glupteba | 07962afa3456e31a683847e0fac357a4c493033a0781664ba3a92e37f8a18240

Analysis

max time kernel
122s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2023 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

332KB
MD5

db651aa40e313bf53ff4e0e69dce3091
SHA1

687b4923a0607ff9ccabeee9ce9632024db6a68d
SHA256

07962afa3456e31a683847e0fac357a4c493033a0781664ba3a92e37f8a18240
SHA512

eede4b697f26dfeab7519ebedaec3d32a6fc1617250fdf67e8991d5a996962d91e2964fa2d082820a24c8d528fd7b36db3aa2de4e9728e6cfa97813080711b9f
SSDEEP

3072:nhBzFRhQwAKxd68Vja8JY73SnjUFVbrIVrc2fNhQ7UbLzg9gVnqWv/fnOpuk1a+O:nhdFvJpa8JS3SnGVb+A0NhrI9GVOp

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

raccoon

Botnet

02715ba03fc9d768ba977c72db990ef6

http://193.233.132.30:80/

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

45.15.156.187:23929

Extracted

Family

smokeloader

Botnet

pub1

Signatures

Detect Lumma Stealer payload V4 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1616-109-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/1616-111-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/1616-113-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/1616-120-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4460-169-0x0000000000400000-0x0000000000F96000-memory.dmp	family_glupteba
behavioral2/memory/4460-196-0x0000000000400000-0x0000000000F96000-memory.dmp	family_glupteba
behavioral2/memory/1468-405-0x0000000000400000-0x0000000000F96000-memory.dmp	family_glupteba
behavioral2/memory/3716-428-0x0000000000400000-0x0000000000F96000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3604-19-0x0000000000AD0000-0x0000000000BD0000-memory.dmp	family_raccoon_v2
behavioral2/memory/3604-21-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2
behavioral2/memory/3604-20-0x0000000000960000-0x0000000000976000-memory.dmp	family_raccoon_v2
behavioral2/memory/3916-26-0x0000000000970000-0x0000000001574000-memory.dmp	family_raccoon_v2
behavioral2/memory/3604-49-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4332-57-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

D785.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ D785.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

1020 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	D785.exe

pid	process
1020	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

D785.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	D785.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	D785.exe

Deletes itself 1 IoCs

Processes:

pid process

3260
Executes dropped EXE 6 IoCs

Processes:

B853.exeD785.exe481.exe88F5.exeB12F.exeB7B8.exe

pid process

3604 B853.exe
3916 D785.exe
4272 481.exe
1124 88F5.exe
1748 B12F.exe
4460 B7B8.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exe88F5.exe

pid process

2280 regsvr32.exe
1124 88F5.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3260

pid	process
3604	B853.exe
3916	D785.exe
4272	481.exe
1124	88F5.exe
1748	B12F.exe
4460	B7B8.exe

pid	process
2280	regsvr32.exe
1124	88F5.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\D785.exe	themida
C:\Users\Admin\AppData\Local\Temp\D785.exe	themida
behavioral2/memory/3916-39-0x0000000000970000-0x0000000001574000-memory.dmp	themida
behavioral2/memory/3916-40-0x0000000000970000-0x0000000001574000-memory.dmp	themida
behavioral2/memory/3916-75-0x0000000000970000-0x0000000001574000-memory.dmp	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
behavioral2/memory/4244-436-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

D785.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA D785.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

D785.exe

pid process

3916 D785.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	D785.exe

pid	process
3916	D785.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

481.exe88F5.exe

description	pid	process	target process
PID 4272 set thread context of 4332	4272	481.exe	AppLaunch.exe
PID 1124 set thread context of 1616	1124	88F5.exe	RegSvcs.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3340 sc.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3704 3604 WerFault.exe B853.exe
4932 1616 WerFault.exe RegSvcs.exe

pid	process
3340	sc.exe

pid	pid_target	process	target process
3704	3604	WerFault.exe	B853.exe
4932	1616	WerFault.exe	RegSvcs.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exeB12F.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B12F.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B12F.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B12F.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2512 schtasks.exe
4300 schtasks.exe

pid	process
2512	schtasks.exe
4300	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
4788	file.exe
4788	file.exe
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260
3260

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

file.exeB12F.exe

pid process

4788 file.exe
3260
3260
3260
3260
1748 B12F.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

D785.exeAppLaunch.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3260
Token: SeCreatePagefilePrivilege	3260
Token: SeDebugPrivilege	3916	D785.exe
Token: SeDebugPrivilege	4332	AppLaunch.exe
Token: SeShutdownPrivilege	3260
Token: SeCreatePagefilePrivilege	3260
Token: SeShutdownPrivilege	3260
Token: SeCreatePagefilePrivilege	3260
Token: SeShutdownPrivilege	3260
Token: SeCreatePagefilePrivilege	3260
Token: SeShutdownPrivilege	3260
Token: SeCreatePagefilePrivilege	3260
Token: SeShutdownPrivilege	3260
Token: SeCreatePagefilePrivilege	3260
Token: SeShutdownPrivilege	3260
Token: SeCreatePagefilePrivilege	3260
Token: SeShutdownPrivilege	3260
Token: SeCreatePagefilePrivilege	3260
Token: SeDebugPrivilege	4872	powershell.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3260

pid	process
3260

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

481.exeregsvr32.exe88F5.exeB7B8.exe

description	pid	process	target process
PID 3260 wrote to memory of 3604	3260		B853.exe
PID 3260 wrote to memory of 3604	3260		B853.exe
PID 3260 wrote to memory of 3604	3260		B853.exe
PID 3260 wrote to memory of 3916	3260		D785.exe
PID 3260 wrote to memory of 3916	3260		D785.exe
PID 3260 wrote to memory of 3916	3260		D785.exe
PID 3260 wrote to memory of 4272	3260		481.exe
PID 3260 wrote to memory of 4272	3260		481.exe
PID 3260 wrote to memory of 4272	3260		481.exe
PID 4272 wrote to memory of 4332	4272	481.exe	AppLaunch.exe
PID 4272 wrote to memory of 4332	4272	481.exe	AppLaunch.exe
PID 4272 wrote to memory of 4332	4272	481.exe	AppLaunch.exe
PID 4272 wrote to memory of 4332	4272	481.exe	AppLaunch.exe
PID 4272 wrote to memory of 4332	4272	481.exe	AppLaunch.exe
PID 4272 wrote to memory of 4332	4272	481.exe	AppLaunch.exe
PID 4272 wrote to memory of 4332	4272	481.exe	AppLaunch.exe
PID 4272 wrote to memory of 4332	4272	481.exe	AppLaunch.exe
PID 3260 wrote to memory of 1124	3260		88F5.exe
PID 3260 wrote to memory of 1124	3260		88F5.exe
PID 3260 wrote to memory of 1124	3260		88F5.exe
PID 3260 wrote to memory of 436	3260		regsvr32.exe
PID 3260 wrote to memory of 436	3260		regsvr32.exe
PID 436 wrote to memory of 2280	436	regsvr32.exe	regsvr32.exe
PID 436 wrote to memory of 2280	436	regsvr32.exe	regsvr32.exe
PID 436 wrote to memory of 2280	436	regsvr32.exe	regsvr32.exe
PID 3260 wrote to memory of 1748	3260		B12F.exe
PID 3260 wrote to memory of 1748	3260		B12F.exe
PID 3260 wrote to memory of 1748	3260		B12F.exe
PID 1124 wrote to memory of 3296	1124	88F5.exe	RegSvcs.exe
PID 1124 wrote to memory of 3296	1124	88F5.exe	RegSvcs.exe
PID 1124 wrote to memory of 3296	1124	88F5.exe	RegSvcs.exe
PID 1124 wrote to memory of 1616	1124	88F5.exe	RegSvcs.exe
PID 1124 wrote to memory of 1616	1124	88F5.exe	RegSvcs.exe
PID 1124 wrote to memory of 1616	1124	88F5.exe	RegSvcs.exe
PID 1124 wrote to memory of 1616	1124	88F5.exe	RegSvcs.exe
PID 1124 wrote to memory of 1616	1124	88F5.exe	RegSvcs.exe
PID 1124 wrote to memory of 1616	1124	88F5.exe	RegSvcs.exe
PID 1124 wrote to memory of 1616	1124	88F5.exe	RegSvcs.exe
PID 1124 wrote to memory of 1616	1124	88F5.exe	RegSvcs.exe
PID 1124 wrote to memory of 1616	1124	88F5.exe	RegSvcs.exe
PID 3260 wrote to memory of 4460	3260		B7B8.exe
PID 3260 wrote to memory of 4460	3260		B7B8.exe
PID 3260 wrote to memory of 4460	3260		B7B8.exe
PID 3260 wrote to memory of 3600	3260		explorer.exe
PID 3260 wrote to memory of 3600	3260		explorer.exe
PID 3260 wrote to memory of 3600	3260		explorer.exe
PID 3260 wrote to memory of 3600	3260		explorer.exe
PID 3260 wrote to memory of 768	3260		explorer.exe
PID 3260 wrote to memory of 768	3260		explorer.exe
PID 3260 wrote to memory of 768	3260		explorer.exe
PID 4460 wrote to memory of 4872	4460	B7B8.exe	powershell.exe
PID 4460 wrote to memory of 4872	4460	B7B8.exe	powershell.exe
PID 4460 wrote to memory of 4872	4460	B7B8.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4788

C:\Users\Admin\AppData\Local\Temp\B853.exe
C:\Users\Admin\AppData\Local\Temp\B853.exe
1⤵
- Executes dropped EXE
PID:3604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 7968
  2⤵
  - Program crash
  PID:3704

C:\Users\Admin\AppData\Local\Temp\D785.exe
C:\Users\Admin\AppData\Local\Temp\D785.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Users\Admin\AppData\Local\Temp\481.exe
C:\Users\Admin\AppData\Local\Temp\481.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3604 -ip 3604
1⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\88F5.exe
C:\Users\Admin\AppData\Local\Temp\88F5.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 840
    3⤵
    - Program crash
    PID:4932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:3296

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AAA7.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\AAA7.dll
  2⤵
  - Loads dropped DLL
  PID:2280

C:\Users\Admin\AppData\Local\Temp\B12F.exe
C:\Users\Admin\AppData\Local\Temp\B12F.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1748

C:\Users\Admin\AppData\Local\Temp\B7B8.exe
C:\Users\Admin\AppData\Local\Temp\B7B8.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Users\Admin\AppData\Local\Temp\B7B8.exe
  "C:\Users\Admin\AppData\Local\Temp\B7B8.exe"
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:3664
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:516
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2040
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:3716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:976
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2512
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:624
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:3856
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4300
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:4244
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:4436
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:3340

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1616 -ip 1616
1⤵
PID:1508

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:768

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\481.exe

Filesize
405KB

MD5
006d7a5f1483ac70f754fd8240a2b7cc

SHA1
821711da60674cc73400cc6fcab9c3b218c6ac01

SHA256
d253c6cfeda65a40fa815cb4f9909a252798c4b1c63adab8238127e2238fff7d

SHA512
59eeee2d3e4900556f75cf0ec9ce7002bee8973d0a86de61d74caabbe52035454d6f3699ad22622f8d494ba253bd8aec6b8b9c274024f764f91a52db9e194d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\481.exe

Filesize
415KB

MD5
60a593844b8cd93e774780a8899761bb

SHA1
d3c46c664e8dfa1661367ec915513f7ce06827c7

SHA256
7dce43091513cf3381ea009a19a8ed059268d07cd7899c597dd71abe1d373722

SHA512
9fa66c7e5ca4a665153e2ae8a54a793a7c730a9aa8f3e796ae73fb7bb5c13a68fe29ff64822c75bcedb12f8a6511717f99ffbe545263fb9f2e48a56d90a61bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\88F5.exe

Filesize
932KB

MD5
03554c0c8059ebc29ea6b44b1dbfc5fb

SHA1
1cdf941bf621e767694d692437f3b488fb815c0d

SHA256
93ba3260311253962e7997aead50f8f17cfc0334124af6b3bea753c49436bfce

SHA512
16002728bd63af8a37421cf8f9410b41b4d49b061b9f830aba38d75070f39dbc5e66017dc31b7e71dbb8febf87ec67d458dd523c6f8ad7c53c2257dcd5dc0110

Download Submit
C:\Users\Admin\AppData\Local\Temp\88F5.exe

Filesize
729KB

MD5
354952081e17eb97c91dc1f4085af337

SHA1
c84f79feb46301325230feb5c96562008ae46f06

SHA256
0dc5f084d61db58a84fba4d348efc7c3422c9b2171d0034594533ae95e22e814

SHA512
318483bd5578bd11c60a377beff031f53708330b649bfebaf52bba62daa27a8a575a8c5f9a14cb216dec4d2fa2c997c2f960abe907dd9280313f7a5d52a4af64

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAA7.dll

Filesize
729KB

MD5
100fcd9d8e91a7be7b873545a3b8a3ee

SHA1
b4520366f0b5d1712ae1c5fa23b230ce7ebe6408

SHA256
6c53720e5418121993843a3b0c5d5fb1bd38406684b6297f2bb08d060fc7f8d6

SHA512
6d1d39928891fdcbe385123a30266f7e917fdc2d5f8f16443db4c325510496cc7c8dc092b7e47963e8cabd514764e0988b0769ae5a57ad8bce23c0204b844567

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAA7.dll

Filesize
623KB

MD5
03c9b7469805c04aa04d7761ecc0073b

SHA1
88a8939db5d0d7ae6b2c1a3eedc4beb2ed1d8d3e

SHA256
606a127e25b2a76064097a6e88349a9edfce812357a49de60e48249004dcd79e

SHA512
2b62a8d146366b8677327d4f71dba2716ce31fbe3aa08595c3c051e77943f53c552671d3603bc9f637fd2bcd08de607eed843e919192c65e78148876a697db4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B12F.exe

Filesize
332KB

MD5
2596748f9c5218ca15e033827620772d

SHA1
05a5e125cee8128a717f5029a790a287a3536384

SHA256
9715518d8593a8b7e4057a8f7eeef8ef0a1e52a21ba078fad9c1a462d6bcf7ce

SHA512
8633eda425a89c8c7c7e12e6252f5323165c697829dc89644a9817d6c435ddc0879f187fe1e0c6c2a594077b9abe778a24cf9468cd2e8bec515685e55d4ea924

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7B8.exe

Filesize
287KB

MD5
8369476a4d1ab35247a7cb293ec2b5f0

SHA1
e4321bb31d3e8313e76d24708729053e821fa0fa

SHA256
bcd9d9d0e7ba299c1ded6ac299223992d344cc3af85f14e657190e89b1690f0f

SHA512
64c4a8b701c92404bdd8579281f7638d860e18346bf1a3447d846401933defb9e48d5c5b99c758600fa09bbcfaf1d25e3accdf7e25d6791ab4c9f2c7adac9e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7B8.exe

Filesize
384KB

MD5
077c4d0861cd3534d2c7e1f00f5e6b4d

SHA1
b377d26067a7d98612051376af63c84be2eec0d4

SHA256
6e1dec284f90bc3dda4c073be31bf62b3c77baec6d8421d89b4bb11a72e884ba

SHA512
01e09d0892605a6215a7a950adc23fcf0a14f3d965fc0cbfe64e50647fbc7bc422118ccfcaf3f2a656e345116db33979fd81279d946a2a7331e2046a637c6f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7B8.exe

Filesize
1008KB

MD5
a2c3035cc70c46050f9417ce4b1779e2

SHA1
4b964286d6594ec618af178475e49bb40f35e6cd

SHA256
810689260f237ae5eecf8dd11fc1e6a6691b3396fe2219cdf57e477c0682701e

SHA512
b4d59b2a1d5c81b85dd63df46e49710581e280b7ca2877d99a077847e5dcbcdb01c47a20d2aca01599f1f767cb1c492a0110bcb16d4c23b1fc164d86e4ceaba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\B853.exe

Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\D785.exe

Filesize
1.6MB

MD5
4b17bc2fa655a878913ab2f9447c7b03

SHA1
b9ffd3ffbe3af9160ccc75688da283f6e0579cb9

SHA256
504d63fcebd25f30630a5b5b0d275c93e80dc80a783f32efc8c36d5fe447e0eb

SHA512
9cf18e7da3559f63d9ade955b7dc1dabd00159c956823f9346d5f15fa9aec67080e72edaebf8261f3dccc510eb614cbb3c019a63f67a6a8b3b0d08be85187c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\D785.exe

Filesize
1.8MB

MD5
4f088ddc85a9ffafa9fcaadd0cee0765

SHA1
d7d46047e35304183533698e67c9ba7dcb833105

SHA256
70cc114deed88be317e2c2292a1dbde9908b05975735d60e97385da8097079c0

SHA512
c4f24a31344da085513e73dd876cb6e88cc981fa4e17564ce143fab23a054287d0965255dd803638e4ae3999dbeb5ccbfbd69452bb029118ec6aa58200016d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
195KB

MD5
224deebcb4d8e6fea23b1d3d9d28c347

SHA1
6f8b5526a8980b4bf6107546582e5d689baafe80

SHA256
903fe4ce8b98df3ca32ab700771ba884baeb9b8bd8950088b4957a8e10a74562

SHA512
587fd07f2647fef2cd485a4fded44d40521d399330e716202c62ed468092f491c06b7cc03871af9ad417edcdcc61d9bd39987244c7eed33e3bc80f6e09f35b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_30agf4o3.kmn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
dd917f0d4e7b5cad6105bd2fe11b3cfc

SHA1
b61935febc2725367c494611609258c12bb885d0

SHA256
6be3c93ed8922948eac2a0af7a0c61f70c39a9dcbcbe3b538b667ca136b39c76

SHA512
e544efc42d3085179e81b141c410d4867b88e8a711962ca49904aa92b823ae0d8576922fb9a6c0148fd5395b063d77dfbd639c9dd751c02c92c120ab05695227

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6e09d78fb0dfa41552a0437765907497

SHA1
0f827efc5be27a1d394d36d347e12caee7ac0107

SHA256
43c94aaacbcbdb58ce3da1b34a503293c28e537ad49b6a384d89c132be6664ea

SHA512
e093eda7fcbb79ce50cf83886600a429cbdc0c64018c7badbdca6583ab20430a65a232cc68cef6d77f20a19562db805351b7543d14ee8dd3b01d57a1f5d395a2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
03173546cc494067c4572649ccc913ab

SHA1
09988d483b87c976531079bbf0200f7fe8ddbd78

SHA256
71a96b293596cd1856acf96328d4cf82a2a4cae89c31f561fdbe573191367740

SHA512
3ecbf71f1ee03455fe4ab7b664ebea5b3994d4cac065080fea76bcf444ec6d2251663251af2e54261ecc4ccf4b4d55d40b6a2e61289a5c57f68f05a294b5008d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b69cc7a321e1811893b1dbecddc2d10d

SHA1
18d7d4d0e3a8fe00e8a4d1311ec46c0af02fa639

SHA256
ba4b33d459f7957c7276d9017300e912750d56827e7a98952eff7b488e028f01

SHA512
174e7bce785ffc90d44afe2237446137b0c61ce4a65c8fd1cacab3746fcf539fb89c5825139be503218a3ae278c33ce3ff3aec402f6b8531e78d17ab26a0f775

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
fcf5846fd1e4f75be31eff8e2b9e6438

SHA1
14da8b3857f0ebef5dd43a90fc4e36d649c412dd

SHA256
e1706d756c77b6bce4be33456a5352804c30c2bc2d5c1dbac4693c4f98714955

SHA512
3ff00988fd4d7904b9131f7920d3b7a70d22df8edbcefc782d5ac237ac92cc40675d228dea8b3a46a22718c9e95bf4db9b167479c3dbd5a795f2cab1aeecbd49

Download Submit
C:\Windows\rss\csrss.exe

Filesize
2.3MB

MD5
af0298559187d74a1165d9e2eb46a200

SHA1
348cf0312e2864dc3619edfe015ec15a1271d2db

SHA256
2835823c03b04ae335eab39b9689e23a7b68fc418c1bb94c45d793eda9c2c24d

SHA512
6d30405f05bb4089eb0c4f2df816140348a26420e268acdbe7760cb36d252628f81aa33bf20b2f310a106f9bbc028b3feee1907d1d3b1f89c76bee8dcf95c58f

Download Submit
C:\Windows\rss\csrss.exe

Filesize
2.1MB

MD5
6fd24c7397d75a9c5dd76f81804d4f59

SHA1
b45eda802f7c4a80f05e7ec5aab491e5b85b1b15

SHA256
af83161b08cd08e0a1e178eb5cbdbf8ec3222df7ba958d8bdd7c221634796428

SHA512
54abc3d9a943f3e21a52dd760fa0eb978111b1dd2470d26053c69d6a97278b32f250efc8d847a3078968c3cbe609943af87d74365e3d927770c673037dcbfd1d

Download Submit
C:\Windows\windefender.exe

Filesize
914KB

MD5
37abcd200ce873b69d74d625521356e1

SHA1
b8cfedf457ea1ec5c210ba2975801b335377f76c

SHA256
55ff8ee21f20dd3d05ee761c15487599a7013f34c78a4fbf68ca377c152c9264

SHA512
da8edc2ba70b861a6ee0e6308be953032e662cdc7bf6bf9763eb0e6a52b820ed59e7d25cddbb3a7996976e0880089219a0c38da1803f020c8a68c705ae6b6257

Download Submit
C:\Windows\windefender.exe

Filesize
1.3MB

MD5
506237dc750c2cf84d54a3ed62216266

SHA1
f6d609d031208016a9171d2425da1f82e23c73a4

SHA256
9e9fb355888a214efcbe7bb14e89b4399631bc10e5538c4fcf24ef9a99cf709c

SHA512
999fd10a02cdf66b82cd941b4def096ec1bcfca9ff080a87a62af70e4c322642d7145b5ca697925f1395680305b9bdf93cc4124c0c4b7e99cb10ff1f9324fbc1

Download Submit
C:\Windows\windefender.exe

Filesize
1.5MB

MD5
88f9af2d18814144dd3bbaff7f5dd0d0

SHA1
1a3d23b3f7f661084e449d832607633181487b18

SHA256
6a8ff7b61c7acd49f955ed7a061b020d7fb4472d47dd0bdc412e1f197116317d

SHA512
a3c5ec99e0e85cc26cf87f7421e3f21fecb87c65cdf10593e1a260a6c1105f9b7bd682f91b5d36fcecb0ec97ac01ea656448efda573d585bb16ba4666f3a6f24

Download Submit
memory/768-144-0x0000000000FA0000-0x0000000000FAC000-memory.dmp

Filesize
48KB

Download
memory/1124-99-0x0000000006D90000-0x0000000006F22000-memory.dmp

Filesize
1.6MB

Download
memory/1124-84-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1124-117-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1124-105-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1124-115-0x0000000007570000-0x0000000007670000-memory.dmp

Filesize
1024KB

Download
memory/1124-85-0x00000000050A0000-0x000000000513C000-memory.dmp

Filesize
624KB

Download
memory/1124-98-0x0000000005A50000-0x0000000005C5C000-memory.dmp

Filesize
2.0MB

Download
memory/1124-83-0x0000000000030000-0x0000000000574000-memory.dmp

Filesize
5.3MB

Download
memory/1124-86-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/1124-107-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/1124-108-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/1124-106-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/1124-112-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/1124-110-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/1468-405-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/1616-111-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1616-109-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1616-120-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1616-113-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1748-167-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/1748-118-0x0000000000E00000-0x0000000000E0B000-memory.dmp

Filesize
44KB

Download
memory/1748-116-0x0000000000E40000-0x0000000000F40000-memory.dmp

Filesize
1024KB

Download
memory/1748-119-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2280-223-0x0000000002E80000-0x0000000002F95000-memory.dmp

Filesize
1.1MB

Download
memory/2280-217-0x0000000002D70000-0x0000000002E7D000-memory.dmp

Filesize
1.1MB

Download
memory/2280-127-0x0000000002640000-0x000000000275E000-memory.dmp

Filesize
1.1MB

Download
memory/2280-233-0x000000003FC10000-0x000000003FC62000-memory.dmp

Filesize
328KB

Download
memory/2280-168-0x0000000010000000-0x0000000010333000-memory.dmp

Filesize
3.2MB

Download
memory/2280-214-0x0000000002640000-0x000000000275E000-memory.dmp

Filesize
1.1MB

Download
memory/2280-215-0x0000000002760000-0x0000000002D65000-memory.dmp

Filesize
6.0MB

Download
memory/2280-130-0x0000000002640000-0x000000000275E000-memory.dmp

Filesize
1.1MB

Download
memory/2280-121-0x0000000002500000-0x000000000263C000-memory.dmp

Filesize
1.2MB

Download
memory/2280-91-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/2280-90-0x0000000010000000-0x0000000010333000-memory.dmp

Filesize
3.2MB

Download
memory/2280-229-0x0000000002E80000-0x0000000002F95000-memory.dmp

Filesize
1.1MB

Download
memory/2280-232-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/3260-164-0x0000000002DE0000-0x0000000002DF6000-memory.dmp

Filesize
88KB

Download
memory/3260-4-0x0000000000F10000-0x0000000000F26000-memory.dmp

Filesize
88KB

Download
memory/3600-132-0x0000000000600000-0x000000000066B000-memory.dmp

Filesize
428KB

Download
memory/3600-133-0x0000000000670000-0x00000000006E5000-memory.dmp

Filesize
468KB

Download
memory/3604-50-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/3604-19-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/3604-21-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3604-20-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/3604-49-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3716-428-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/3916-44-0x0000000008CA0000-0x00000000092B8000-memory.dmp

Filesize
6.1MB

Download
memory/3916-42-0x0000000007BC0000-0x0000000007C52000-memory.dmp

Filesize
584KB

Download
memory/3916-65-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-66-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-64-0x000000000A2B0000-0x000000000A300000-memory.dmp

Filesize
320KB

Download
memory/3916-62-0x0000000000970000-0x0000000001574000-memory.dmp

Filesize
12.0MB

Download
memory/3916-63-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-75-0x0000000000970000-0x0000000001574000-memory.dmp

Filesize
12.0MB

Download
memory/3916-76-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-69-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-51-0x0000000008870000-0x00000000088D6000-memory.dmp

Filesize
408KB

Download
memory/3916-70-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-72-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-26-0x0000000000970000-0x0000000001574000-memory.dmp

Filesize
12.0MB

Download
memory/3916-71-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-45-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/3916-48-0x0000000007F20000-0x0000000007F6C000-memory.dmp

Filesize
304KB

Download
memory/3916-47-0x0000000007EE0000-0x0000000007F1C000-memory.dmp

Filesize
240KB

Download
memory/3916-46-0x0000000007BA0000-0x0000000007BB2000-memory.dmp

Filesize
72KB

Download
memory/3916-28-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-30-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-31-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-43-0x00000000016F0000-0x00000000016FA000-memory.dmp

Filesize
40KB

Download
memory/3916-32-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-41-0x00000000080D0000-0x0000000008674000-memory.dmp

Filesize
5.6MB

Download
memory/3916-40-0x0000000000970000-0x0000000001574000-memory.dmp

Filesize
12.0MB

Download
memory/3916-39-0x0000000000970000-0x0000000001574000-memory.dmp

Filesize
12.0MB

Download
memory/3916-27-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-29-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-38-0x0000000077674000-0x0000000077676000-memory.dmp

Filesize
8KB

Download
memory/3916-36-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/3916-34-0x0000000077500000-0x00000000775F0000-memory.dmp

Filesize
960KB

Download
memory/4244-436-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4332-58-0x0000000073890000-0x0000000074040000-memory.dmp

Filesize
7.7MB

Download
memory/4332-78-0x0000000073890000-0x0000000074040000-memory.dmp

Filesize
7.7MB

Download
memory/4332-68-0x0000000009C20000-0x000000000A14C000-memory.dmp

Filesize
5.2MB

Download
memory/4332-60-0x0000000007860000-0x0000000007870000-memory.dmp

Filesize
64KB

Download
memory/4332-67-0x0000000009520000-0x00000000096E2000-memory.dmp

Filesize
1.8MB

Download
memory/4332-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4460-169-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/4460-196-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/4788-1-0x0000000000F10000-0x0000000001010000-memory.dmp

Filesize
1024KB

Download
memory/4788-5-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4788-3-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4788-2-0x0000000000CF0000-0x0000000000CFB000-memory.dmp

Filesize
44KB

Download