	powershell.exe
560	powershell.exe
560	powershell.exe
3704	powershell.exe
3704	powershell.exe
1004	powershell.exe
1004	powershell.exe
4208	powershell.exe
4208	powershell.exe
2316	powershell.exe
2316	powershell.exe
4896	powershell.exe
4896	powershell.exe
3780	powershell.exe
3780	powershell.exe
1648	powershell.exe
1648	powershell.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	3988	Polysy_Launcher.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	4172	l1kldmd0.le1.exe
Token: SeImpersonatePrivilege	4172	l1kldmd0.le1.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	4704	fgdlff5i.i03.exe
Token: SeImpersonatePrivilege	4704	fgdlff5i.i03.exe
Token: SeDebugPrivilege	5016	ji2pbk5p.tw4.exe
Token: SeImpersonatePrivilege	5016	ji2pbk5p.tw4.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	2712	zyecbsh5.kh5.exe
Token: SeImpersonatePrivilege	2712	zyecbsh5.kh5.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	1820	yjgfuzqn.b5r.exe
Token: SeImpersonatePrivilege	1820	yjgfuzqn.b5r.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	2144	rmwjz0z5.uuj.exe
Token: SeImpersonatePrivilege	2144	rmwjz0z5.uuj.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	5004	zjrznj5s.ngt.exe
Token: SeImpersonatePrivilege	5004	zjrznj5s.ngt.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	3864	4dtybwxw.rmf.exe
Token: SeImpersonatePrivilege	3864	4dtybwxw.rmf.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	1848	i0si52sl.iqj.exe
Token: SeImpersonatePrivilege	1848	i0si52sl.iqj.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	4004	m54yuyqr.yfk.exe
Token: SeImpersonatePrivilege	4004	m54yuyqr.yfk.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2144	xigivwbt.uzq.exe
Token: SeImpersonatePrivilege	2144	xigivwbt.uzq.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	2300	c3sqwsyx.sbm.exe
Token: SeImpersonatePrivilege	2300	c3sqwsyx.sbm.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	472	hkeqrl5t.nbu.exe
Token: SeImpersonatePrivilege	472	hkeqrl5t.nbu.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	3348	yulfp4cr.l4k.exe
Token: SeImpersonatePrivilege	3348	yulfp4cr.l4k.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	4044	uwzp1v0s.vfj.exe
Token: SeImpersonatePrivilege	4044	uwzp1v0s.vfj.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	3532	lomgqtby.j0w.exe
Token: SeImpersonatePrivilege	3532	lomgqtby.j0w.exe
Token: SeDebugPrivilege	4032	t00ryfo3.cuz.exe
Token: SeImpersonatePrivilege	4032	t00ryfo3.cuz.exe
Token: SeDebugPrivilege	944	ajshclgx.cvv.exe
Token: SeImpersonatePrivilege	944	ajshclgx.cvv.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	328	usuxtzwk.voi.exe
Token: SeImpersonatePrivilege	328	usuxtzwk.voi.exe
Token: SeDebugPrivilege	1648	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 1648	3988	Polysy_Launcher.exe	82
PID 3988 wrote to memory of 1648	3988	Polysy_Launcher.exe	82
PID 3988 wrote to memory of 1648	3988	Polysy_Launcher.exe	82
PID 3988 wrote to memory of 3076	3988	Polysy_Launcher.exe	88
PID 3988 wrote to memory of 3076	3988	Polysy_Launcher.exe	88
PID 3988 wrote to memory of 3076	3988	Polysy_Launcher.exe	88
PID 3988 wrote to memory of 4172	3988	Polysy_Launcher.exe	91
PID 3988 wrote to memory of 4172	3988	Polysy_Launcher.exe	91
PID 3988 wrote to memory of 5040	3988	Polysy_Launcher.exe	92
PID 3988 wrote to memory of 5040	3988	Polysy_Launcher.exe	92
PID 3988 wrote to memory of 5040	3988	Polysy_Launcher.exe	92
PID 3988 wrote to memory of 4704	3988	Polysy_Launcher.exe	96
PID 3988 wrote to memory of 4704	3988	Polysy_Launcher.exe	96
PID 3988 wrote to memory of 5016	3988	Polysy_Launcher.exe	97
PID 3988 wrote to memory of 5016	3988	Polysy_Launcher.exe	97
PID 3988 wrote to memory of 4648	3988	Polysy_Launcher.exe	98
PID 3988 wrote to memory of 4648	3988	Polysy_Launcher.exe	98
PID 3988 wrote to memory of 4648	3988	Polysy_Launcher.exe	98
PID 3988 wrote to memory of 2712	3988	Polysy_Launcher.exe	100
PID 3988 wrote to memory of 2712	3988	Polysy_Launcher.exe	100
PID 3988 wrote to memory of 5112	3988	Polysy_Launcher.exe	102
PID 3988 wrote to memory of 5112	3988	Polysy_Launcher.exe	102
PID 3988 wrote to memory of 5112	3988	Polysy_Launcher.exe	102
PID 3988 wrote to memory of 1820	3988	Polysy_Launcher.exe	104
PID 3988 wrote to memory of 1820	3988	Polysy_Launcher.exe	104
PID 3988 wrote to memory of 1068	3988	Polysy_Launcher.exe	106
PID 3988 wrote to memory of 1068	3988	Polysy_Launcher.exe	106
PID 3988 wrote to memory of 1068	3988	Polysy_Launcher.exe	106
PID 3988 wrote to memory of 2144	3988	Polysy_Launcher.exe	108
PID 3988 wrote to memory of 2144	3988	Polysy_Launcher.exe	108
PID 3988 wrote to memory of 2940	3988	Polysy_Launcher.exe	109
PID 3988 wrote to memory of 2940	3988	Polysy_Launcher.exe	109
PID 3988 wrote to memory of 2940	3988	Polysy_Launcher.exe	109
PID 3988 wrote to memory of 5004	3988	Polysy_Launcher.exe	111
PID 3988 wrote to memory of 5004	3988	Polysy_Launcher.exe	111
PID 3988 wrote to memory of 760	3988	Polysy_Launcher.exe	112
PID 3988 wrote to memory of 760	3988	Polysy_Launcher.exe	112
PID 3988 wrote to memory of 760	3988	Polysy_Launcher.exe	112
PID 3988 wrote to memory of 3864	3988	Polysy_Launcher.exe	114
PID 3988 wrote to memory of 3864	3988	Polysy_Launcher.exe	114
PID 3988 wrote to memory of 4700	3988	Polysy_Launcher.exe	115
PID 3988 wrote to memory of 4700	3988	Polysy_Launcher.exe	115
PID 3988 wrote to memory of 4700	3988	Polysy_Launcher.exe	115
PID 3988 wrote to memory of 1848	3988	Polysy_Launcher.exe	117
PID 3988 wrote to memory of 1848	3988	Polysy_Launcher.exe	117
PID 3988 wrote to memory of 4268	3988	Polysy_Launcher.exe	118
PID 3988 wrote to memory of 4268	3988	Polysy_Launcher.exe	118
PID 3988 wrote to memory of 4268	3988	Polysy_Launcher.exe	118
PID 3988 wrote to memory of 4004	3988	Polysy_Launcher.exe	120
PID 3988 wrote to memory of 4004	3988	Polysy_Launcher.exe	120
PID 3988 wrote to memory of 1932	3988	Polysy_Launcher.exe	121
PID 3988 wrote to memory of 1932	3988	Polysy_Launcher.exe	121
PID 3988 wrote to memory of 1932	3988	Polysy_Launcher.exe	121
PID 3988 wrote to memory of 2144	3988	Polysy_Launcher.exe	123
PID 3988 wrote to memory of 2144	3988	Polysy_Launcher.exe	123
PID 3988 wrote to memory of 3884	3988	Polysy_Launcher.exe	124
PID 3988 wrote to memory of 3884	3988	Polysy_Launcher.exe	124
PID 3988 wrote to memory of 3884	3988	Polysy_Launcher.exe	124
PID 3988 wrote to memory of 2300	3988	Polysy_Launcher.exe	126
PID 3988 wrote to memory of 2300	3988	Polysy_Launcher.exe	126
PID 3988 wrote to memory of 560	3988	Polysy_Launcher.exe	127
PID 3988 wrote to memory of 560	3988	Polysy_Launcher.exe	127
PID 3988 wrote to memory of 560	3988	Polysy_Launcher.exe	127
PID 3988 wrote to memory of 472	3988	Polysy_Launcher.exe	129

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	l1kldmd0.le1.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	l1kldmd0.le1.exe

C:\Users\Admin\AppData\Local\Temp\Polysy_Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Polysy_Launcher.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- C:\Windows\Temp\l1kldmd0.le1.exe
  "C:\Windows\Temp\l1kldmd0.le1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\Temp\fgdlff5i.i03.exe
  "C:\Windows\Temp\fgdlff5i.i03.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4704
- C:\Windows\Temp\ji2pbk5p.tw4.exe
  "C:\Windows\Temp\ji2pbk5p.tw4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Windows\Temp\zyecbsh5.kh5.exe
  "C:\Windows\Temp\zyecbsh5.kh5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\Temp\yjgfuzqn.b5r.exe
  "C:\Windows\Temp\yjgfuzqn.b5r.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\Temp\rmwjz0z5.uuj.exe
  "C:\Windows\Temp\rmwjz0z5.uuj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\Temp\zjrznj5s.ngt.exe
  "C:\Windows\Temp\zjrznj5s.ngt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\Temp\4dtybwxw.rmf.exe
  "C:\Windows\Temp\4dtybwxw.rmf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\Temp\i0si52sl.iqj.exe
  "C:\Windows\Temp\i0si52sl.iqj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\Temp\m54yuyqr.yfk.exe
  "C:\Windows\Temp\m54yuyqr.yfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\Temp\xigivwbt.uzq.exe
  "C:\Windows\Temp\xigivwbt.uzq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\Temp\c3sqwsyx.sbm.exe
  "C:\Windows\Temp\c3sqwsyx.sbm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\Temp\hkeqrl5t.nbu.exe
  "C:\Windows\Temp\hkeqrl5t.nbu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\Temp\yulfp4cr.l4k.exe
  "C:\Windows\Temp\yulfp4cr.l4k.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3348
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\Temp\uwzp1v0s.vfj.exe
  "C:\Windows\Temp\uwzp1v0s.vfj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\Temp\lomgqtby.j0w.exe
  "C:\Windows\Temp\lomgqtby.j0w.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3532
- C:\Windows\Temp\t00ryfo3.cuz.exe
  "C:\Windows\Temp\t00ryfo3.cuz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\Temp\ajshclgx.cvv.exe
  "C:\Windows\Temp\ajshclgx.cvv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3780
- C:\Windows\Temp\usuxtzwk.voi.exe
  "C:\Windows\Temp\usuxtzwk.voi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
afc90aa8236a48555b957db9f7bfe25a

SHA1
c70701a0efe00920aead4857563c33c5bafd1656

SHA256
9519ca83a3fa266b6188b552f9e83af2e0d117af65c70a15d927fa59a0d40d1e

SHA512
5217e9931d06f638ccdcbe6c7a20040c61f1865c4c62195fd790f55831da87ff83301b841b1052fd7d3503a9e59734d8f8886d6577505b8d3970eef0ee0764e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c89a9dc8b2b1bde3d99f66836d678586

SHA1
7dcfaf5c5ce523929155275637b89e202a26d5fa

SHA256
9858e4a8287bddedab680019add2b4d2206e7be3dee95417768af103e49d53e7

SHA512
bdbcd38c8e0ab534f31cf28f06867cb1d4d3b145a846e68cc5620667252174149878bd05f90ea5e3d32f57ba16f2391aa0543d4582dbfd603341d506bde0240e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c599b3a1c129212f598de67ce1b6c136

SHA1
40be9b2e1739042c547da636aa4ac5d89658d48b

SHA256
70a3a01ccff725cde64f4318c8b9b1e8a01d0d5d2f1a8f566c3b086e1a560339

SHA512
4216652507996380ded7f8564a8c9f3a88695023d7652a5ba507a5d9dca18a2d5d53de57dec2789bb6b6a47e10e3eb0d29d78a388bfea87da74cf80fae1a7dd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
48d4bb916039efd6477685fc68ce7c89

SHA1
e7845dfdfe50095d3b2f5c5f5cb37fcd7df74e8b

SHA256
f15e343112f71db423bf15261772a2c49ef30ddd10bf9e3ca0877e1a3cfa30fb

SHA512
e5ad34559a6c5a2498aecabaf43b90025cdff36dca8b80b947a49ba57e71d92280957b27f5388f6ee1fdfbc56ab281a24bc9f2f093dff6379322f5d850862a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f23d686c777b6f511db021e7b1f9bc46

SHA1
7da2cc44b5cbcf7c73770386ca8f1b03c2c79c86

SHA256
7ff0d0b2dec57af932bb1d68ec0edba59248cdab3656e4841a62d6341da5c72c

SHA512
b665e44178ccd2f7d8fde020b0a9b46ae4677d93f13cb20eeccf79d052d9e602da2defa86c85b5f7f557824a636dd33939ccf30327850df4689256c0dabe0345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
68b076b07b18349012edd2ace4948410

SHA1
12324715244fc325b2094ad82f8476d54dfd1b15

SHA256
ffa58f81ab399048825eadaa2c54047c21080bd272ef0f198cfaf2d6b1b3c607

SHA512
1f46887d597ea202c1891f50c41e8b9349280da02fe967cf70ae255ba2472d00cee2411cf0d16086b9da97e726cb9dc7f43a93d15ed423cf37d6f8c6ddfed1b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6faf77ff89b45088a382aa4bdf58dc64

SHA1
c2e7719c78f10aeff7048981abec769749ce9493

SHA256
d711f85582030b2d129fa192df0d95fb0fc9b4184afe6f2e262ffa506f73a5fd

SHA512
86ac13069a890c53ebae753d13b32e5fd3a288c20c22019fc282a030a4329a2251a353082cf72f0c2baad7e6065c3c624e0e45cd9e95c554b2021a7fac7b26a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
617557abb1fcb5410d594ccc8616e117

SHA1
7da938fa7a5d3bc698e9fbca6748037777ffe8a7

SHA256
e545a15ee38bd1c4d925338d89d71acaaf6a90b797bd17b6de984e67284fab22

SHA512
cabe538c4a0c7ceded46beb90fb52944581d92e5125a2eeb1596532d988fd619eb98aa4b357e6793fc6c8bf2e7a18396d832823f8e16dce21467009d3e1f006c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
164241406d261c873f386d87731fba45

SHA1
3d3a8caae657519b9390ce284811a5ea5774eb44

SHA256
6180db9603b94a7f81fc1aaa841fdf0d4f88ce46610ba8fb7665e41cfc33fb84

SHA512
532329208c98eef86740f695af900c8be1fc06eab8c9ce8737c5d9b1cfc0314d363ec877a3b7c2b27755b11a92fc1f5b02bf0af8b0144502c8728d430136a54f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cfd9476be37cfca7291f798c1601784a

SHA1
41c5cc711e940c91dd96cce121f49d66adf62b04

SHA256
9873d757c32c5c8a003cbb1f5e1b4d8cf4c7c8b781e4968438392f246f628b5c

SHA512
33bcd07e82d0a159dcae59c41465ab59820bb1a23e331e726c010c36b799166717afb3e298706bcb3989592729c21df0cdad1a1735993ec2b191d047e800a29a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4457430f156818df7d5eb7fefcb48b89

SHA1
4a44ce20b9d7915e2010470a5d568d626d4ebc85

SHA256
d59ce6853d89cdc3153f869106d13dee0b328b85abd0f84e4c398b59aa00e960

SHA512
b7e4e4e5fa226f371c22ef14ed3e163a0deffef4a18a94419e3ee4f0e6dbb26aea7c5f4a7b4ab98d77371421780fea1a46dc8d3c7da635934bf87188edcf17e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
783db369da5754221e15847b02b40e22

SHA1
b58d723826e536e995b3370610331a56a5781be1

SHA256
e25a41446d22ff51c611fbe98c7f4cf84b811f09d9e7a052c6a379ab43e108ad

SHA512
00825b3bf6c6407d6db25e8dc7d57f0be03f7ebc03b7288991ecab87e0a3070e758497d8fe79009e887cc4edf6b01630ba9c74e18b13a689c23a2c17772c32e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ef9630ebdf0be4b9833db0f95cc613da

SHA1
bb62644276268b8bf5780832b11013347a64bcec

SHA256
e9f11ae9b2700269102ed82f0483bc1f79b6967843720b12e6d3fe938246033f

SHA512
0dae9f8cab8d622032af9b9c06675f992f41794c3d19878447c7a9a523f71cccf65c73ac25d56db898aa21692cd60c9a450562e4b5631a9eb4b49378740a57ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
956e9ea10134a27cc1ad3b6f6545e772

SHA1
1d86a378393a01818d6e48bb946df219b85db69f

SHA256
1deaeef5e69959691b08ad59d7d54f3f4653d5f5fa07fbc1aea99a796686f3ba

SHA512
02730e43b1dbbadb5a726d6fef98de8f3036bcb9318d5846e19983eba51283f0ed0062e05da771efbaf956b50975eb6f37eb1d1f3b24f9be0d0e9e24bb2211ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
daab277d91db7ce201406a5990f82b7f

SHA1
c70495e22c4abdf2bcac88303efc1d34ce448a1e

SHA256
2053092bc4f2467a8f360300193e5ff57d42a3231d6297d3b95017176d709e1c

SHA512
25f98c46b1f629e4b5fc838a8ea08c53d6822fce714bbcf29b89bc09f6dabc249825db1879d331a2e85c27425c94d5389d0dd09fc15393caff664a7bc296302a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ac1b2e39f970298e8b7022c1eac92957

SHA1
b4a1b58272da78575433ed290241da9ca4a9c03c

SHA256
ebbd29544416ce48891a76085f16fbd39b5d284d5e3359a74392bf5a397fcd4a

SHA512
b2c3cdaeee0e039ec2370f6521dde071374411edddf95e806e89a10e9840481b997ddd2df8f3211ceb74fd1e20dc171bff8e3bc9feda13aab5b3410df9c1429a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9abfbba28593e783d9bcd6197f36a339

SHA1
9707f9c651ffae60393871c3ba4ab935994d7636

SHA256
7a5398603b29d4cbbc6ebe9658fa1bcd3202a36980ae116c5286509fec34f39a

SHA512
1fa281326ebfa385e3b380c071d264c3f676b845a6843891e11dcde1484aaeace15ccd9928b56e859eec0c38933f90afe6c5ca4733a21a64851520ff6bde0751

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8f0a885c567e6b38bbe5f47935a87370

SHA1
a74eea2e122cc5915c8b442f52a0433e9b2076de

SHA256
5877329c3b5b5c7721e21862603ce35acf0fb93981533906275acfe3967a3018

SHA512
3b9ac1121e71da701da42ceae281b7b514f184cdbf1435221dfd8ee7c9253cacc69a25213fb3fafbac5eb9809f14a064629b70011c1631a3128b7b3d644ddc22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d70534e0f50980735ea5a6ba08670312

SHA1
29d2cb0693e8ff585f43ef063c841723328c81a0

SHA256
0341c86e7684116c3a6e7afb1659e4ce07cffacad7e3f609ded5fd173779161a

SHA512
3cac4a471e22cb254a241545bc3bd78e3d66aff6b46f6ad85facb0d920a7f3f443903165e3eb105999a80422ccfec1550fd40c66440abead03766b7933c72569

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wxz3bm1w.bi5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\l1kldmd0.le1.exe

Filesize
1.2MB

MD5
bee040fc0caf73ee0cb2e55d4c703f22

SHA1
6bf7f1fa9dcf930190cabfba9abde2e7faab486f

SHA256
940d413dd95bc28d5c724d814f2cd1ecca005d2cb58ed28788d9c07d962d829b

SHA512
ec45afc4a8626dc813462a3c65b57a75f96233e9e66a0d9d60953fa2e29ec1a1c48c9ccf00f8f0e0ad3ff37e8c98c673c5b2309ff77475896ec57897d73551b2

Download Submit
memory/560-402-0x0000000005670000-0x00000000059C4000-memory.dmp

Filesize
3.3MB

Download
memory/560-413-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/760-267-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/1004-470-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

Filesize
3.3MB

Download
memory/1004-472-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/1068-209-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/1068-207-0x0000000005B10000-0x0000000005E64000-memory.dmp

Filesize
3.3MB

Download
memory/1648-39-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1648-10-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1648-48-0x0000000007A30000-0x0000000007A41000-memory.dmp

Filesize
68KB

Download
memory/1648-49-0x0000000007A60000-0x0000000007A6E000-memory.dmp

Filesize
56KB

Download
memory/1648-50-0x0000000007A70000-0x0000000007A84000-memory.dmp

Filesize
80KB

Download
memory/1648-51-0x0000000007B70000-0x0000000007B8A000-memory.dmp

Filesize
104KB

Download
memory/1648-52-0x0000000007B50000-0x0000000007B58000-memory.dmp

Filesize
32KB

Download
memory/1648-55-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1648-618-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/1648-6-0x0000000002BC0000-0x0000000002BF6000-memory.dmp

Filesize
216KB

Download
memory/1648-46-0x00000000078A0000-0x00000000078AA000-memory.dmp

Filesize
40KB

Download
memory/1648-7-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1648-9-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1648-8-0x00000000057D0000-0x0000000005DF8000-memory.dmp

Filesize
6.2MB

Download
memory/1648-47-0x0000000007AB0000-0x0000000007B46000-memory.dmp

Filesize
600KB

Download
memory/1648-11-0x0000000005730000-0x0000000005752000-memory.dmp

Filesize
136KB

Download
memory/1648-44-0x0000000007830000-0x000000000784A000-memory.dmp

Filesize
104KB

Download
memory/1648-12-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/1648-43-0x0000000007EB0000-0x000000000852A000-memory.dmp

Filesize
6.5MB

Download
memory/1648-13-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/1648-23-0x00000000060C0000-0x0000000006414000-memory.dmp

Filesize
3.3MB

Download
memory/1648-24-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/1648-25-0x0000000006580000-0x00000000065CC000-memory.dmp

Filesize
304KB

Download
memory/1648-27-0x0000000006AA0000-0x0000000006AD2000-memory.dmp

Filesize
200KB

Download
memory/1648-42-0x0000000007580000-0x0000000007623000-memory.dmp

Filesize
652KB

Download
memory/1648-28-0x000000006FFE0000-0x000000007002C000-memory.dmp

Filesize
304KB

Download
memory/1648-38-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1648-41-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1648-40-0x0000000006B00000-0x0000000006B1E000-memory.dmp

Filesize
120KB

Download
memory/1932-354-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/2316-522-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/2940-238-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/3076-79-0x0000000006EE0000-0x0000000006F83000-memory.dmp

Filesize
652KB

Download
memory/3076-68-0x0000000005C00000-0x0000000005C4C000-memory.dmp

Filesize
304KB

Download
memory/3076-80-0x00000000070D0000-0x00000000070E1000-memory.dmp

Filesize
68KB

Download
memory/3076-81-0x0000000007130000-0x0000000007144000-memory.dmp

Filesize
80KB

Download
memory/3076-66-0x00000000056A0000-0x00000000059F4000-memory.dmp

Filesize
3.3MB

Download
memory/3076-69-0x000000006FC50000-0x000000006FC9C000-memory.dmp

Filesize
304KB

Download
memory/3704-442-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/3780-589-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/3780-584-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/3884-383-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/3988-2-0x0000000012230000-0x00000000127D4000-memory.dmp

Filesize
5.6MB

Download
memory/3988-5-0x0000000011CE0000-0x0000000011CEA000-memory.dmp

Filesize
40KB

Download
memory/3988-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/3988-4-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/3988-3-0x0000000011D20000-0x0000000011DB2000-memory.dmp

Filesize
584KB

Download
memory/3988-26-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/3988-1-0x0000000000AD0000-0x0000000001AD0000-memory.dmp

Filesize
16.0MB

Download
memory/3988-45-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/4208-501-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/4268-325-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/4648-149-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/4700-296-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/4896-543-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/5040-91-0x0000000005E00000-0x0000000006154000-memory.dmp

Filesize
3.3MB

Download
memory/5040-102-0x00000000069D0000-0x0000000006A1C000-memory.dmp

Filesize
304KB

Download
memory/5040-103-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download
memory/5040-113-0x0000000007710000-0x00000000077B3000-memory.dmp

Filesize
652KB

Download
memory/5040-114-0x00000000079D0000-0x00000000079E1000-memory.dmp

Filesize
68KB

Download
memory/5040-115-0x0000000007A10000-0x0000000007A24000-memory.dmp

Filesize
80KB

Download
memory/5112-177-0x0000000005B90000-0x0000000005EE4000-memory.dmp

Filesize
3.3MB

Download
memory/5112-179-0x000000006F560000-0x000000006F5AC000-memory.dmp

Filesize
304KB

Download