Overview

overview

10

Static

static

3

a6bda3b1e9...9c.exe

windows7-x64

10

a6bda3b1e9...9c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-02-2024 05:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe

  • Size

    286KB

  • MD5

    b711abfd1d3f342fd53e7234672e23a3

  • SHA1

    abba6fdf4ce45cfc9121bc8f93658b0875ba1f4f

  • SHA256

    a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c

  • SHA512

    f3d3e2e2bad6975e45c9b90568604085c92b7016ee7c56504593d1fea695b3be5c05991515c7ebe9442cc315084a75f59d19630e108806f78f912521efa5e242

  • SSDEEP

    3072:Wz6T6oy729nhffLbCWeia4bU3qrf9tExSD2w3TA4xFgIzSUxaIa2Vd:3T6o28XC7AU3gvEx/6TA4LiUxaIh

Score
10/10
amadeydjvulgoogloaderlummaredlinesmokeloaderxmriglogsdiller cloud (telegram: @logsdillabot)pub1backdoordiscoverydownloaderevasioninfostealerminerpersistenceransomwarespywarestealerthemidatrojanupx

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://habrafa.com/test1/get.php

Attributes
  • extension

    .lkhy

  • offline_id

    OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://habrafa.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

5.42.65.38:46185

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Extracted

Family

lumma

C2

https://resergvearyinitiani.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detected Djvu ransomware 10 IoCs
  • Detects LgoogLoader payload 1 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF 1 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 1 IoCs
  • Detects executables containing artifacts associated with disabling Widnows Defender 1 IoCs
  • Detects executables embedding command execution via IExecuteCommand COM object 1 IoCs
  • Detects executables packed with Themida 14 IoCs
  • Detects executables packed with unregistered version of .NET Reactor 4 IoCs
  • Detects executables potentially checking for WinJail sandbox window 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    evasion
  • UPX dump on OEP (original entry point) 9 IoCs
  • XMRig Miner payload 5 IoCs
    miner
  • Blocklisted process makes network request 2 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 14 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 14 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe
    "C:\Users\Admin\AppData\Local\Temp\a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3972
  • C:\Users\Admin\AppData\Local\Temp\971F.exe
    C:\Users\Admin\AppData\Local\Temp\971F.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:1924
  • C:\Users\Admin\AppData\Local\Temp\A9CE.exe
    C:\Users\Admin\AppData\Local\Temp\A9CE.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Temp\A9CE.exe
      C:\Users\Admin\AppData\Local\Temp\A9CE.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\d8505720-1bf6-40ce-b0c3-5071a9d2bb7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:3596
      • C:\Users\Admin\AppData\Local\Temp\A9CE.exe
        "C:\Users\Admin\AppData\Local\Temp\A9CE.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Users\Admin\AppData\Local\Temp\A9CE.exe
          "C:\Users\Admin\AppData\Local\Temp\A9CE.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Executes dropped EXE
          PID:1256
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 568
            5⤵
            • Program crash
            PID:2680
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1256 -ip 1256
    1⤵
      PID:3408
    • C:\Users\Admin\AppData\Local\Temp\BD95.exe
      C:\Users\Admin\AppData\Local\Temp\BD95.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4372
        • C:\Users\Admin\AppData\Local\Temp\filename.exe
          "C:\Users\Admin\AppData\Local\Temp\filename.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Drops file in Drivers directory
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:3428
          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4832
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            4⤵
              PID:5004
              • C:\Windows\system32\wusa.exe
                wusa /uninstall /kb:890830 /quiet /norestart
                5⤵
                  PID:4648
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop UsoSvc
                4⤵
                • Launches sc.exe
                PID:1424
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop WaaSMedicSvc
                4⤵
                • Launches sc.exe
                PID:4576
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop wuauserv
                4⤵
                • Launches sc.exe
                PID:1792
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop bits
                4⤵
                • Launches sc.exe
                PID:1924
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop dosvc
                4⤵
                • Launches sc.exe
                PID:3748
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2920
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1280
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3288
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3824
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
                4⤵
                • Launches sc.exe
                PID:724
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
                4⤵
                • Launches sc.exe
                PID:3284
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop eventlog
                4⤵
                • Launches sc.exe
                PID:3372
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
                4⤵
                • Launches sc.exe
                PID:1000
        • C:\Users\Admin\AppData\Local\Temp\EBAB.exe
          C:\Users\Admin\AppData\Local\Temp\EBAB.exe
          1⤵
          • Executes dropped EXE
          PID:3492
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F0CC.bat" "
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:436
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
            2⤵
              PID:3324
          • C:\Users\Admin\AppData\Local\Temp\F9D6.exe
            C:\Users\Admin\AppData\Local\Temp\F9D6.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2412
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              2⤵
              • Checks computer location settings
              • Drops startup file
              • Suspicious use of AdjustPrivilegeToken
              PID:3716
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
                3⤵
                • Executes dropped EXE
                PID:4704
          • C:\Users\Admin\AppData\Local\Temp\996.exe
            C:\Users\Admin\AppData\Local\Temp\996.exe
            1⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Windows directory
            PID:2184
          • C:\Users\Admin\AppData\Local\Temp\E3B.exe
            C:\Users\Admin\AppData\Local\Temp\E3B.exe
            1⤵
            • UAC bypass
            • Windows security bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Windows security modification
            • Checks whether UAC is enabled
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:876
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\E3B.exe" -Force
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3240
            • C:\Windows\SysWOW64\calc.exe
              "C:\Windows\SYSWOW64\calc.exe"
              2⤵
                PID:4584
            • C:\ProgramData\Google\Chrome\updater.exe
              C:\ProgramData\Google\Chrome\updater.exe
              1⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Drops file in Drivers directory
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Drops file in System32 directory
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              PID:3956
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:1444
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop WaaSMedicSvc
                2⤵
                • Launches sc.exe
                PID:5048
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop wuauserv
                2⤵
                • Launches sc.exe
                PID:1448
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop dosvc
                2⤵
                • Launches sc.exe
                PID:3472
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop bits
                2⤵
                • Launches sc.exe
                PID:1492
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop UsoSvc
                2⤵
                • Launches sc.exe
                PID:2468
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                2⤵
                  PID:4364
                • C:\Windows\system32\conhost.exe
                  C:\Windows\system32\conhost.exe
                  2⤵
                    PID:652
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1312
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4056
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4148
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3272
                  • C:\Windows\explorer.exe
                    explorer.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3652
                • C:\Windows\system32\wusa.exe
                  wusa /uninstall /kb:890830 /quiet /norestart
                  1⤵
                    PID:2988
                  • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                    C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                    1⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    PID:3804
                    • C:\Windows\SysWOW64\rundll32.exe
                      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                      2⤵
                      • Loads dropped DLL
                      PID:4656
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                        3⤵
                        • Blocklisted process makes network request
                        • Loads dropped DLL
                        PID:2808
                        • C:\Windows\system32\netsh.exe
                          netsh wlan show profiles
                          4⤵
                            PID:3324
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\168293393341_Desktop.zip' -CompressionLevel Optimal
                            4⤵
                              PID:2992
                        • C:\Windows\SysWOW64\rundll32.exe
                          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                          2⤵
                          • Blocklisted process makes network request
                          • Loads dropped DLL
                          PID:2232

                      Network

                      MITRE ATT&CK Enterprise v15

                      Reconnaissance

                      Resource Development

                      Initial Access

                      Execution

                      Persistence

                      Boot or Logon Autostart Execution

                      1
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Create or Modify System Process

                      2
                      T1543

                      Windows Service

                      2
                      T1543.003

                      Privilege Escalation

                      Abuse Elevation Control Mechanism

                      1
                      T1548

                      Bypass User Account Control

                      1
                      T1548.002

                      Boot or Logon Autostart Execution

                      1
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Create or Modify System Process

                      2
                      T1543

                      Windows Service

                      2
                      T1543.003

                      Defense Evasion

                      Abuse Elevation Control Mechanism

                      1
                      T1548

                      Bypass User Account Control

                      1
                      T1548.002

                      File and Directory Permissions Modification

                      1
                      T1222

                      Impair Defenses

                      4
                      T1562

                      Disable or Modify Tools

                      3
                      T1562.001

                      Modify Registry

                      5
                      T1112

                      Virtualization/Sandbox Evasion

                      2
                      T1497

                      Credential Access

                      Unsecured Credentials

                      3
                      T1552

                      Credentials In Files

                      3
                      T1552.001

                      Discovery

                      Peripheral Device Discovery

                      1
                      T1120

                      Query Registry

                      7
                      T1012

                      System Information Discovery

                      5
                      T1082

                      Virtualization/Sandbox Evasion

                      2
                      T1497

                      Lateral Movement

                      Collection

                      Data from Local System

                      3
                      T1005

                      Command and Control

                      Exfiltration

                      Impact

                      Service Stop

                      1
                      T1489

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\ProgramData\Google\Chrome\updater.exe
                        Filesize

                        128KB

                        MD5

                        4441f05ac8dec68544e546329b79f347

                        SHA1

                        b6cd59f90cf793a060d55cb6d512d4cd02aa92ce

                        SHA256

                        71f61ce4f30dc92954abcb396ed306c30f83b98a08081b5088cf2c62f47932ef

                        SHA512

                        310319682a72ff27047fdd272bccae4f445835c204e47dce44643035b8f2c08200f38ab5435049287c76015e352ea256359ba809b4a8c5b99cca472272788d77

                        Download Submit

                      • C:\ProgramData\Google\Chrome\updater.exe
                        Filesize

                        7.1MB

                        MD5

                        448a4fe7cf78414bdf0b17c4e37bb867

                        SHA1

                        1fceca49b49953ab7b71782c435c923b640fe973

                        SHA256

                        b7c31c96bd76ea4fb440faf1df78e8c9ee42dcccfbfd1549b313a0cc992714ed

                        SHA512

                        ec75be5b46b4ca5938c5eff6a8c27d3d8daaab5edf7f78ded15ea829968464a98a5695dc70fcc72a03d17331bffde130dc29389dd0c6fd08155fcc9865deb465

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                        Filesize

                        2KB

                        MD5

                        d85ba6ff808d9e5444a4b369f5bc2730

                        SHA1

                        31aa9d96590fff6981b315e0b391b575e4c0804a

                        SHA256

                        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                        SHA512

                        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        18KB

                        MD5

                        6c8459e360a63712575e1141bd832d45

                        SHA1

                        2e88c55f5e673581ae25c2eba856c3e1e3d3cadf

                        SHA256

                        9d0ce10452c7fe5efcd82b3fc141db46e275bc9dfd850d13dc914898686894b9

                        SHA512

                        77ce5c5d64d4d17246d6b536fe1811049eaa6396b9c1fd675ff98ef24ccfe228f075061aa71f9f367add87b84f2845c81db09b1741288a7ce51fd4361357cd78

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        9b80cd7a712469a4c45fec564313d9eb

                        SHA1

                        6125c01bc10d204ca36ad1110afe714678655f2d

                        SHA256

                        5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

                        SHA512

                        ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\971F.exe
                        Filesize

                        259KB

                        MD5

                        5ead0a4dc3bf605775d48f0442ba371e

                        SHA1

                        36250ca49ef272946f09e442a65625bbde8ce714

                        SHA256

                        4f61b6ed6fa23715adf50cd5f3a74a427fc65006404338d9d9ad242d02f1222f

                        SHA512

                        06f479022c5cb1de9fa5ae96766f8b35c8e692bb86f7bfad4fa583a65b0b44f68ce0b895f9845b55b02b49a02462377561a3d06eed00ef84ec9f3290a8bc2b85

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\996.exe
                        Filesize

                        1.8MB

                        MD5

                        01cc26ecbfdeebceb71a8164da05fef3

                        SHA1

                        2bcadbcc1329fde8d7eb7b4ddee33a9690715b0a

                        SHA256

                        b8c3dd017ddb8ea416e886acf134b17e91c44b8ccc1eec03f760bb4b328ab00f

                        SHA512

                        006da3cbcca6bebfa82bb6d6d046e1a9a9a5bf8346bbc5ce30c1eb8b8249b930f9aaf8bbf92058183529e31827a8504f8f6b3710c0bb3e6a8a02b888e6766bb1

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\A9CE.exe
                        Filesize

                        788KB

                        MD5

                        1e962c67893e14647c2b57a8b4fe25d4

                        SHA1

                        2f2ce07ed3712576d8629f42bc7d377cc5b2d62a

                        SHA256

                        c87c4bf8647258e7215f77f8b2ca29a4c507a2ff0f55f434cc3706f805291a3f

                        SHA512

                        1d256f3d66e252f54e46a56f01aca379d823d3e40af517604363a939084702e3ebb71eeed0c174ea608b4752b07f1f0493955f062167f0114462e06df58f1f37

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\A9CE.exe
                        Filesize

                        64KB

                        MD5

                        59dd29909befb805686848c910a6fdde

                        SHA1

                        48305e6e90f206ac7d5b2805cab0eb65f6ca8b69

                        SHA256

                        2745d3a9694961784385adb15bb26852f66e867bfa813244f80da8d37b0fa924

                        SHA512

                        97dc5fe9fa3488ca7b8f063f1f195a4628bd02afb5b89decc29b0d825e9e5312183c9164b3ff6bb4c91a06ffceb0ca38f9b98fb3aefb0a0ae3363e9b5ff3d3bc

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\BD95.exe
                        Filesize

                        2.4MB

                        MD5

                        7ea4ead4fc9c5c7a9f3309cab716a28f

                        SHA1

                        b5457c2c7529585e02dac132b5adeed3a4f1f260

                        SHA256

                        431452b0cb6b0ee3d623c3394b120b104e24826585530708942690eeba34055a

                        SHA512

                        f6ca00aa0331da628514f982a4627c338c1c9f29a70146c7324e9212f73487a1a146a93f438be93f13cf08574da73769bdfefdbb02b689ffa6d8fc98a6993d1b

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\E3B.exe
                        Filesize

                        63KB

                        MD5

                        cbfbeaf0a6e70056f43406053cd61f1e

                        SHA1

                        b7088a9f29b8ab84aedaffec81441580775d5393

                        SHA256

                        fa776a4e5e0653f7856a19c3a9fbdad306eb9365cb553bc223d8075be5f5cd3b

                        SHA512

                        2930b11123191108d66e1bba5cb43f34ca963c424f6dd9c61751db62cef3039773dd100c179909d30099953513ca6eb07e29732af7928d2602c35a8020271c5c

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\EBAB.exe
                        Filesize

                        6.3MB

                        MD5

                        b1e8d4d7dd26612c17eccbf66b280e7c

                        SHA1

                        97dd5e81a4014fb54ef5ac3f1db88519843c85c2

                        SHA256

                        e3940372b04a4cb2177ae409c195debccfe004600d73a39d429a577d248d4cb2

                        SHA512

                        ff70dd3103128cd36bd1da3a734e635ec76d53a5629fc1f05941d6cadb9e82310da0ea298dcf449ef17c42a70ea7d787a75585ffa37a74f9007ca91a4481ecc8

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\F0CC.bat
                        Filesize

                        77B

                        MD5

                        55cc761bf3429324e5a0095cab002113

                        SHA1

                        2cc1ef4542a4e92d4158ab3978425d517fafd16d

                        SHA256

                        d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

                        SHA512

                        33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\F9D6.exe
                        Filesize

                        535KB

                        MD5

                        c85359e6fcc2b3aad2407a8769d8d1f1

                        SHA1

                        77adb2c84465aeef9ef0f8ddb12b0165610b57da

                        SHA256

                        8934e11fa9c967fe8e67d9fc1c1f518f18c107b6abc91b143e03e5b18f892782

                        SHA512

                        2f3c97978972293ca5a17838d173ad4554731edcc12e848bc27063a13ed5ca9bf0b8483f247891cf97be83e531ddab011d3c2b8156c92da8ec56a1a0b4c033a3

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_33zpcdsf.mfm.ps1
                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\filename.exe
                        Filesize

                        2.7MB

                        MD5

                        8cae9c02800103cbbc078e51f21f3980

                        SHA1

                        c9e1916eac0fe681b8f534f34d26e68d1b4dbcba

                        SHA256

                        0a87d24d64c60b42d15f7a34b683b9c3d10972e623e35baad0d2525d9595430b

                        SHA512

                        51ddc863bab598866c92d6170c1482060b6e9bef7b420017708c5dab176858389ea153f8767b4eda2a44280d0f78dc062e31f6ce1fd2e3b21158211913f09475

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\filename.exe
                        Filesize

                        1.8MB

                        MD5

                        da6737aec1f8a62a0cfc56a5a5ceb1cd

                        SHA1

                        e44b2a27a9c493e989bc666f2de41b024cf03a99

                        SHA256

                        d8000ed61b73abc457336807d26187bc85234b222447e10b9e45072f31eda22e

                        SHA512

                        932a9f2f01ca2352443f434068d9ee85e6dfbf3746b6c8386e736904db370ef75addb69e56999d1844295cc1e54e4c5f87c011cece5b9b8f22c57266072f46c0

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\filename.exe
                        Filesize

                        2.3MB

                        MD5

                        39609539fee0f3b192d04f93a1d75606

                        SHA1

                        8cf6fd1a8858d6861926462405ecb203439d9908

                        SHA256

                        8e3432b341f9ebd8fe25ee6c2140b07d7b72e17cd10d7c0b2e26d2e4fbbda589

                        SHA512

                        6e42a9ed162d890ff2154a8c84edd6ec39ac9d3197a5bdb994113d09fdc171b110594a19dcc33d335edf702ae406d5110fd433d50764ee167ceae0c9acfcb83c

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                        Filesize

                        109KB

                        MD5

                        2afdbe3b99a4736083066a13e4b5d11a

                        SHA1

                        4d4856cf02b3123ac16e63d4a448cdbcb1633546

                        SHA256

                        8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

                        SHA512

                        d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
                        Filesize

                        1.2MB

                        MD5

                        92fbdfccf6a63acef2743631d16652a7

                        SHA1

                        971968b1378dd89d59d7f84bf92f16fc68664506

                        SHA256

                        b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

                        SHA512

                        b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                        Filesize

                        4KB

                        MD5

                        a5ce3aba68bdb438e98b1d0c70a3d95c

                        SHA1

                        013f5aa9057bf0b3c0c24824de9d075434501354

                        SHA256

                        9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

                        SHA512

                        7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

                        Download Submit

                      • C:\Windows\system32\drivers\etc\hosts
                        Filesize

                        3KB

                        MD5

                        2d29fd3ae57f422e2b2121141dc82253

                        SHA1

                        c2464c857779c0ab4f5e766f5028fcc651a6c6b7

                        SHA256

                        80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

                        SHA512

                        077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

                        Download Submit

                      • memory/652-314-0x0000000140000000-0x000000014000E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/652-312-0x0000000140000000-0x000000014000E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/652-311-0x0000000140000000-0x000000014000E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/652-310-0x0000000140000000-0x000000014000E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/652-317-0x0000000140000000-0x000000014000E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/652-313-0x0000000140000000-0x000000014000E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/876-162-0x0000000074AE0000-0x0000000075290000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/876-155-0x0000000009830000-0x000000000994A000-memory.dmp

                        Filesize

                        1.1MB

                        Download

                      • memory/876-150-0x00000000050E0000-0x00000000050F0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/876-146-0x0000000004E20000-0x0000000004E30000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/876-145-0x0000000004D20000-0x0000000004D3A000-memory.dmp

                        Filesize

                        104KB

                        Download

                      • memory/876-144-0x0000000000540000-0x0000000000554000-memory.dmp

                        Filesize

                        80KB

                        Download

                      • memory/876-143-0x0000000074AE0000-0x0000000075290000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/1256-52-0x0000000000400000-0x0000000000537000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/1256-49-0x0000000000400000-0x0000000000537000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/1256-50-0x0000000000400000-0x0000000000537000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/1472-46-0x0000000004880000-0x0000000004916000-memory.dmp

                        Filesize

                        600KB

                        Download

                      • memory/1904-79-0x00000000049D0000-0x0000000004AEB000-memory.dmp

                        Filesize

                        1.1MB

                        Download

                      • memory/1904-26-0x0000000004900000-0x000000000499D000-memory.dmp

                        Filesize

                        628KB

                        Download

                      • memory/1904-27-0x00000000049D0000-0x0000000004AEB000-memory.dmp

                        Filesize

                        1.1MB

                        Download

                      • memory/1924-16-0x0000000002F80000-0x0000000003080000-memory.dmp

                        Filesize

                        1024KB

                        Download

                      • memory/1924-17-0x0000000000400000-0x0000000002BEC000-memory.dmp

                        Filesize

                        39.9MB

                        Download

                      • memory/1924-31-0x0000000000400000-0x0000000002BEC000-memory.dmp

                        Filesize

                        39.9MB

                        Download

                      • memory/2056-63-0x00007FF7BC8B0000-0x00007FF7BCB7E000-memory.dmp

                        Filesize

                        2.8MB

                        Download

                      • memory/2184-154-0x0000000000660000-0x0000000000B0D000-memory.dmp

                        Filesize

                        4.7MB

                        Download

                      • memory/2184-149-0x0000000005070000-0x0000000005071000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2184-138-0x0000000000660000-0x0000000000B0D000-memory.dmp

                        Filesize

                        4.7MB

                        Download

                      • memory/2184-136-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2184-131-0x0000000077554000-0x0000000077556000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/2184-132-0x0000000005020000-0x0000000005021000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2184-135-0x0000000005050000-0x0000000005051000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2184-133-0x0000000005030000-0x0000000005031000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2184-134-0x0000000005010000-0x0000000005011000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2184-129-0x0000000000660000-0x0000000000B0D000-memory.dmp

                        Filesize

                        4.7MB

                        Download

                      • memory/2184-137-0x0000000005000000-0x0000000005001000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2184-148-0x0000000005080000-0x0000000005081000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2412-107-0x0000000004B80000-0x0000000004B90000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2412-116-0x0000000074AE0000-0x0000000075290000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/2412-102-0x0000000004B10000-0x0000000004B7C000-memory.dmp

                        Filesize

                        432KB

                        Download

                      • memory/2412-113-0x00000000025F0000-0x00000000045F0000-memory.dmp

                        Filesize

                        32.0MB

                        Download

                      • memory/2412-103-0x0000000074AE0000-0x0000000075290000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/2412-104-0x00000000051F0000-0x000000000525A000-memory.dmp

                        Filesize

                        424KB

                        Download

                      • memory/2412-105-0x0000000004B80000-0x0000000004B90000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2412-106-0x0000000004B80000-0x0000000004B90000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2412-108-0x0000000004B80000-0x0000000004B90000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2432-28-0x0000000000400000-0x0000000000537000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/2432-43-0x0000000000400000-0x0000000000537000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/2432-23-0x0000000000400000-0x0000000000537000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/2432-25-0x0000000000400000-0x0000000000537000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/2432-29-0x0000000000400000-0x0000000000537000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/3240-161-0x0000000074AE0000-0x0000000075290000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/3240-157-0x0000000002370000-0x00000000023A6000-memory.dmp

                        Filesize

                        216KB

                        Download

                      • memory/3240-163-0x00000000049D0000-0x00000000049E0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3420-4-0x00000000027D0000-0x00000000027E6000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/3420-30-0x00000000027F0000-0x0000000002806000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/3428-221-0x00007FF667390000-0x00007FF6680E3000-memory.dmp

                        Filesize

                        13.3MB

                        Download

                      • memory/3428-225-0x00007FF667390000-0x00007FF6680E3000-memory.dmp

                        Filesize

                        13.3MB

                        Download

                      • memory/3428-263-0x00007FF667390000-0x00007FF6680E3000-memory.dmp

                        Filesize

                        13.3MB

                        Download

                      • memory/3428-243-0x00007FF667390000-0x00007FF6680E3000-memory.dmp

                        Filesize

                        13.3MB

                        Download

                      • memory/3428-227-0x00007FF667390000-0x00007FF6680E3000-memory.dmp

                        Filesize

                        13.3MB

                        Download

                      • memory/3492-80-0x0000000003470000-0x0000000003471000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3492-96-0x0000000000640000-0x000000000146B000-memory.dmp

                        Filesize

                        14.2MB

                        Download

                      • memory/3492-81-0x0000000003580000-0x0000000003581000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3492-83-0x00000000035C0000-0x00000000035C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3492-82-0x0000000003590000-0x0000000003591000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3492-85-0x0000000000640000-0x000000000146B000-memory.dmp

                        Filesize

                        14.2MB

                        Download

                      • memory/3492-84-0x00000000035D0000-0x00000000035D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3492-87-0x00000000035F0000-0x00000000035F1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3492-86-0x00000000035E0000-0x00000000035E1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3652-326-0x0000000140000000-0x0000000140848000-memory.dmp

                        Filesize

                        8.3MB

                        Download

                      • memory/3652-319-0x0000000140000000-0x0000000140848000-memory.dmp

                        Filesize

                        8.3MB

                        Download

                      • memory/3652-328-0x0000000140000000-0x0000000140848000-memory.dmp

                        Filesize

                        8.3MB

                        Download

                      • memory/3652-325-0x0000000140000000-0x0000000140848000-memory.dmp

                        Filesize

                        8.3MB

                        Download

                      • memory/3652-327-0x00000000016A0000-0x00000000016C0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3652-324-0x0000000140000000-0x0000000140848000-memory.dmp

                        Filesize

                        8.3MB

                        Download

                      • memory/3652-318-0x0000000140000000-0x0000000140848000-memory.dmp

                        Filesize

                        8.3MB

                        Download

                      • memory/3652-320-0x0000000140000000-0x0000000140848000-memory.dmp

                        Filesize

                        8.3MB

                        Download

                      • memory/3652-322-0x0000000140000000-0x0000000140848000-memory.dmp

                        Filesize

                        8.3MB

                        Download

                      • memory/3652-329-0x0000000140000000-0x0000000140848000-memory.dmp

                        Filesize

                        8.3MB

                        Download

                      • memory/3652-330-0x0000000140000000-0x0000000140848000-memory.dmp

                        Filesize

                        8.3MB

                        Download

                      • memory/3716-117-0x0000000074AE0000-0x0000000075290000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/3716-121-0x0000000006340000-0x000000000635E000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/3716-115-0x0000000005130000-0x0000000005140000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3716-123-0x0000000008BC0000-0x00000000090EC000-memory.dmp

                        Filesize

                        5.2MB

                        Download

                      • memory/3716-122-0x00000000084C0000-0x0000000008682000-memory.dmp

                        Filesize

                        1.8MB

                        Download

                      • memory/3716-120-0x00000000062A0000-0x0000000006316000-memory.dmp

                        Filesize

                        472KB

                        Download

                      • memory/3716-111-0x0000000000400000-0x0000000000462000-memory.dmp

                        Filesize

                        392KB

                        Download

                      • memory/3956-321-0x00007FF6A65A0000-0x00007FF6A72F3000-memory.dmp

                        Filesize

                        13.3MB

                        Download

                      • memory/3956-271-0x00007FF6A65A0000-0x00007FF6A72F3000-memory.dmp

                        Filesize

                        13.3MB

                        Download

                      • memory/3956-269-0x00007FF6A65A0000-0x00007FF6A72F3000-memory.dmp

                        Filesize

                        13.3MB

                        Download

                      • memory/3956-270-0x00007FF6A65A0000-0x00007FF6A72F3000-memory.dmp

                        Filesize

                        13.3MB

                        Download

                      • memory/3972-5-0x0000000000400000-0x0000000002BF4000-memory.dmp

                        Filesize

                        40.0MB

                        Download

                      • memory/3972-1-0x0000000002C80000-0x0000000002D80000-memory.dmp

                        Filesize

                        1024KB

                        Download

                      • memory/3972-2-0x0000000004940000-0x000000000494B000-memory.dmp

                        Filesize

                        44KB

                        Download

                      • memory/3972-3-0x0000000000400000-0x0000000002BF4000-memory.dmp

                        Filesize

                        40.0MB

                        Download

                      • memory/4372-128-0x0000000074AE0000-0x0000000075290000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/4372-70-0x00000000053C0000-0x00000000054CA000-memory.dmp

                        Filesize

                        1.0MB

                        Download

                      • memory/4372-71-0x00000000052F0000-0x0000000005302000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/4372-64-0x0000000074AE0000-0x0000000075290000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/4372-65-0x0000000005500000-0x0000000005AA4000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/4372-73-0x0000000005AB0000-0x0000000005AFC000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/4372-130-0x0000000005030000-0x0000000005040000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4372-119-0x0000000006D80000-0x0000000006DD0000-memory.dmp

                        Filesize

                        320KB

                        Download

                      • memory/4372-67-0x0000000005030000-0x0000000005040000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4372-66-0x0000000005050000-0x00000000050E2000-memory.dmp

                        Filesize

                        584KB

                        Download

                      • memory/4372-69-0x00000000060D0000-0x00000000066E8000-memory.dmp

                        Filesize

                        6.1MB

                        Download

                      • memory/4372-68-0x0000000005210000-0x000000000521A000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/4372-72-0x0000000005350000-0x000000000538C000-memory.dmp

                        Filesize

                        240KB

                        Download

                      • memory/4372-62-0x0000000000B00000-0x0000000000B54000-memory.dmp

                        Filesize

                        336KB

                        Download

                      • memory/4372-118-0x0000000005C00000-0x0000000005C66000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/4584-164-0x0000000001140000-0x0000000001149000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/4584-156-0x0000000000400000-0x000000000043D000-memory.dmp

                        Filesize

                        244KB

                        Download

                      • memory/4584-158-0x0000000000400000-0x000000000043D000-memory.dmp

                        Filesize

                        244KB

                        Download

                      • memory/4584-160-0x0000000000400000-0x000000000043D000-memory.dmp

                        Filesize

                        244KB

                        Download

                      • memory/4584-165-0x0000000001170000-0x000000000117D000-memory.dmp

                        Filesize

                        52KB

                        Download