Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Resubmissions

08-02-2024 19:00

240208-xnla2ahe7z 10

08-02-2024 07:34

240208-jd5p2aefen 10

08-02-2024 04:47

240208-fevdxabb9y 10

Analysis

  • max time kernel
    300s
  • max time network
    299s
  • platform
    windows10-1703_x64
  • resource
    win10-20231220-en
  • resource tags

    arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-02-2024 04:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe

  • Size

    5.5MB

  • MD5

    c4580e8db0c3dbc88891842fd8a31158

  • SHA1

    744f03fcf10db1459d3f40beaea2bfe1b000582b

  • SHA256

    1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922

  • SHA512

    cefd412e0d5aba56d6603fdc46a056474ce387dbb220b32a9317dca0822bef9320515afacc2ab2086db46f9e01b3456c87a0dc83bd99c246550d87efd3606945

  • SSDEEP

    98304:Fs9EI6sZJrf04Hr3VvPkrcRizJ6krK4JLQaEHlXU+vG9G1jMaZQRrkp:W+I6sU4HjZkwkVJo1+G1jMaZQpk

Score
10/10
dcratdjvufabookiegluptebasmokeloadervidar655507914130aa0fe72362726c206a7cpub1backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratrootkitspywarestealertrojanupx

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://habrafa.com/test1/get.php

Attributes
  • extension

    .ldhy

  • offline_id

    pIGzEr0bxHiTz7xnvNidWeqzKkxMfVdHTyCkzwt1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://habrafa.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-hPAqznkJKD Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0849ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.7

Botnet

655507914130aa0fe72362726c206a7c

C2

https://t.me/newagev

https://steamcommunity.com/profiles/76561199631487327
Attributes
  • profile_id_v2

    655507914130aa0fe72362726c206a7c

Signatures

  • DcRat 7 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect Fabookie payload 2 IoCs
  • Detect Vidar Stealer 2 IoCs
    stealer
  • Detected Djvu ransomware 13 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 12 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 1 IoCs
  • Executes dropped EXE 32 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe
    "C:\Users\Admin\AppData\Local\Temp\1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Users\Admin\AppData\Local\Temp\u104.0.exe
        "C:\Users\Admin\AppData\Local\Temp\u104.0.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:360
      • C:\Users\Admin\AppData\Local\Temp\u104.1.exe
        "C:\Users\Admin\AppData\Local\Temp\u104.1.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3024
          • C:\Windows\SysWOW64\chcp.com
            chcp 1251
            5⤵
              PID:2808
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
              5⤵
              • DcRat
              • Creates scheduled task(s)
              PID:2112
      • C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
        "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4968
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3868
        • C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
          "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
          3⤵
          • DcRat
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:1116
          • C:\Windows\System32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4488
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              5⤵
              • Modifies Windows Firewall
              PID:3892
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:4064
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:4212
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Manipulates WinMonFS driver.
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4064
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              5⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:5100
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              5⤵
              • DcRat
              • Creates scheduled task(s)
              PID:1480
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /tn ScheduledUpdate /f
              5⤵
                PID:4464
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:3196
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:4108
              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                5⤵
                • Executes dropped EXE
                PID:196
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                5⤵
                • DcRat
                • Creates scheduled task(s)
                PID:1028
              • C:\Windows\windefender.exe
                "C:\Windows\windefender.exe"
                5⤵
                • Executes dropped EXE
                PID:4568
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  6⤵
                    PID:1012
                    • C:\Windows\SysWOW64\sc.exe
                      sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                      7⤵
                      • Launches sc.exe
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3704
          • C:\Users\Admin\AppData\Local\Temp\rty25.exe
            "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
            2⤵
            • DcRat
            • Executes dropped EXE
            PID:3444
          • C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
            "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
            2⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:1836
        • C:\Users\Admin\AppData\Local\Temp\F7BE.exe
          C:\Users\Admin\AppData\Local\Temp\F7BE.exe
          1⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:4372
        • C:\Users\Admin\AppData\Local\Temp\2111.exe
          C:\Users\Admin\AppData\Local\Temp\2111.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1800
          • C:\Users\Admin\AppData\Local\Temp\2111.exe
            C:\Users\Admin\AppData\Local\Temp\2111.exe
            2⤵
            • Executes dropped EXE
            • Adds Run key to start application
            PID:976
            • C:\Windows\SysWOW64\icacls.exe
              icacls "C:\Users\Admin\AppData\Local\9e8ebbe8-66e4-44cd-ab77-89988f12705a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
              3⤵
              • Modifies file permissions
              PID:3888
            • C:\Users\Admin\AppData\Local\Temp\2111.exe
              "C:\Users\Admin\AppData\Local\Temp\2111.exe" --Admin IsNotAutoStart IsNotTask
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:4128
              • C:\Users\Admin\AppData\Local\Temp\2111.exe
                "C:\Users\Admin\AppData\Local\Temp\2111.exe" --Admin IsNotAutoStart IsNotTask
                4⤵
                • Executes dropped EXE
                PID:1312
                • C:\Users\Admin\AppData\Local\1d11d2b2-5ee1-43b9-a043-f95908ba78db\build2.exe
                  "C:\Users\Admin\AppData\Local\1d11d2b2-5ee1-43b9-a043-f95908ba78db\build2.exe"
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:2984
                  • C:\Users\Admin\AppData\Local\1d11d2b2-5ee1-43b9-a043-f95908ba78db\build2.exe
                    "C:\Users\Admin\AppData\Local\1d11d2b2-5ee1-43b9-a043-f95908ba78db\build2.exe"
                    6⤵
                    • Executes dropped EXE
                    PID:2172
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 2084
                      7⤵
                      • Program crash
                      PID:3400
                • C:\Users\Admin\AppData\Local\1d11d2b2-5ee1-43b9-a043-f95908ba78db\build3.exe
                  "C:\Users\Admin\AppData\Local\1d11d2b2-5ee1-43b9-a043-f95908ba78db\build3.exe"
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:4672
                  • C:\Users\Admin\AppData\Local\1d11d2b2-5ee1-43b9-a043-f95908ba78db\build3.exe
                    "C:\Users\Admin\AppData\Local\1d11d2b2-5ee1-43b9-a043-f95908ba78db\build3.exe"
                    6⤵
                    • Executes dropped EXE
                    PID:2896
                    • C:\Windows\SysWOW64\schtasks.exe
                      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                      7⤵
                      • DcRat
                      • Creates scheduled task(s)
                      PID:4240
        • C:\Windows\windefender.exe
          C:\Windows\windefender.exe
          1⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          PID:920
        • C:\Users\Admin\AppData\Local\Temp\9F89.exe
          C:\Users\Admin\AppData\Local\Temp\9F89.exe
          1⤵
          • Executes dropped EXE
          PID:2968
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 988
            2⤵
            • Program crash
            PID:2284
        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          PID:2976
          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            2⤵
            • Executes dropped EXE
            PID:5040
            • C:\Windows\SysWOW64\schtasks.exe
              /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              3⤵
              • DcRat
              • Creates scheduled task(s)
              PID:1200
        • C:\Users\Admin\AppData\Local\Temp\E4.exe
          C:\Users\Admin\AppData\Local\Temp\E4.exe
          1⤵
          • Drops startup file
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2036
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
            2⤵
            • Executes dropped EXE
            PID:4228
        • C:\Users\Admin\AppData\Roaming\ithdjhb
          C:\Users\Admin\AppData\Roaming\ithdjhb
          1⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:2216
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 484
            2⤵
            • Program crash
            PID:4572
        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          PID:4788
          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            2⤵
            • Executes dropped EXE
            PID:64
        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          PID:3772
          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            2⤵
            • Executes dropped EXE
            PID:4864
        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          PID:1780
          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            2⤵
            • Executes dropped EXE
            PID:3616

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Scheduled Task/Job

        1
        T1053

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Scheduled Task/Job

        1
        T1053

        Defense Evasion

        File and Directory Permissions Modification

        1
        T1222

        Impair Defenses

        3
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Disable or Modify Tools

        2
        T1562.001

        Modify Registry

        3
        T1112

        Credential Access

        Unsecured Credentials

        3
        T1552

        Credentials In Files

        3
        T1552.001

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        4
        T1012

        System Information Discovery

        4
        T1082

        Lateral Movement

        Collection

        Data from Local System

        3
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Are.docx
          Filesize

          11KB

          MD5

          a33e5b189842c5867f46566bdbf7a095

          SHA1

          e1c06359f6a76da90d19e8fd95e79c832edb3196

          SHA256

          5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

          SHA512

          f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

          Download Submit

        • C:\ProgramData\mozglue.dll
          Filesize

          593KB

          MD5

          c8fd9be83bc728cc04beffafc2907fe9

          SHA1

          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

          SHA256

          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

          SHA512

          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
          Filesize

          1KB

          MD5

          267f3fbb231876ea1b3de1b8aaea1917

          SHA1

          df0843fb7137e7e81e449ba3c05168fe892ffa78

          SHA256

          5157427e4c6e429f14a19cec39e30d37b17040ca86886879c0315d157e7b90d5

          SHA512

          dec882dbb4505cce10525f935a90c2a87552ddc08701e3faa8de7561dea23f4c029142154b6818e0a50599a2e3341fb12b5c4554d06a0ee5f2ab07941eeecc61

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
          Filesize

          724B

          MD5

          8202a1cd02e7d69597995cabbe881a12

          SHA1

          8858d9d934b7aa9330ee73de6c476acf19929ff6

          SHA256

          58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

          SHA512

          97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
          Filesize

          410B

          MD5

          856c6f761e9ae81c8792298cdce1e323

          SHA1

          3fef81b2b32f53435ca9106e0369205bf043ab02

          SHA256

          99b51aed617386db40324e48eab43a11de07048d14feffe98dd1214cebda8727

          SHA512

          6353aa47a1a6501899525d243dbb91d38b727c7d57598eb96d92f020184d98520f57574a43897675c21bbf3a7401757a6e069159f05f11067454bc2595dd9466

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
          Filesize

          392B

          MD5

          7ae0d94dd14527c4eab91e0b284141f7

          SHA1

          4893a78c47394ad618d70e72b8aa3a6181375e62

          SHA256

          fc1c396cb14e9c768d5724685d66ccc5b9449005825e2632936cc13bc15574bf

          SHA512

          959b147537bb87d754ff174b956f9f875db94a400656e6570e895f5f2a555ce62e034b94f2b6f3236ad97df1e694db43090770d9bd06dfd947ca28ff1bd1ad83

          Download Submit

        • C:\Users\Admin\AppData\Local\1d11d2b2-5ee1-43b9-a043-f95908ba78db\build2.exe
          Filesize

          332KB

          MD5

          a0cc1241aa4803dc23ff778af73e3768

          SHA1

          75d07c8f1784e8e64e7520c2666bc63c2a477ffa

          SHA256

          c0b12bbdcb41f6941d4356309fd8a43f61cbfd18eee044ff1771cbdbba248466

          SHA512

          3ccb46eca07827f5c86b31da5f7ab1b4a4b80f0cf3c1f8245c9ea57cf7c2244bc5f867a09696ce1c80cce38c631c7f6a13dca537b8e4b297735324f52cabb755

          Download Submit

        • C:\Users\Admin\AppData\Local\1d11d2b2-5ee1-43b9-a043-f95908ba78db\build3.exe
          Filesize

          299KB

          MD5

          41b883a061c95e9b9cb17d4ca50de770

          SHA1

          1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

          SHA256

          fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

          SHA512

          cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\2111.exe
          Filesize

          733KB

          MD5

          5b127dfb33460a1a7f49309e53e5074c

          SHA1

          2f372ad5bfe1395f703dfe0f63980bad366c726e

          SHA256

          e701ffa4d637b5a0dce41b547d1c7447a9fdc36198cd83c22a22a983ea828d40

          SHA512

          900a9ad9ac8c4dcc6db655d38498b2c2480a4525adfb590ed726d32ca876d89c6dc0565ec370e6a0b06eabdb2e14745c7a7e2b62e49fc05d5ab1354296eb785f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\9F89.exe
          Filesize

          6.0MB

          MD5

          95e59305ad61119cf15ee95562bd05ba

          SHA1

          0f0059cda9609c46105cf022f609c407f3718e04

          SHA256

          dd87f94c961b9612bbd65761bee6ed15318d63652f262e2c425bd177a2341a19

          SHA512

          5fbcfe79162460080e0c3944df747835f0b8f2cdb35b038eb69eadf2eb85a209f7d5432a328d0f0eeafba036012f48793e3c08d94531b98a12a498bcf3b00ad2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\E4.exe
          Filesize

          649KB

          MD5

          35ffefa212414c2538df410e5ad3afa7

          SHA1

          e7721fbb85e400c74c7f4de95f1c27b6318caabd

          SHA256

          9217999518147c602f16ed7d80c9b95dec621f442192ce49192736a27e73847f

          SHA512

          7bf9ffe99588a1e6e01a6c84fee7bd998b337653c908e33d3c10f1aa9abc7af925ca9d86a884099824133947614aa070181c973b220163dd99dde87765152a25

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\F7BE.exe
          Filesize

          234KB

          MD5

          d1b4b083e0ea20a087018bde31c37a75

          SHA1

          fe5a597a8a0dcf26204e99ef8f7abf2c9359e47f

          SHA256

          a578ab8f490d32d4ec916f02ce6ed22ef4572bf21db481dcce5b1b2ccf228d92

          SHA512

          30d41aa90f517119ac77ac0cc9fc86d6f17ccde315dfd05cdbbc7b27e38039a3c2772583c8cf206c21f5a92980cbf1a64f759b364529f88cbdaaa4d85350eb6d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
          Filesize

          419KB

          MD5

          654abe1db0f972272b5b012914d9e5d6

          SHA1

          1ac7b42167369dcfa528837f13a2c80de7bcc161

          SHA256

          5f2bdf7f83ab075f7dafaf7493cbf4ab08d2e79b95cd3382621acfe73ba96094

          SHA512

          18823ab8a9a160ac169052ec210e6adb356190dc0644c8b5fd6f5ccbc8de2666c5e9d44ef90c954d5b6e948c81ef2666900c0fe40b7d5e4b644a39e8b93c1a12

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_44vldbnw.lgi.ps1
          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Filesize

          281KB

          MD5

          d98e33b66343e7c96158444127a117f6

          SHA1

          bb716c5509a2bf345c6c1152f6e3e1452d39d50d

          SHA256

          5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

          SHA512

          705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
          Filesize

          4.2MB

          MD5

          66560a15081c9dee9fed498d5f0a25a9

          SHA1

          fbd7626525777262423fb9beea1e5b7e50fda2b5

          SHA256

          11e2cfb1fb58a3f69826d5bc36e88fde44c53def20891739ea7054eaabf24551

          SHA512

          dbd84583c6248db88452ef12074aa668ee982a9fe18484611a1b6d67a7233f9f3fca466bc843dfbc227099a5fd67af24c98f2d5408b26f8cf9fd635f7c70ba07

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rty25.exe
          Filesize

          715KB

          MD5

          8dc1f88ae1fcedeb3983c5f5c3d486b0

          SHA1

          d40e67ba5558d90cb11eeca04d213322159336fc

          SHA256

          4a15d91920a4da9a64935248c126fb60e8302198df8e5759da8129ac1841beca

          SHA512

          0b2263fe049e280af1178fd396a06a04e6b99f7c971839207ae225161257ed9d9b7eaa8d0ceb1f14d3aa2094b53ce91dd045ebc169102e707ea7285f91432ac1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
          Filesize

          238KB

          MD5

          8c20d9745afb54a1b59131314c15d61c

          SHA1

          1975f997e2db1e487c1caf570263a6a3ba135958

          SHA256

          a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1

          SHA512

          580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\u104.0.exe
          Filesize

          245KB

          MD5

          6bcb57185d8d60e412c18a77c073c282

          SHA1

          30dfe3fe86a5262fa6541f9f341dbf64257b3cd1

          SHA256

          273c007885a368407eb619a50c605396aa279e46c5ab89de04a0e75540a157c4

          SHA512

          37eeaf3bb36ecfea89cd800f8bdff9b821b76c557f503f84da5ca36e4ddea0fb06b493e13cbb4bb1e70827eb07ec2329c9d3fa8d270a716b7009e9dcd19332ef

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\u104.1.exe
          Filesize

          4.7MB

          MD5

          5e94f0f6265f9e8b2f706f1d46bbd39e

          SHA1

          d0189cba430f5eea07efe1ab4f89adf5ae2453db

          SHA256

          50a46b3120da828502ef0caba15defbad004a3adb88e6eacf1f9604572e2d503

          SHA512

          473dfa66a36feed9b29a43245074141478327ce22ba7cce512599379dcb783b4d665e2d65c5e9750b988c7ed8f6c3349a7a12d4b8b57c89840eee6ca6e1a30cd

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
          Filesize

          4KB

          MD5

          a5ce3aba68bdb438e98b1d0c70a3d95c

          SHA1

          013f5aa9057bf0b3c0c24824de9d075434501354

          SHA256

          9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

          SHA512

          7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Temp\Task.bat
          Filesize

          128B

          MD5

          11bb3db51f701d4e42d3287f71a6a43e

          SHA1

          63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

          SHA256

          6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

          SHA512

          907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          db01a2c1c7e70b2b038edf8ad5ad9826

          SHA1

          540217c647a73bad8d8a79e3a0f3998b5abd199b

          SHA256

          413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

          SHA512

          c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          18KB

          MD5

          f37d198bc3d134c79059c4adbea0b5a9

          SHA1

          8364cda4965e7c9434b41f697cfefb9ab622fbdb

          SHA256

          d43eb1f853ab99b7abb548c00025e7c21765dc5ad23ea13080d96b5b99673f28

          SHA512

          eb9172a3eaf5d723cfbbd1e23a24b1eb8ba07eca1f3bcf31e808764e4a0caf3c9ef6fcac2cb0f645592cb51278d709b22a7874ffe5fab4cba84c3be67b51b96e

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          18KB

          MD5

          89fe82ac7acd9d0769e89287a5445459

          SHA1

          17f822ffd5da59d8d724f4f60586c04d174c4901

          SHA256

          00a60cb9eb9d8d983cd92cacbb375c34dbbc865a9aa9715c75349219564de3b7

          SHA512

          a92d3e45ead2846c995c6dc79e7501c3ab7448da9534f18429ca6d7270fe2f7e352ad4a544d5b9c4d18435fcd980a59fcb8c3c849901c2308c2e7abd63e0cca8

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          18KB

          MD5

          f3e59a3f1cc710d969a7b13ecd179235

          SHA1

          285bcbf19b8ec30b3578fc57df82ac122eba3d1e

          SHA256

          5532d685dbc8ee777c7f1e05c8f511899e2902bb4a2642b612c4a5227f10e470

          SHA512

          f42ff5e331e862252b6afd9e74a45517b0723c3695ed450d50a6a2a4550c58e32cfae1033247f838fbe39d9239b580521de14b36ab131e87e24dd1d20380c734

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          18KB

          MD5

          b59017a8c30d7006d85ced2c9734eb50

          SHA1

          fb6c933d88b75101f4f2ee79d9d2d09a89a6d121

          SHA256

          67b72f157f829026c6c81abce46cab95972190061f45c2dc0c02394d48a71070

          SHA512

          2337d25ee6593031405d2bbddec7f0ee6c4d1bddd9326326ba89991465f6855f27d30f385940383d0cbd418a195e8ba02002d76c554da9966f42d236551b50bf

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          18KB

          MD5

          1e7d302e65ee9fc9d3345f0017436189

          SHA1

          30b248e176ff275b11b00fba9ea6a19bfdad64be

          SHA256

          4dc056c2cbdfd39cc5c164654ec3d3d3f55a0268714073c5a4e3ec040c66c5ad

          SHA512

          75222732d94815c5fead9ac8436060f6605554e80ca139f343337fca0c60da2f1f94c1d6db1f96f1f2874ef8f8fe4df73f1f4ffb6a89896589b9155a8751bb1b

          Download Submit

        • C:\Windows\windefender.exe
          Filesize

          2.0MB

          MD5

          8e67f58837092385dcf01e8a2b4f5783

          SHA1

          012c49cfd8c5d06795a6f67ea2baf2a082cf8625

          SHA256

          166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

          SHA512

          40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

          Download Submit

        • \ProgramData\nss3.dll
          Filesize

          2.0MB

          MD5

          1cc453cdf74f31e4d913ff9c10acdde2

          SHA1

          6e85eae544d6e965f15fa5c39700fa7202f3aafe

          SHA256

          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

          SHA512

          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

          Download Submit

        • memory/360-1407-0x0000000000400000-0x0000000000647000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/360-431-0x0000000000400000-0x0000000000647000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/360-444-0x0000000000860000-0x0000000000960000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/360-64-0x0000000000400000-0x0000000000647000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/360-947-0x0000000000400000-0x0000000000647000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/360-127-0x0000000061E00000-0x0000000061EF3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/360-61-0x0000000000860000-0x0000000000960000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/360-63-0x0000000002240000-0x0000000002274000-memory.dmp

          Filesize

          208KB

          Download

        • memory/920-2061-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/976-1994-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/976-1977-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/976-1979-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/976-1982-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1116-446-0x00000000078B0000-0x0000000007C00000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1116-471-0x000000007EA80000-0x000000007EA90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1116-472-0x00000000721E0000-0x000000007222B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/1116-694-0x0000000073940000-0x000000007402E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1116-447-0x0000000007E60000-0x0000000007EAB000-memory.dmp

          Filesize

          300KB

          Download

        • memory/1116-473-0x000000006FD20000-0x0000000070070000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1116-445-0x0000000073940000-0x000000007402E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1116-480-0x00000000011C0000-0x00000000011D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1116-478-0x00000000093D0000-0x0000000009475000-memory.dmp

          Filesize

          660KB

          Download

        • memory/1300-30-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/1300-29-0x00000000020A0000-0x0000000002107000-memory.dmp

          Filesize

          412KB

          Download

        • memory/1300-81-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/1300-28-0x0000000000480000-0x0000000000580000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1312-2003-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1312-2012-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1312-2019-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1312-2018-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1312-2051-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1312-2001-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1312-2029-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1312-2016-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1312-2011-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1756-470-0x0000000000910000-0x0000000000911000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1756-82-0x0000000000910000-0x0000000000911000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1756-443-0x0000000000400000-0x00000000008E2000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/1836-166-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1836-32-0x00000000006F0000-0x00000000007F0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1836-33-0x00000000004B0000-0x00000000004BB000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1836-34-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/2172-2043-0x0000000000400000-0x0000000000644000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2172-2038-0x0000000000400000-0x0000000000644000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2232-27-0x0000000073F90000-0x000000007467E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2232-0-0x00000000000B0000-0x0000000000640000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2232-1-0x0000000073F90000-0x000000007467E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2816-439-0x0000000002D90000-0x000000000367B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/2816-440-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2816-438-0x0000000002880000-0x0000000002C82000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/2816-971-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2816-1196-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3408-1840-0x0000000000BF0000-0x0000000000C06000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3408-164-0x0000000000B60000-0x0000000000B76000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3444-22-0x00007FF6C6880000-0x00007FF6C6937000-memory.dmp

          Filesize

          732KB

          Download

        • memory/3444-479-0x0000000003900000-0x0000000003A2C000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-92-0x00000000036C0000-0x00000000037CA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3444-94-0x0000000003900000-0x0000000003A2C000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3868-59-0x0000000007770000-0x00000000077D6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3868-66-0x0000000008A00000-0x0000000008A4B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/3868-53-0x0000000007380000-0x0000000007390000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3868-409-0x00000000072F0000-0x00000000072F8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3868-396-0x0000000007300000-0x000000000731A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3868-186-0x000000000A640000-0x000000000A6D4000-memory.dmp

          Filesize

          592KB

          Download

        • memory/3868-57-0x00000000079C0000-0x0000000007FE8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/3868-434-0x0000000073940000-0x000000007402E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3868-58-0x00000000076D0000-0x00000000076F2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3868-182-0x0000000007380000-0x0000000007390000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3868-49-0x0000000004FC0000-0x0000000004FF6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/3868-180-0x000000000A470000-0x000000000A515000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3868-173-0x000000006FC50000-0x000000006FFA0000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3868-174-0x000000000A410000-0x000000000A42E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3868-170-0x000000007F800000-0x000000007F810000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3868-171-0x000000000A430000-0x000000000A463000-memory.dmp

          Filesize

          204KB

          Download

        • memory/3868-172-0x000000006F710000-0x000000006F75B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/3868-48-0x0000000073940000-0x000000007402E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3868-96-0x0000000009630000-0x000000000966C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3868-60-0x0000000007950000-0x00000000079B6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3868-62-0x0000000008030000-0x0000000008380000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3868-83-0x0000000009480000-0x00000000094F6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3868-51-0x0000000007380000-0x0000000007390000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3868-65-0x0000000008470000-0x000000000848C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/4064-700-0x0000000004D60000-0x0000000004D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4064-724-0x00000000721E0000-0x000000007222B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4064-2020-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4064-699-0x0000000004D60000-0x0000000004D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4064-2059-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4064-1741-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4064-698-0x0000000073940000-0x000000007402E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4372-1845-0x0000000000400000-0x000000000044B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4568-2028-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/4968-432-0x0000000002930000-0x0000000002D2D000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4968-436-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4968-181-0x0000000002E30000-0x000000000371B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/4968-36-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4968-35-0x0000000002930000-0x0000000002D2D000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4968-31-0x0000000002E30000-0x000000000371B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/4968-419-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download