agenttesla | 15e029c3834435150c76741e714540fcb799662db8cc2c61ba4ef192a781727b

Analysis

max time kernel
93s
max time network
103s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31/05/2023, 12:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe
Size

762KB
MD5

62f9618752fffbd4ff7d52fdc39ec5fb
SHA1

0aca420c79a13982f5ec8499a35684276bca4433
SHA256

f681c1f8c12956a20c27beb9be1112374fefc7651884d7dd92010b40db1e7bee
SHA512

f87598495b6bba85d77c2cfba2904060bd7031ff3e1a40cd44725e6485bd8c20f935fee360a9a5e7962601344bde64ef407d895346ed3f9c6e2148f0d02d06c9
SSDEEP

12288:+Qm+VW77777I777oE9K/zepqfxPCddcTvxlK2X+jmnhCMtOnMiJ6pD:HfVW77777I77774zepqfwdmrlujyhZ4k

Score

10^/10

agenttesla collection keylogger spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 4 IoCs

resource	yara_rule
behavioral1/memory/1596-59-0x0000000000400000-0x00000000004A9000-memory.dmp	family_agenttesla
behavioral1/memory/1596-60-0x00000000003B0000-0x00000000003FE000-memory.dmp	family_agenttesla
behavioral1/memory/1596-61-0x00000000003B0000-0x00000000003FE000-memory.dmp	family_agenttesla
behavioral1/memory/1596-72-0x0000000000400000-0x00000000004A9000-memory.dmp	family_agenttesla

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1596-54-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1596-58-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1596-59-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 1596	1948	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe	26

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07C838A1-FFAE-11ED-B5FB-D6914D53598A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b77b42cf5b6ac1459da1c8993210767c00000000020000000000106600000001000020000000e4f6572dfab4e0019f94ac225c1c093ce9d5c6ef01f6547fdd1b8be45eea48ab000000000e80000000020000200000001102981f5f2071ca6e17c727d1d130cce5a3f45e700cb1a74ecff8fc206f2ec5200000006e9eaa80b9f3505a8ea5883f1a029ec97a4ee2c257848383a85023c5d7e652a04000000031005aca948cddce483844ad97decc798875d1055b499d3c8d9f29ae39d698cc36f7dc331acacb1754e4c51486df9c446fc3d27b52b521f65193cbe42820ee8e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7018b9dfba93d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b77b42cf5b6ac1459da1c8993210767c00000000020000000000106600000001000020000000735165d99d8e8e9f036aef23d3aae65fbbfd912f1609b18e8140ec817ebb19b1000000000e80000000020000200000007abdd634a3870a183b1fb0f2946fb1cd7c0ed892027764256cca2ba6cae0db199000000036ed507c036ffea15569c036c59eb74d69f3971a9872335a0869bb1dd148ce9b4dc85cc99fcf7c859c84e73471c3e5c877d202044c8698a1a2c005eaf18a568c732cd58d7001f47636fce39e2d34b390603d6c0184fcbcffae370b6e134782d653d1aa72d84b7a9b4f52f470d44ad98934694b19a9c7cee5e1190fd11014112b9e6353e09e5e8fabc5819d3994038dac40000000bd77f5588d11b3d169b8ff2d45c20bc4548feb586f5dfb1078aeb812a1e4870214aa8efc819916fb79bd1a3a7d1c03e52152b474e234e5b9de47708a27e09ba0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1688	vlc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1948	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe
1596	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe
1596	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe
1592	chrome.exe
1592	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1688	vlc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1948	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1660	iexplore.exe
1688	vlc.exe
1688	vlc.exe
1688	vlc.exe
1688	vlc.exe
1688	vlc.exe
1688	vlc.exe
1688	vlc.exe
1688	vlc.exe
1688	vlc.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1688	vlc.exe
1688	vlc.exe
1688	vlc.exe
1688	vlc.exe
1688	vlc.exe
1688	vlc.exe
1688	vlc.exe
1688	vlc.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1660	iexplore.exe
1660	iexplore.exe
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
1688	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1596	1948	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe	26
PID 1948 wrote to memory of 1596	1948	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe	26
PID 1948 wrote to memory of 1596	1948	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe	26
PID 1948 wrote to memory of 1596	1948	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe	26
PID 1660 wrote to memory of 1568	1660	iexplore.exe	30
PID 1660 wrote to memory of 1568	1660	iexplore.exe	30
PID 1660 wrote to memory of 1568	1660	iexplore.exe	30
PID 1660 wrote to memory of 1568	1660	iexplore.exe	30
PID 1592 wrote to memory of 320	1592	chrome.exe	34
PID 1592 wrote to memory of 320	1592	chrome.exe	34
PID 1592 wrote to memory of 320	1592	chrome.exe	34
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 1516	1592	chrome.exe	35
PID 1592 wrote to memory of 580	1592	chrome.exe	36
PID 1592 wrote to memory of 580	1592	chrome.exe	36
PID 1592 wrote to memory of 580	1592	chrome.exe	36
PID 1592 wrote to memory of 1860	1592	chrome.exe	37
PID 1592 wrote to memory of 1860	1592	chrome.exe	37
PID 1592 wrote to memory of 1860	1592	chrome.exe	37
PID 1592 wrote to memory of 1860	1592	chrome.exe	37
PID 1592 wrote to memory of 1860	1592	chrome.exe	37
PID 1592 wrote to memory of 1860	1592	chrome.exe	37
PID 1592 wrote to memory of 1860	1592	chrome.exe	37
PID 1592 wrote to memory of 1860	1592	chrome.exe	37
PID 1592 wrote to memory of 1860	1592	chrome.exe	37
PID 1592 wrote to memory of 1860	1592	chrome.exe	37
PID 1592 wrote to memory of 1860	1592	chrome.exe	37

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe

C:\Users\Admin\AppData\Local\Temp\Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe
"C:\Users\Admin\AppData\Local\Temp\Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe
  "C:\Users\Admin\AppData\Local\Temp\Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\UseRepair.mhtml
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1568

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UpdateExit.mp2v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2a89758,0x7fef2a89768,0x7fef2a89778
  2⤵
  PID:320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1220,i,6995030689118984204,4538844409218882115,131072 /prefetch:2
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1220,i,6995030689118984204,4538844409218882115,131072 /prefetch:8
  2⤵
  PID:580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1220,i,6995030689118984204,4538844409218882115,131072 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2360 --field-trial-handle=1220,i,6995030689118984204,4538844409218882115,131072 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1220,i,6995030689118984204,4538844409218882115,131072 /prefetch:1
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1276 --field-trial-handle=1220,i,6995030689118984204,4538844409218882115,131072 /prefetch:2
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3644 --field-trial-handle=1220,i,6995030689118984204,4538844409218882115,131072 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3908 --field-trial-handle=1220,i,6995030689118984204,4538844409218882115,131072 /prefetch:8
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4020 --field-trial-handle=1220,i,6995030689118984204,4538844409218882115,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4120 --field-trial-handle=1220,i,6995030689118984204,4538844409218882115,131072 /prefetch:1
  2⤵
  PID:2732

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2072

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Opened.docx"
1⤵
PID:2820
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
edf5fb8a72fa4cad4418da907985aa17

SHA1
b39e6381c238aab41a5f0577a8a3c43cb580b27a

SHA256
23cf166d21196e2b2c38c54f8e89db98b995aaba51ba2b72b203d5cca1cbd56b

SHA512
902819ad04260c3041a1b9c608bacc65e5a0eabe184ba0a6b56f8814504ae467004a094a057ca91a4fcccccc3de04f221d9fdb7faef72729906f0d066bac4f89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08d86dc6bfeb93cceeb99cd759e06645

SHA1
8207c9c67a2e2c802367a11a6ed647d5c2e52a25

SHA256
e93799939bbbca3f125e277930dba52a7a029997d433430923f5f8e530a49c91

SHA512
2a581803e059eda7810a9f5ced542b94c2bd8e99e937a4862d2a6bf74e04c71795718bb7bc481ea3aa1f9c92304b2037d1179a055d5ba5714e20dd3b7774c038

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e2523a7f3e10c987f8b8fbd9d376aaca

SHA1
21c772be4f3ac273091197d44a80961f5fd6c80d

SHA256
71a9dd925dcf62b4917b3c49395767a33aa3c346c026545c67531488a86ebd6a

SHA512
340dff6e7da6960de7abe96e9311e37f9e702fd911520e5ef21ad73b139596bc1c3a5f8f0e0f410256c1763de4d08e0375384f082b7280881ec23f0a80b5fddd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97e9848cb49b8c5930cc212c13397c7f

SHA1
a976f30cf783a725ac42be3cbe81d24c89fda16c

SHA256
dfa0d0133321a026d8106480dda96eed9709673680845610f29e6b980af7f45a

SHA512
77ee1b28fe9fa5bcba11fb6f1b1a0b032502472b47458a6f39879406c540b74b502367b4155b1ceec686b880c7d2b43764ce6d8b018b92f86ad0bbcbe39f15ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a7aeec76dbdffcaa32e4f3c82f52daa

SHA1
1e7682fe8cd3f95def0b40a7f9aa3b5552c8649d

SHA256
e19e036a01a819103894d2bee2af26003ec068fb47c83622f59e4ce2834c71f9

SHA512
2f3831bffa424c1d28edc9cb516c6d2bd0e3e100a9b9c4832a12e187b51d8131de0ed9f95d1d17c99dfac0f9748c1423444cd0cd1f0adb081b364e777e85c767

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3931afa0754b970da3142255b888cd8e

SHA1
fef485874a00397c7f4045b9bb7e3453a786da6d

SHA256
33fa67169a36902b6d81533791ad45961043d3714e0f43b9662de31b7a047f9a

SHA512
9038d9b05c33495dbe74d16e9709043c08dfb7e939ea353153bf09ac3d74ce5c98e34b040438ae5c719a002f5bfdaaa5dcd7ab4749c66a19c91d302642b6114c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a077ac73fbe4e73076c0bae77e22a147

SHA1
650b7dee3ec6c3c1eafc3847277ed885188870a3

SHA256
a51a32c2e815885fb33b03528c6d345614bb88b8e130e02af4ded1d370030da0

SHA512
8be487cf7888cb4fb8b99128423e6c72d5bfc5a790ffe928740fd39e8597463b94ed8c6c88f061ba2810bc91e29e4eb89c5e59004e94abaa01393998091544cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
328200da42b606d6301a9c21001afc88

SHA1
ff7b3d885222b1378eecf8aa50f91e984286d88a

SHA256
a31778dcadf8233a260fdf7abf43fa80b03ae63945ae9fe8ef1c9a61ee51fce6

SHA512
3258d2f18adc2db0b553a736a27e9ee93399cda1ebe90280a70539d9fa1829be38726e06e4265887b5668b04bff6c448fa960bd316f8f4fcab33b3a23ed5af33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10d66897b3f6a86698114eca50de10f5

SHA1
b2a5f8c84eb04ca7d68af2c327ec0ecff3e9ac87

SHA256
4a18adbd8a75d249e9ec84dbc6f077d6c3f62e97b7c2d4ead3f0c832c2a20a3b

SHA512
36eb72d6f9102d4454c397c9d069ce7f4681784e0c6cd0ecb51d17cc532b12d06224c22aee0792d80904ddf6e383339ef35315f370c7ef7542751216c8816698

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\6b7a606d-4bff-4ce3-bbb4-f2181054e25c.tmp

Filesize
154KB

MD5
ccda4a025bbf172e83240ddb4adb16ba

SHA1
e6dafce678f86b1d0d794f4abd93d89a943ab81e

SHA256
6b77dc3216abe41c20a90e7c75616d1be892b1e789bd191914c6bf25d2644465

SHA512
5b5b871c6d879a82ab9018fe55007d5700af4cd00e77bb9f8fb7fe0fdcb3120b9fe4e473b1eef77fbde615c63e04bc5e0fa1378a0be964d6672f7c48659bf255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ff2bdc30dcc25502b73db2892c94cf8d

SHA1
4ad495b55be1f9b10eeacfc8682b5e0e0883cba6

SHA256
1a583182be6c76e55332adaeae3362159cc588a7b6b8c7ad56f64cf6b58cc982

SHA512
a6a15f8d2efd8fd08962ff6f2b271de44d4df9829c3fa7aad511cf1fed416e0d667582714370e3be83776df494aab3599a42414f0aa88052e67d49efbec5a4e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
c5f10638389b2a6c161b9ec904b882b5

SHA1
22bf5ac810787d0c21eb4ecfe9fdae84a16b970e

SHA256
a1087213d27b0434bfb07b207a5303d2332b1fe23826504a556c00eb907b07f5

SHA512
389860679a88d15c2f0d7c944c6e1ab38c9f3a432dd190f827eb4e8afe3964a3eb2ae890abfde84b7933d74a5379952197e8450f65d744aaf0d05015ec74dd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2753.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar298B.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
a98bcab19aebb9fa0685866f2641b1e2

SHA1
af24850927aaefc39fe817596dbcf5ea4a18e470

SHA256
a14a6ca892bb3062788272d3623edbfee4becc991700ae21ca39ab97d2b9d5ac

SHA512
a2807b471d6848150ed50b5bf0eb567c70dcc57f2b38fdb49b8a9940229383c4f9a1286520e235935dc8a995604dd12644e5312284657664a9f1a0c5fb925649

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc.1688

Filesize
93KB

MD5
478a4a09f4f74e97335cd4d5e9da7ab5

SHA1
3c4f1dc52a293f079095d0b0370428ec8e8f9315

SHA256
884b59950669842f3c45e6da3480cd9a553538b951fb155b435b48ff38683974

SHA512
e96719663cd264132a8e1ea8c3f8a148c778a0c68caa2468ba47629393605b197dd9e00efad91f389de9fcc77b04981a0cf87f785f3c645cdc9e4ebd98060ca1

Download Submit
memory/1596-72-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1596-75-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/1596-73-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/1596-61-0x00000000003B0000-0x00000000003FE000-memory.dmp

Filesize
312KB

Download
memory/1596-60-0x00000000003B0000-0x00000000003FE000-memory.dmp

Filesize
312KB

Download
memory/1596-59-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1596-58-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1596-54-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1688-515-0x000007FEF3C80000-0x000007FEF3C91000-memory.dmp

Filesize
68KB

Download
memory/1688-538-0x000007FEF3950000-0x000007FEF3963000-memory.dmp

Filesize
76KB

Download
memory/1688-506-0x000007FEF57A0000-0x000007FEF57BD000-memory.dmp

Filesize
116KB

Download
memory/1688-507-0x000007FEF5780000-0x000007FEF5791000-memory.dmp

Filesize
68KB

Download
memory/1688-508-0x000007FEF4DE0000-0x000007FEF4FE0000-memory.dmp

Filesize
2.0MB

Download
memory/1688-509-0x000007FEF3D30000-0x000007FEF4DDB000-memory.dmp

Filesize
16.7MB

Download
memory/1688-510-0x000007FEF5740000-0x000007FEF577F000-memory.dmp

Filesize
252KB

Download
memory/1688-511-0x000007FEF3D00000-0x000007FEF3D21000-memory.dmp

Filesize
132KB

Download
memory/1688-512-0x000007FEF3CE0000-0x000007FEF3CF8000-memory.dmp

Filesize
96KB

Download
memory/1688-513-0x000007FEF3CC0000-0x000007FEF3CD1000-memory.dmp

Filesize
68KB

Download
memory/1688-514-0x000007FEF3CA0000-0x000007FEF3CB1000-memory.dmp

Filesize
68KB

Download
memory/1688-504-0x000007FEF57E0000-0x000007FEF57F7000-memory.dmp

Filesize
92KB

Download
memory/1688-516-0x000007FEF3C60000-0x000007FEF3C7B000-memory.dmp

Filesize
108KB

Download
memory/1688-517-0x000007FEF3C40000-0x000007FEF3C51000-memory.dmp

Filesize
68KB

Download
memory/1688-518-0x000007FEF3C20000-0x000007FEF3C38000-memory.dmp

Filesize
96KB

Download
memory/1688-519-0x000007FEF3BF0000-0x000007FEF3C20000-memory.dmp

Filesize
192KB

Download
memory/1688-520-0x000007FEF3B80000-0x000007FEF3BE7000-memory.dmp

Filesize
412KB

Download
memory/1688-521-0x000007FEF3B10000-0x000007FEF3B7F000-memory.dmp

Filesize
444KB

Download
memory/1688-522-0x000007FEF3AF0000-0x000007FEF3B01000-memory.dmp

Filesize
68KB

Download
memory/1688-523-0x000007FEF3A90000-0x000007FEF3AE6000-memory.dmp

Filesize
344KB

Download
memory/1688-503-0x000007FEF5800000-0x000007FEF5811000-memory.dmp

Filesize
68KB

Download
memory/1688-524-0x000007FEF3A60000-0x000007FEF3A88000-memory.dmp

Filesize
160KB

Download
memory/1688-533-0x000007FEF3A10000-0x000007FEF3A27000-memory.dmp

Filesize
92KB

Download
memory/1688-534-0x000007FEF39E0000-0x000007FEF3A03000-memory.dmp

Filesize
140KB

Download
memory/1688-537-0x000007FEF3970000-0x000007FEF3991000-memory.dmp

Filesize
132KB

Download
memory/1688-505-0x000007FEF57C0000-0x000007FEF57D1000-memory.dmp

Filesize
68KB

Download
memory/1688-536-0x000007FEF39A0000-0x000007FEF39B2000-memory.dmp

Filesize
72KB

Download
memory/1688-539-0x000007FEF3930000-0x000007FEF3942000-memory.dmp

Filesize
72KB

Download
memory/1688-535-0x000007FEF39C0000-0x000007FEF39D1000-memory.dmp

Filesize
68KB

Download
memory/1688-532-0x000007FEF3A30000-0x000007FEF3A54000-memory.dmp

Filesize
144KB

Download
memory/1688-540-0x000007FEF37F0000-0x000007FEF392B000-memory.dmp

Filesize
1.2MB

Download
memory/1688-542-0x000007FEF37C0000-0x000007FEF37EC000-memory.dmp

Filesize
176KB

Download
memory/1688-543-0x000007FEF3600000-0x000007FEF37B2000-memory.dmp

Filesize
1.7MB

Download
memory/1688-552-0x000007FEF35A0000-0x000007FEF35FC000-memory.dmp

Filesize
368KB

Download
memory/1688-557-0x000007FEF3580000-0x000007FEF3591000-memory.dmp

Filesize
68KB

Download
memory/1688-562-0x000007FEF34E0000-0x000007FEF3577000-memory.dmp

Filesize
604KB

Download
memory/1688-563-0x000007FEF34C0000-0x000007FEF34D2000-memory.dmp

Filesize
72KB

Download
memory/1688-564-0x000007FEF3280000-0x000007FEF34B1000-memory.dmp

Filesize
2.2MB

Download
memory/1688-567-0x000007FEF3160000-0x000007FEF3272000-memory.dmp

Filesize
1.1MB

Download
memory/1688-568-0x000007FEF3120000-0x000007FEF3155000-memory.dmp

Filesize
212KB

Download
memory/1688-502-0x000007FEF5820000-0x000007FEF5837000-memory.dmp

Filesize
92KB

Download
memory/1688-603-0x000007FEF30D0000-0x000007FEF30E1000-memory.dmp

Filesize
68KB

Download
memory/1688-501-0x000007FEF6C20000-0x000007FEF6C38000-memory.dmp

Filesize
96KB

Download
memory/1688-621-0x000007FEF3060000-0x000007FEF30C1000-memory.dmp

Filesize
388KB

Download
memory/1688-488-0x000007FEF5110000-0x000007FEF53C4000-memory.dmp

Filesize
2.7MB

Download
memory/1688-626-0x000007FEF3040000-0x000007FEF3051000-memory.dmp

Filesize
68KB

Download
memory/1688-590-0x000007FEF30F0000-0x000007FEF3115000-memory.dmp

Filesize
148KB

Download
memory/1688-477-0x000007FEF5840000-0x000007FEF5874000-memory.dmp

Filesize
208KB

Download
memory/1688-475-0x000000013F840000-0x000000013F938000-memory.dmp

Filesize
992KB

Download
memory/1948-56-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1948-57-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download