agenttesla | 1eed2bbece7cb87fe2548552724b0e1c5cf400a14cfba0a3fe2959d27eae49b4

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
12-12-2023 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

purchase_order.exe
Size

882KB
MD5

f82b121e447bb312a0c383d78a90490f
SHA1

a2570c68231136bb0d7b260f906d1e5a78c25f48
SHA256

d61fdb59b0176c8e329052c1b577dd366f17f206b79769bf3ae56ed6d52575de
SHA512

cfcf833f59f3f47aea75ea62b79d5ca57fcad8e56943bb60cd4af0212baf3c6720d9f991a3dd8964a9e272b2b82f0416fa5d06988e90dc9fda2a0e56d649dc31
SSDEEP

12288:r6zcyAwHWZJOLMZ7vgg24T4xT0Wm6y7+uSm0POeB83mAQuaPc19LW1lVmt1XS/2E:r6TH2gK0xxm64+ut1F2fuaG35Cy

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
kex#-rHjHM4qKk52
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2492-2-0x0000000004670000-0x0000000004718000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-4-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-5-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-7-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-9-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-11-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-13-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-15-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-19-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-17-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-25-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-23-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-21-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-27-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-29-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-31-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-33-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-35-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-37-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-39-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-41-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-43-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-45-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-47-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-49-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-51-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-53-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-55-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-57-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-59-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-61-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-67-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-65-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-63-0x0000000004670000-0x0000000004713000-memory.dmp	family_zgrat_v1
behavioral1/memory/2492-930-0x0000000000A80000-0x0000000000AC0000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

purchase_order.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdf = "C:\\Users\\Admin\\AppData\\Roaming\\pdf.exe"	purchase_order.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

purchase_order.exe

description pid process target process

PID 2492 set thread context of 2152 2492 purchase_order.exe purchase_order.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

560 ipconfig.exe
1748 ipconfig.exe

description	pid	process	target process
PID 2492 set thread context of 2152	2492	purchase_order.exe	purchase_order.exe

pid	process
560	ipconfig.exe
1748	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd500000000020000000000106600000001000020000000456e110ad2e2047c524d0afdb52f8a315ab2d4a5ac5b7df2990d5b4c2b29aaca000000000e80000000020000200000009e2a75624f3d3f6f0e42996b6b27b8eac81a39d19aeafd9efbb114bc3a7b62792000000005ef8f499126492bbc0bfd97753d8dc0c5fbcb552792a865c1be7bf6954f5e6640000000f05c2cad9f3e8562d8ab86b667664d4574ec97b7aedb25c04c196677373090c7a709fd7a5b6477d9681ad02be7ff69d24aa4d622ae8f32ab7016981cd2bb768a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "408557226"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{24D55641-9904-11EE-ADFB-D640E40AF572} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd5000000000200000000001066000000010000200000000e598bb2b669b712a623140b434e13ad66e81eb43a1595a7e782d6c5f9424d27000000000e800000000200002000000035239a74199856e7011d6d1d8942d2f7ea7af0e89b9ce2848c257fc7f0632ad890000000c7ddcc76888afef19db03fb29188598997fcc54a59d589e999608b5c1358e815b5a1d662ef25e72c090edb8e35512496d86fe0dc80f42e58df053733575c7db818bc7a476907ab704eaf74940406c90d13c562d7b80847ff1890fb468503537d72e8e194cf7132226cfa2f310b36af28dab966819d5bd939124c5bbcd730664564249a755251d4f189acda8cc97525404000000079643b5ca26107d1e4bbdcb62b4e799810489ff7378359fff211f33157ad909cc440aaacb72e55f4e3fb598ad042adc66940ee12b937bacf67ab7c79004bfebd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6068fffa102dda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

purchase_order.exepowershell.exepurchase_order.exe

pid process

2492 purchase_order.exe
2828 powershell.exe
2152 purchase_order.exe
2152 purchase_order.exe

pid	process
2492	purchase_order.exe
2828	powershell.exe
2152	purchase_order.exe
2152	purchase_order.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

purchase_order.exepowershell.exepurchase_order.exe

description	pid	process
Token: SeDebugPrivilege	2492	purchase_order.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2152	purchase_order.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2960 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2960 iexplore.exe
2960 iexplore.exe
2432 IEXPLORE.EXE
2432 IEXPLORE.EXE
2432 IEXPLORE.EXE
2432 IEXPLORE.EXE

pid	process
2960	iexplore.exe

pid	process
2960	iexplore.exe
2960	iexplore.exe
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

purchase_order.execmd.execmd.exepowershell.exeiexplore.exe

description	pid	process	target process
PID 2492 wrote to memory of 1048	2492	purchase_order.exe	cmd.exe
PID 2492 wrote to memory of 1048	2492	purchase_order.exe	cmd.exe
PID 2492 wrote to memory of 1048	2492	purchase_order.exe	cmd.exe
PID 2492 wrote to memory of 1048	2492	purchase_order.exe	cmd.exe
PID 1048 wrote to memory of 560	1048	cmd.exe	ipconfig.exe
PID 1048 wrote to memory of 560	1048	cmd.exe	ipconfig.exe
PID 1048 wrote to memory of 560	1048	cmd.exe	ipconfig.exe
PID 1048 wrote to memory of 560	1048	cmd.exe	ipconfig.exe
PID 2492 wrote to memory of 2828	2492	purchase_order.exe	powershell.exe
PID 2492 wrote to memory of 2828	2492	purchase_order.exe	powershell.exe
PID 2492 wrote to memory of 2828	2492	purchase_order.exe	powershell.exe
PID 2492 wrote to memory of 2828	2492	purchase_order.exe	powershell.exe
PID 2492 wrote to memory of 1804	2492	purchase_order.exe	cmd.exe
PID 2492 wrote to memory of 1804	2492	purchase_order.exe	cmd.exe
PID 2492 wrote to memory of 1804	2492	purchase_order.exe	cmd.exe
PID 2492 wrote to memory of 1804	2492	purchase_order.exe	cmd.exe
PID 1804 wrote to memory of 1748	1804	cmd.exe	ipconfig.exe
PID 1804 wrote to memory of 1748	1804	cmd.exe	ipconfig.exe
PID 1804 wrote to memory of 1748	1804	cmd.exe	ipconfig.exe
PID 1804 wrote to memory of 1748	1804	cmd.exe	ipconfig.exe
PID 2828 wrote to memory of 2960	2828	powershell.exe	iexplore.exe
PID 2828 wrote to memory of 2960	2828	powershell.exe	iexplore.exe
PID 2828 wrote to memory of 2960	2828	powershell.exe	iexplore.exe
PID 2828 wrote to memory of 2960	2828	powershell.exe	iexplore.exe
PID 2960 wrote to memory of 2432	2960	iexplore.exe	IEXPLORE.EXE
PID 2960 wrote to memory of 2432	2960	iexplore.exe	IEXPLORE.EXE
PID 2960 wrote to memory of 2432	2960	iexplore.exe	IEXPLORE.EXE
PID 2960 wrote to memory of 2432	2960	iexplore.exe	IEXPLORE.EXE
PID 2492 wrote to memory of 2152	2492	purchase_order.exe	purchase_order.exe
PID 2492 wrote to memory of 2152	2492	purchase_order.exe	purchase_order.exe
PID 2492 wrote to memory of 2152	2492	purchase_order.exe	purchase_order.exe
PID 2492 wrote to memory of 2152	2492	purchase_order.exe	purchase_order.exe
PID 2492 wrote to memory of 2152	2492	purchase_order.exe	purchase_order.exe
PID 2492 wrote to memory of 2152	2492	purchase_order.exe	purchase_order.exe
PID 2492 wrote to memory of 2152	2492	purchase_order.exe	purchase_order.exe
PID 2492 wrote to memory of 2152	2492	purchase_order.exe	purchase_order.exe
PID 2492 wrote to memory of 2152	2492	purchase_order.exe	purchase_order.exe
PID 2492 wrote to memory of 2152	2492	purchase_order.exe	purchase_order.exe
PID 2492 wrote to memory of 2152	2492	purchase_order.exe	purchase_order.exe
PID 2492 wrote to memory of 2152	2492	purchase_order.exe	purchase_order.exe

C:\Users\Admin\AppData\Local\Temp\purchase_order.exe
"C:\Users\Admin\AppData\Local\Temp\purchase_order.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
2⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:1748

C:\Users\Admin\AppData\Local\Temp\purchase_order.exe
C:\Users\Admin\AppData\Local\Temp\purchase_order.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
1814781350dbbb5f206cce9eb919ebc3

SHA1
b00a06e57e7ad3e6409523268e506597e7ed90d0

SHA256
64271f60773cb97400c29153c2a50ea9bb57d5562c51afefe37881bfddbb66c2

SHA512
19226f9ac52b6e10c5f2215f83d27bc3309a5fe32892aabe2add452a3fb20ad885349dc90acda4ce3ae90331d76136a8dcbeff0cf19ceb63c72a094a13d56829

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a292fe3fc85422a47b9c58de5150ffae

SHA1
7cad8bb6636047d46e9073d838ad7446e8acf9b4

SHA256
de074ccf1750f08adf679ffb77c0500af0279600ac6d062379ae3e69540ac74a

SHA512
805930e3da2d6f73d3f43ac28e04d172ff3ec826f6598d0b43f7d658745f9315018466780e879e9405675b7d737ecd0180a8b8748e34738aca711dd79ea7ffaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1214340318c87d9ea2f5f266050ddf79

SHA1
9f99aa9ea9b5feb850fad93890216ad2b1b47880

SHA256
c357740197e5c555111eea05f2c36be66c9e821fb40dea881bb7abdba88e45e2

SHA512
0ed587132b06524c539d0a541ef6d2a2929ebd86d943ce5cef9506135f084f2fe6870dc441829bde5f547f85baaf0e5e9e2fe67cdc34e642b05167769583cd24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1876835a91af815b8d2faf83e36031c6

SHA1
7af7215de42596c8bbd3a6ab5962ea2b7f635ca2

SHA256
149cab71eebae159226eb214ade6f5f864c3b4978269bb9be54521b25383a18f

SHA512
a20dc5012b76d901d8840c6b711f387542b929a3ffc008294ca46c87c3cb3f866d0b20df739372663fa39d1ef2c4ed7e8736530eef88da90cda71ae5b3b77083

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
568eb8b7d3813d2a7bd9f8ca485b9f22

SHA1
54723cbff494b6666be618a54c53f935ff791c7f

SHA256
85d7a1b518348cd19d372b6eed6c2d5b59dad2e88d2de5fb470d5e3d91cb12d7

SHA512
425f7b01dccf8af93229cc3f7d749009135d651af36ae39920ea2193ddb3b3b271941d5d2cc4433cb4a256b85bcd65af8e37b2d38fcd1b886e1af83429073c08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
856b830924bc62275e57f51ec885970a

SHA1
eb8448b6a149a8a3f5a9dc3948b4f7fd7ea9c7c8

SHA256
a12307c785533c6f5528878cde2ee38ace3b25213b98ebd8b6d84ad267925c27

SHA512
feea74a5992ce8c866c204ff770c8dc34e689666eb01a36bd29cf1b79017205c09088e27adfcff0c2224aaea4b10639ed521c3ccc59c8c1ade415cff0d0b6084

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba465b1c50b02cb8e8e37cfcd43624be

SHA1
5034e90a6a635b361add7ca9e36269664a870dca

SHA256
bec8da8b424077e69fd97e6274e18e7e52934f88ca5fc2cfc5078a234dc66a1f

SHA512
8b617e1ee28aea45be0794ed9740e615188ce1bfb65bdc6641095c5285e97419dbbbb62d5075e52e9b6d121af2fd310cfe8458a23639dc852d11a28f9afa1971

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8cad09893015904d8b8badd1ccedeb25

SHA1
07aed6ea20cf8327fa040a849c49735ad093cf69

SHA256
e35bac967407fabd60883c33d0a6805c9ae2eac8986003c45d6d44f2742bcbc4

SHA512
9be42b98685109f3773eec58f0488cc2cdcf7de954162f4cef1f97788ccbd8b8a1b59091a95eb4694dc75a5953068044f06b02c8b8ff4de626c76cb3ed578376

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
541d8584eedd523f5ce8defb6ca46db4

SHA1
7a0feaf3e4b35ae68798817539abbc34fcf0b987

SHA256
ce3f3e1fbb6628d431d936058de8b3e03640189d16e506d1f5ce66f380bda436

SHA512
c8c19bd0d09351661db8fdd7fae244792cc54f6f3cfafeaf752cdaf63fb8f2ef2b87b9897429a979f5a3860a7d8a78d2d14a00a8a6f53760556f696c0aac6da8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ea0a4b0f763c086266ba02a2b5c44b43

SHA1
146d528aee81b182968c8a5ed3736d175ea66cba

SHA256
29e6cfb90a007122a822ca717f23e3495c9a49ab39109a8861d2434ae23b2258

SHA512
37106e26580d0c53288175166c060976da30103f99e9e6078da45f473fb5baa7c30eb40e5d712aa705c21307234633e70f39dbef203d0b3153e03916f2f7d14f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a2ac10ec1458e5585c0b61c3ce874cfe

SHA1
2c1756e40ff076777202e256feb38079a392290f

SHA256
e43ed37d02362c3dfb8f6f7008afd5775d57a5552b9fc2265b719cc93192e99a

SHA512
4691e943ed0521c128e8e76e252057eaa28428fded27140f84371000129fb82446f2835b9f3b98719148358a2d8efd84e86d7e8468e26acd3fc97a9ceee7a468

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1dc3014e86646854202590395b5ac7eb

SHA1
b5ed8514d6a2d4185751e5325c5a30d935462d63

SHA256
39e8534bdee2dc519fff1b48d264149084d1d43af5b89a889201d18bb4a711ef

SHA512
1eb3609eb6c479c202edccb5d64e38ff8e07ee2194af097d5bf037ba694f3969846afa479320aeb9a7bcc955a46ec72475c350660b3dded2f12cc355c9929c86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3906890ac1c7e4b974d625c794c4012

SHA1
0ec50cbe0d622da3de85fc1500c8a6634cac4beb

SHA256
9991ffd6c17d7c2414cbc6ca5b3ba6d0831a62cec2dde7761d9e3ba117aea24e

SHA512
35e942b40f49dd0d43dca870706f142a9dbbeeb6e408b41247af1f7bcb7d667646e0170e37199126ae11fb3b4a0b796ff24a201f7f3ca35351e4065f99ab7dd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa2416310f7c206e31530fecfdcd14b3

SHA1
ef3a30f8c0c10c25715ab5cbfc48a6c0da68fbc5

SHA256
c1944ce366098c1386790c46f5dff77063827902911d14a65ba02049031499fa

SHA512
90b952dc681377f64ecba3f4a8ebcb67c93c0235c2d09991c82e687ef4d294f45e269247153cda3bfc83e1be8c9c11eb6d4916f6c3fc12edad4160650f6482ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
29d54b54da89cb4cc42e63131f33e84f

SHA1
3323cfc9cd70bca18c1f21e2aa58ed5b8c6edbbe

SHA256
7dacce3f7d941e9ecb025ded8f69cbdd4a00d74c5db92debc5d9d947fa2ab553

SHA512
1e24785713d6e444ef2b9d0378de9bd610c7dd356b230b6004936ee46262e148b30ea55db77f397d8e0f8f4bc30023e68c44968e8990deb651d3b23bc497afda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f7db11b5c28cc7c649f82d89426c8d10

SHA1
cb1069222f7c3b376805afa82df28cfd96b2d058

SHA256
a1262ddf5d165089b33f1622fa01129d6dc27d05a093f0ff8e8e5a809ea0189b

SHA512
f4d31e1f7dd1568b6a3cd0a9f791a0f7bf1abcc886229158befdd9ec69b40749f3bf7da139079327902d3e42b41ee1e2c7a8aa52bf00880b3e307b48d55aac03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e338c2829609ab231a984b85edb8a01

SHA1
54d3d3ba88c6b4c816a1e4993131fc1657f2a493

SHA256
3136465a411a8e234918f5196e7203a1ab0e593737ded93760506a0fca49b03d

SHA512
2aadbda0a90691370369aefeeb33ad5de420693e43403337710848016592d9bc6d3c9d15bcd4b02f431a95d7ff1e31714d48f70b9a164f14cc1c4bd9def76e1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65e8c5b2a3c2ac8d34131d123065777c

SHA1
8ee6eb3fe9779f5a471bcac979f01e5b18769f07

SHA256
c3213be0f9d1141c7e5592b8f4978df12e5ce0238825eb7a5d1566fa3e71dd6e

SHA512
c620dc4d4ad6f2f52dc8f05ca5472c2d78a3c5ccbef5f7cff6ce1e6bf26991358721990ecaabaccf42d0cba2cbe27b608cfc01fa6c6e57e0acbea0bd94644678

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5c47b7feb8fce38bfb28b5b59e7b10f

SHA1
52fc14ca728aac61587d6d0efa9aff790dfb4dd0

SHA256
7326ebd679833c978f9d9a59681dc36fa1cecd2a8f686747acedfd4e3201b807

SHA512
58fa6853bf5286b0667ba0dcf7d27bfaf02da606736d17ee872a8a9a870deb3f50534d307582f8b0c454aaf9e5d581a9dfab6401c2f2891bcc5781c992969055

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7f4b2c540b1c14881ebde2fa1c05d31

SHA1
df55837105cd784c2ebe730ca2d002dfb47ee078

SHA256
20e6fbee24b2de059a5414bfa1bb679bda363a72de0e6e5f4a3f3321d35da615

SHA512
8377da9f648db9e28e6c7db5a802590bb92ec57682a34f8c058a24947c01e2fe0a024caa0b4dc510cade876fe524042f0f6f665ae6595dec6eede37dad17f8fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce9833e5718436e1051bd7942913ff2e

SHA1
848b32996d723eb29e74e3c5e4b3055aec90ae36

SHA256
2d2eb43ad43f9269ec06d17369a40c0903d1c80d4c8dae7b80004e3388f3c4d8

SHA512
55c484527bbb7421a3a038b997ddb96ae8e978c3fa87e53ae5016047cbbf3830a0629fc0bc0ddc8d9d4a764f42c6c43a738adc977f6a4946740b486d03d7afd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9dedfb1cd56cfd9e0dabba56b30fb6bf

SHA1
6d780be0471b83f92958e31a5fe29c3a0b5782fc

SHA256
ea69e302907da2f5c20712b16db83e7aa1fbc013e31a69f5b5992e0e95e1fb79

SHA512
f25824f202e55f625c6dd8acca91d3e47b66c4edea37fbdc3345fb3b8ce74f0e716973f05473d2208ecd4e3c4a3b28245a72b25275bc6ba7f48b410505f5e574

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ddb01c2792f02ac1765f64048551983f

SHA1
e54fb65756ec6da30a23d7e57524e7c4c35f2816

SHA256
a7fee1ba16df68ad0612c973745204811aaa8ceed9446a7f127fbca1ad9fe0ac

SHA512
43f59257887c44b7ba9639fd18d7229dddc435d32f8386b5e5474ccd89a9e4b3e61605f221f3de790270d94a9faa1f27887cb0bbd3280686316ba56875740af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\p3auzoo\imagestore.dat

Filesize
5KB

MD5
911abe8a66b1d56f85df3107e5181165

SHA1
1d1fa00c9050b7b864c519256a079dc3aed6ba28

SHA256
b50d24b0fa32256061a7f2f81491b41cd8c88d056ac87c31bdd3f13a4fa0b681

SHA512
571c0337935897deb42fc90574acdc90594c23b38171733ed4304aeff7a8baed8041c72684ad51816e6b86d8185699808dd6e76c57007b7c98a9f1035457570b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H57AUUE9\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1ED8.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1EEA.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1F8C.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2152-998-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2152-1498-0x0000000000DB0000-0x0000000000DF0000-memory.dmp

Filesize
256KB

Download
memory/2152-1497-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-1009-0x0000000000DB0000-0x0000000000DF0000-memory.dmp

Filesize
256KB

Download
memory/2152-1002-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-35-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-43-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-927-0x0000000000A00000-0x0000000000A42000-memory.dmp

Filesize
264KB

Download
memory/2492-928-0x0000000002170000-0x00000000021BC000-memory.dmp

Filesize
304KB

Download
memory/2492-929-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-930-0x0000000000A80000-0x0000000000AC0000-memory.dmp

Filesize
256KB

Download
memory/2492-1-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-2-0x0000000004670000-0x0000000004718000-memory.dmp

Filesize
672KB

Download
memory/2492-3-0x0000000000A80000-0x0000000000AC0000-memory.dmp

Filesize
256KB

Download
memory/2492-4-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-996-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-63-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-65-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-67-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-61-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-59-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-57-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-55-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-53-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-51-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-49-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-47-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-45-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-926-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2492-41-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-39-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-37-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-0-0x0000000000B70000-0x0000000000C52000-memory.dmp

Filesize
904KB

Download
memory/2492-33-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-31-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-29-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-27-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-21-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-23-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-25-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-17-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-19-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-15-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-13-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-11-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-9-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-7-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2492-5-0x0000000004670000-0x0000000004713000-memory.dmp

Filesize
652KB

Download
memory/2828-937-0x000000006F220000-0x000000006F7CB000-memory.dmp

Filesize
5.7MB

Download
memory/2828-936-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/2828-935-0x000000006F220000-0x000000006F7CB000-memory.dmp

Filesize
5.7MB

Download
memory/2828-934-0x000000006F220000-0x000000006F7CB000-memory.dmp

Filesize
5.7MB

Download