Overview

overview

10

Static

static

3

a6bda3b1e9...9c.exe

windows7-x64

10

a6bda3b1e9...9c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/02/2024, 05:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe

  • Size

    286KB

  • MD5

    b711abfd1d3f342fd53e7234672e23a3

  • SHA1

    abba6fdf4ce45cfc9121bc8f93658b0875ba1f4f

  • SHA256

    a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c

  • SHA512

    f3d3e2e2bad6975e45c9b90568604085c92b7016ee7c56504593d1fea695b3be5c05991515c7ebe9442cc315084a75f59d19630e108806f78f912521efa5e242

  • SSDEEP

    3072:Wz6T6oy729nhffLbCWeia4bU3qrf9tExSD2w3TA4xFgIzSUxaIa2Vd:3T6o28XC7AU3gvEx/6TA4LiUxaIh

Score
10/10
amadeydjvulgoogloaderlummaredlinesmokeloaderxmriglogsdiller cloud (telegram: @logsdillabot)pub1backdoordiscoverydownloaderevasioninfostealerminerpersistenceransomwarespywarestealerthemidatrojanupx

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://habrafa.com/test1/get.php

Attributes
  • extension

    .lkhy

  • offline_id

    OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://habrafa.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

5.42.65.38:46185

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Extracted

Family

lumma

C2

https://resergvearyinitiani.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detected Djvu ransomware 10 IoCs
  • Detects LgoogLoader payload 1 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF 1 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 1 IoCs
  • Detects executables containing artifacts associated with disabling Widnows Defender 1 IoCs
  • Detects executables embedding command execution via IExecuteCommand COM object 1 IoCs
  • Detects executables packed with Themida 14 IoCs
  • Detects executables packed with unregistered version of .NET Reactor 4 IoCs
  • Detects executables potentially checking for WinJail sandbox window 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    evasion
  • UPX dump on OEP (original entry point) 9 IoCs
  • XMRig Miner payload 5 IoCs
    miner
  • Blocklisted process makes network request 2 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 14 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 14 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe
    "C:\Users\Admin\AppData\Local\Temp\a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3972
  • C:\Users\Admin\AppData\Local\Temp\971F.exe
    C:\Users\Admin\AppData\Local\Temp\971F.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:1924
  • C:\Users\Admin\AppData\Local\Temp\A9CE.exe
    C:\Users\Admin\AppData\Local\Temp\A9CE.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Temp\A9CE.exe
      C:\Users\Admin\AppData\Local\Temp\A9CE.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\d8505720-1bf6-40ce-b0c3-5071a9d2bb7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:3596
      • C:\Users\Admin\AppData\Local\Temp\A9CE.exe
        "C:\Users\Admin\AppData\Local\Temp\A9CE.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Users\Admin\AppData\Local\Temp\A9CE.exe
          "C:\Users\Admin\AppData\Local\Temp\A9CE.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Executes dropped EXE
          PID:1256
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 568
            5⤵
            • Program crash
            PID:2680
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1256 -ip 1256
    1⤵
      PID:3408
    • C:\Users\Admin\AppData\Local\Temp\BD95.exe
      C:\Users\Admin\AppData\Local\Temp\BD95.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4372
        • C:\Users\Admin\AppData\Local\Temp\filename.exe
          "C:\Users\Admin\AppData\Local\Temp\filename.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Drops file in Drivers directory
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:3428
          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4832
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            4⤵
              PID:5004
              • C:\Windows\system32\wusa.exe
                wusa /uninstall /kb:890830 /quiet /norestart
                5⤵
                  PID:4648
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop UsoSvc
                4⤵
                • Launches sc.exe
                PID:1424
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop WaaSMedicSvc
                4⤵
                • Launches sc.exe
                PID:4576
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop wuauserv
                4⤵
                • Launches sc.exe
                PID:1792
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop bits
                4⤵
                • Launches sc.exe
                PID:1924
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop dosvc
                4⤵
                • Launches sc.exe
                PID:3748
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2920
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1280
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3288
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3824
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
                4⤵
                • Launches sc.exe
                PID:724
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
                4⤵
                • Launches sc.exe
                PID:3284
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop eventlog
                4⤵
                • Launches sc.exe
                PID:3372
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
                4⤵
                • Launches sc.exe
                PID:1000
        • C:\Users\Admin\AppData\Local\Temp\EBAB.exe
          C:\Users\Admin\AppData\Local\Temp\EBAB.exe
          1⤵
          • Executes dropped EXE
          PID:3492
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F0CC.bat" "
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:436
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
            2⤵
              PID:3324
          • C:\Users\Admin\AppData\Local\Temp\F9D6.exe
            C:\Users\Admin\AppData\Local\Temp\F9D6.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2412
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              2⤵
              • Checks computer location settings
              • Drops startup file
              • Suspicious use of AdjustPrivilegeToken
              PID:3716
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
                3⤵
                • Executes dropped EXE
                PID:4704
          • C:\Users\Admin\AppData\Local\Temp\996.exe
            C:\Users\Admin\AppData\Local\Temp\996.exe
            1⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Windows directory
            PID:2184
          • C:\Users\Admin\AppData\Local\Temp\E3B.exe
            C:\Users\Admin\AppData\Local\Temp\E3B.exe
            1⤵
            • UAC bypass
            • Windows security bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Windows security modification
            • Checks whether UAC is enabled
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:876
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\E3B.exe" -Force
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3240
            • C:\Windows\SysWOW64\calc.exe
              "C:\Windows\SYSWOW64\calc.exe"
              2⤵
                PID:4584
            • C:\ProgramData\Google\Chrome\updater.exe
              C:\ProgramData\Google\Chrome\updater.exe
              1⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Drops file in Drivers directory
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Drops file in System32 directory
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              PID:3956
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:1444
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop WaaSMedicSvc
                2⤵
                • Launches sc.exe
                PID:5048
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop wuauserv
                2⤵
                • Launches sc.exe
                PID:1448
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop dosvc
                2⤵
                • Launches sc.exe
                PID:3472
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop bits
                2⤵
                • Launches sc.exe
                PID:1492
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop UsoSvc
                2⤵
                • Launches sc.exe
                PID:2468
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                2⤵
                  PID:4364
                • C:\Windows\system32\conhost.exe
                  C:\Windows\system32\conhost.exe
                  2⤵
                    PID:652
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1312
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4056
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4148
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3272
                  • C:\Windows\explorer.exe
                    explorer.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3652
                • C:\Windows\system32\wusa.exe
                  wusa /uninstall /kb:890830 /quiet /norestart
                  1⤵
                    PID:2988
                  • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                    C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                    1⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    PID:3804
                    • C:\Windows\SysWOW64\rundll32.exe
                      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                      2⤵
                      • Loads dropped DLL
                      PID:4656
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                        3⤵
                        • Blocklisted process makes network request
                        • Loads dropped DLL
                        PID:2808
                        • C:\Windows\system32\netsh.exe
                          netsh wlan show profiles
                          4⤵
                            PID:3324
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\168293393341_Desktop.zip' -CompressionLevel Optimal
                            4⤵
                              PID:2992
                        • C:\Windows\SysWOW64\rundll32.exe
                          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                          2⤵
                          • Blocklisted process makes network request
                          • Loads dropped DLL
                          PID:2232

                      Network

                            MITRE ATT&CK Enterprise v15

                            Reconnaissance

                            Resource Development

                            Initial Access

                            Execution

                            Persistence

                            Boot or Logon Autostart Execution

                            1
                            T1547

                            Registry Run Keys / Startup Folder

                            1
                            T1547.001

                            Create or Modify System Process

                            2
                            T1543

                            Windows Service

                            2
                            T1543.003

                            Privilege Escalation

                            Abuse Elevation Control Mechanism

                            1
                            T1548

                            Bypass User Account Control

                            1
                            T1548.002

                            Boot or Logon Autostart Execution

                            1
                            T1547

                            Registry Run Keys / Startup Folder

                            1
                            T1547.001

                            Create or Modify System Process

                            2
                            T1543

                            Windows Service

                            2
                            T1543.003

                            Defense Evasion

                            Abuse Elevation Control Mechanism

                            1
                            T1548

                            Bypass User Account Control

                            1
                            T1548.002

                            File and Directory Permissions Modification

                            1
                            T1222

                            Impair Defenses

                            4
                            T1562

                            Disable or Modify Tools

                            3
                            T1562.001

                            Modify Registry

                            5
                            T1112

                            Virtualization/Sandbox Evasion

                            2
                            T1497

                            Credential Access

                            Unsecured Credentials

                            3
                            T1552

                            Credentials In Files

                            3
                            T1552.001

                            Discovery

                            Peripheral Device Discovery

                            1
                            T1120

                            Query Registry

                            7
                            T1012

                            System Information Discovery

                            5
                            T1082

                            Virtualization/Sandbox Evasion

                            2
                            T1497

                            Lateral Movement

                            Collection

                            Data from Local System

                            3
                            T1005

                            Command and Control

                            Exfiltration

                            Impact

                            Service Stop

                            1
                            T1489

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\ProgramData\Google\Chrome\updater.exe
                              Filesize

                              128KB

                              MD5

                              4441f05ac8dec68544e546329b79f347

                              SHA1

                              b6cd59f90cf793a060d55cb6d512d4cd02aa92ce

                              SHA256

                              71f61ce4f30dc92954abcb396ed306c30f83b98a08081b5088cf2c62f47932ef

                              SHA512

                              310319682a72ff27047fdd272bccae4f445835c204e47dce44643035b8f2c08200f38ab5435049287c76015e352ea256359ba809b4a8c5b99cca472272788d77

                              Download Submit

                            • C:\ProgramData\Google\Chrome\updater.exe
                              Filesize

                              7.1MB

                              MD5

                              448a4fe7cf78414bdf0b17c4e37bb867

                              SHA1

                              1fceca49b49953ab7b71782c435c923b640fe973

                              SHA256

                              b7c31c96bd76ea4fb440faf1df78e8c9ee42dcccfbfd1549b313a0cc992714ed

                              SHA512

                              ec75be5b46b4ca5938c5eff6a8c27d3d8daaab5edf7f78ded15ea829968464a98a5695dc70fcc72a03d17331bffde130dc29389dd0c6fd08155fcc9865deb465

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                              Filesize

                              2KB

                              MD5

                              d85ba6ff808d9e5444a4b369f5bc2730

                              SHA1

                              31aa9d96590fff6981b315e0b391b575e4c0804a

                              SHA256

                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                              SHA512

                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              18KB

                              MD5

                              6c8459e360a63712575e1141bd832d45

                              SHA1

                              2e88c55f5e673581ae25c2eba856c3e1e3d3cadf

                              SHA256

                              9d0ce10452c7fe5efcd82b3fc141db46e275bc9dfd850d13dc914898686894b9

                              SHA512

                              77ce5c5d64d4d17246d6b536fe1811049eaa6396b9c1fd675ff98ef24ccfe228f075061aa71f9f367add87b84f2845c81db09b1741288a7ce51fd4361357cd78

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              9b80cd7a712469a4c45fec564313d9eb

                              SHA1

                              6125c01bc10d204ca36ad1110afe714678655f2d

                              SHA256

                              5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

                              SHA512

                              ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\971F.exe
                              Filesize

                              259KB

                              MD5

                              5ead0a4dc3bf605775d48f0442ba371e

                              SHA1

                              36250ca49ef272946f09e442a65625bbde8ce714

                              SHA256

                              4f61b6ed6fa23715adf50cd5f3a74a427fc65006404338d9d9ad242d02f1222f

                              SHA512

                              06f479022c5cb1de9fa5ae96766f8b35c8e692bb86f7bfad4fa583a65b0b44f68ce0b895f9845b55b02b49a02462377561a3d06eed00ef84ec9f3290a8bc2b85

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\996.exe
                              Filesize

                              1.8MB

                              MD5

                              01cc26ecbfdeebceb71a8164da05fef3

                              SHA1

                              2bcadbcc1329fde8d7eb7b4ddee33a9690715b0a

                              SHA256

                              b8c3dd017ddb8ea416e886acf134b17e91c44b8ccc1eec03f760bb4b328ab00f

                              SHA512

                              006da3cbcca6bebfa82bb6d6d046e1a9a9a5bf8346bbc5ce30c1eb8b8249b930f9aaf8bbf92058183529e31827a8504f8f6b3710c0bb3e6a8a02b888e6766bb1

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\A9CE.exe
                              Filesize

                              788KB

                              MD5

                              1e962c67893e14647c2b57a8b4fe25d4

                              SHA1

                              2f2ce07ed3712576d8629f42bc7d377cc5b2d62a

                              SHA256

                              c87c4bf8647258e7215f77f8b2ca29a4c507a2ff0f55f434cc3706f805291a3f

                              SHA512

                              1d256f3d66e252f54e46a56f01aca379d823d3e40af517604363a939084702e3ebb71eeed0c174ea608b4752b07f1f0493955f062167f0114462e06df58f1f37

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\A9CE.exe
                              Filesize

                              64KB

                              MD5

                              59dd29909befb805686848c910a6fdde

                              SHA1

                              48305e6e90f206ac7d5b2805cab0eb65f6ca8b69

                              SHA256

                              2745d3a9694961784385adb15bb26852f66e867bfa813244f80da8d37b0fa924

                              SHA512

                              97dc5fe9fa3488ca7b8f063f1f195a4628bd02afb5b89decc29b0d825e9e5312183c9164b3ff6bb4c91a06ffceb0ca38f9b98fb3aefb0a0ae3363e9b5ff3d3bc

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\BD95.exe
                              Filesize

                              2.4MB

                              MD5

                              7ea4ead4fc9c5c7a9f3309cab716a28f

                              SHA1

                              b5457c2c7529585e02dac132b5adeed3a4f1f260

                              SHA256

                              431452b0cb6b0ee3d623c3394b120b104e24826585530708942690eeba34055a

                              SHA512

                              f6ca00aa0331da628514f982a4627c338c1c9f29a70146c7324e9212f73487a1a146a93f438be93f13cf08574da73769bdfefdbb02b689ffa6d8fc98a6993d1b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\E3B.exe
                              Filesize

                              63KB

                              MD5

                              cbfbeaf0a6e70056f43406053cd61f1e

                              SHA1

                              b7088a9f29b8ab84aedaffec81441580775d5393

                              SHA256

                              fa776a4e5e0653f7856a19c3a9fbdad306eb9365cb553bc223d8075be5f5cd3b

                              SHA512

                              2930b11123191108d66e1bba5cb43f34ca963c424f6dd9c61751db62cef3039773dd100c179909d30099953513ca6eb07e29732af7928d2602c35a8020271c5c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\EBAB.exe
                              Filesize

                              6.3MB

                              MD5

                              b1e8d4d7dd26612c17eccbf66b280e7c

                              SHA1

                              97dd5e81a4014fb54ef5ac3f1db88519843c85c2

                              SHA256

                              e3940372b04a4cb2177ae409c195debccfe004600d73a39d429a577d248d4cb2

                              SHA512

                              ff70dd3103128cd36bd1da3a734e635ec76d53a5629fc1f05941d6cadb9e82310da0ea298dcf449ef17c42a70ea7d787a75585ffa37a74f9007ca91a4481ecc8

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\F0CC.bat
                              Filesize

                              77B

                              MD5

                              55cc761bf3429324e5a0095cab002113

                              SHA1

                              2cc1ef4542a4e92d4158ab3978425d517fafd16d

                              SHA256

                              d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

                              SHA512

                              33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\F9D6.exe
                              Filesize

                              535KB

                              MD5

                              c85359e6fcc2b3aad2407a8769d8d1f1

                              SHA1

                              77adb2c84465aeef9ef0f8ddb12b0165610b57da

                              SHA256

                              8934e11fa9c967fe8e67d9fc1c1f518f18c107b6abc91b143e03e5b18f892782

                              SHA512

                              2f3c97978972293ca5a17838d173ad4554731edcc12e848bc27063a13ed5ca9bf0b8483f247891cf97be83e531ddab011d3c2b8156c92da8ec56a1a0b4c033a3

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_33zpcdsf.mfm.ps1
                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\filename.exe
                              Filesize

                              2.7MB

                              MD5

                              8cae9c02800103cbbc078e51f21f3980

                              SHA1

                              c9e1916eac0fe681b8f534f34d26e68d1b4dbcba

                              SHA256

                              0a87d24d64c60b42d15f7a34b683b9c3d10972e623e35baad0d2525d9595430b

                              SHA512

                              51ddc863bab598866c92d6170c1482060b6e9bef7b420017708c5dab176858389ea153f8767b4eda2a44280d0f78dc062e31f6ce1fd2e3b21158211913f09475

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\filename.exe
                              Filesize

                              1.8MB

                              MD5

                              da6737aec1f8a62a0cfc56a5a5ceb1cd

                              SHA1

                              e44b2a27a9c493e989bc666f2de41b024cf03a99

                              SHA256

                              d8000ed61b73abc457336807d26187bc85234b222447e10b9e45072f31eda22e

                              SHA512

                              932a9f2f01ca2352443f434068d9ee85e6dfbf3746b6c8386e736904db370ef75addb69e56999d1844295cc1e54e4c5f87c011cece5b9b8f22c57266072f46c0

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\filename.exe
                              Filesize

                              2.3MB

                              MD5

                              39609539fee0f3b192d04f93a1d75606

                              SHA1

                              8cf6fd1a8858d6861926462405ecb203439d9908

                              SHA256

                              8e3432b341f9ebd8fe25ee6c2140b07d7b72e17cd10d7c0b2e26d2e4fbbda589

                              SHA512

                              6e42a9ed162d890ff2154a8c84edd6ec39ac9d3197a5bdb994113d09fdc171b110594a19dcc33d335edf702ae406d5110fd433d50764ee167ceae0c9acfcb83c

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                              Filesize

                              109KB

                              MD5

                              2afdbe3b99a4736083066a13e4b5d11a

                              SHA1

                              4d4856cf02b3123ac16e63d4a448cdbcb1633546

                              SHA256

                              8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

                              SHA512

                              d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
                              Filesize

                              1.2MB

                              MD5

                              92fbdfccf6a63acef2743631d16652a7

                              SHA1

                              971968b1378dd89d59d7f84bf92f16fc68664506

                              SHA256

                              b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

                              SHA512

                              b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                              Filesize

                              4KB

                              MD5

                              a5ce3aba68bdb438e98b1d0c70a3d95c

                              SHA1

                              013f5aa9057bf0b3c0c24824de9d075434501354

                              SHA256

                              9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

                              SHA512

                              7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

                              Download Submit

                            • C:\Windows\system32\drivers\etc\hosts
                              Filesize

                              3KB

                              MD5

                              2d29fd3ae57f422e2b2121141dc82253

                              SHA1

                              c2464c857779c0ab4f5e766f5028fcc651a6c6b7

                              SHA256

                              80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

                              SHA512

                              077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

                              Download Submit

                            • memory/652-314-0x0000000140000000-0x000000014000E000-memory.dmp

                              Filesize

                              56KB

                              Download

                            • memory/652-312-0x0000000140000000-0x000000014000E000-memory.dmp

                              Filesize

                              56KB

                              Download

                            • memory/652-311-0x0000000140000000-0x000000014000E000-memory.dmp

                              Filesize

                              56KB

                              Download

                            • memory/652-310-0x0000000140000000-0x000000014000E000-memory.dmp

                              Filesize

                              56KB

                              Download

                            • memory/652-317-0x0000000140000000-0x000000014000E000-memory.dmp

                              Filesize

                              56KB

                              Download

                            • memory/652-313-0x0000000140000000-0x000000014000E000-memory.dmp

                              Filesize

                              56KB

                              Download

                            • memory/876-162-0x0000000074AE0000-0x0000000075290000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/876-155-0x0000000009830000-0x000000000994A000-memory.dmp

                              Filesize

                              1.1MB

                              Download

                            • memory/876-150-0x00000000050E0000-0x00000000050F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/876-146-0x0000000004E20000-0x0000000004E30000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/876-145-0x0000000004D20000-0x0000000004D3A000-memory.dmp

                              Filesize

                              104KB

                              Download

                            • memory/876-144-0x0000000000540000-0x0000000000554000-memory.dmp

                              Filesize

                              80KB

                              Download

                            • memory/876-143-0x0000000074AE0000-0x0000000075290000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/1256-52-0x0000000000400000-0x0000000000537000-memory.dmp

                              Filesize

                              1.2MB

                              Download

                            • memory/1256-49-0x0000000000400000-0x0000000000537000-memory.dmp

                              Filesize

                              1.2MB

                              Download

                            • memory/1256-50-0x0000000000400000-0x0000000000537000-memory.dmp

                              Filesize

                              1.2MB

                              Download

                            • memory/1472-46-0x0000000004880000-0x0000000004916000-memory.dmp

                              Filesize

                              600KB

                              Download

                            • memory/1904-79-0x00000000049D0000-0x0000000004AEB000-memory.dmp

                              Filesize

                              1.1MB

                              Download

                            • memory/1904-26-0x0000000004900000-0x000000000499D000-memory.dmp

                              Filesize

                              628KB

                              Download

                            • memory/1904-27-0x00000000049D0000-0x0000000004AEB000-memory.dmp

                              Filesize

                              1.1MB

                              Download

                            • memory/1924-16-0x0000000002F80000-0x0000000003080000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/1924-17-0x0000000000400000-0x0000000002BEC000-memory.dmp

                              Filesize

                              39.9MB

                              Download

                            • memory/1924-31-0x0000000000400000-0x0000000002BEC000-memory.dmp

                              Filesize

                              39.9MB

                              Download

                            • memory/2056-63-0x00007FF7BC8B0000-0x00007FF7BCB7E000-memory.dmp

                              Filesize

                              2.8MB

                              Download

                            • memory/2184-154-0x0000000000660000-0x0000000000B0D000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/2184-149-0x0000000005070000-0x0000000005071000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2184-138-0x0000000000660000-0x0000000000B0D000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/2184-136-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2184-131-0x0000000077554000-0x0000000077556000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/2184-132-0x0000000005020000-0x0000000005021000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2184-135-0x0000000005050000-0x0000000005051000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2184-133-0x0000000005030000-0x0000000005031000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2184-134-0x0000000005010000-0x0000000005011000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2184-129-0x0000000000660000-0x0000000000B0D000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/2184-137-0x0000000005000000-0x0000000005001000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2184-148-0x0000000005080000-0x0000000005081000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2412-107-0x0000000004B80000-0x0000000004B90000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2412-116-0x0000000074AE0000-0x0000000075290000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/2412-102-0x0000000004B10000-0x0000000004B7C000-memory.dmp

                              Filesize

                              432KB

                              Download

                            • memory/2412-113-0x00000000025F0000-0x00000000045F0000-memory.dmp

                              Filesize

                              32.0MB

                              Download

                            • memory/2412-103-0x0000000074AE0000-0x0000000075290000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/2412-104-0x00000000051F0000-0x000000000525A000-memory.dmp

                              Filesize

                              424KB

                              Download

                            • memory/2412-105-0x0000000004B80000-0x0000000004B90000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2412-106-0x0000000004B80000-0x0000000004B90000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2412-108-0x0000000004B80000-0x0000000004B90000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2432-28-0x0000000000400000-0x0000000000537000-memory.dmp

                              Filesize

                              1.2MB

                              Download

                            • memory/2432-43-0x0000000000400000-0x0000000000537000-memory.dmp

                              Filesize

                              1.2MB

                              Download

                            • memory/2432-23-0x0000000000400000-0x0000000000537000-memory.dmp

                              Filesize

                              1.2MB

                              Download

                            • memory/2432-25-0x0000000000400000-0x0000000000537000-memory.dmp

                              Filesize

                              1.2MB

                              Download

                            • memory/2432-29-0x0000000000400000-0x0000000000537000-memory.dmp

                              Filesize

                              1.2MB

                              Download

                            • memory/3240-161-0x0000000074AE0000-0x0000000075290000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/3240-157-0x0000000002370000-0x00000000023A6000-memory.dmp

                              Filesize

                              216KB

                              Download

                            • memory/3240-163-0x00000000049D0000-0x00000000049E0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/3420-4-0x00000000027D0000-0x00000000027E6000-memory.dmp

                              Filesize

                              88KB

                              Download

                            • memory/3420-30-0x00000000027F0000-0x0000000002806000-memory.dmp

                              Filesize

                              88KB

                              Download

                            • memory/3428-221-0x00007FF667390000-0x00007FF6680E3000-memory.dmp

                              Filesize

                              13.3MB

                              Download

                            • memory/3428-225-0x00007FF667390000-0x00007FF6680E3000-memory.dmp

                              Filesize

                              13.3MB

                              Download

                            • memory/3428-263-0x00007FF667390000-0x00007FF6680E3000-memory.dmp

                              Filesize

                              13.3MB

                              Download

                            • memory/3428-243-0x00007FF667390000-0x00007FF6680E3000-memory.dmp

                              Filesize

                              13.3MB

                              Download

                            • memory/3428-227-0x00007FF667390000-0x00007FF6680E3000-memory.dmp

                              Filesize

                              13.3MB

                              Download

                            • memory/3492-80-0x0000000003470000-0x0000000003471000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3492-96-0x0000000000640000-0x000000000146B000-memory.dmp

                              Filesize

                              14.2MB

                              Download

                            • memory/3492-81-0x0000000003580000-0x0000000003581000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3492-83-0x00000000035C0000-0x00000000035C1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3492-82-0x0000000003590000-0x0000000003591000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3492-85-0x0000000000640000-0x000000000146B000-memory.dmp

                              Filesize

                              14.2MB

                              Download

                            • memory/3492-84-0x00000000035D0000-0x00000000035D1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3492-87-0x00000000035F0000-0x00000000035F1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3492-86-0x00000000035E0000-0x00000000035E1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3652-326-0x0000000140000000-0x0000000140848000-memory.dmp

                              Filesize

                              8.3MB

                              Download

                            • memory/3652-322-0x0000000140000000-0x0000000140848000-memory.dmp

                              Filesize

                              8.3MB

                              Download

                            • memory/3652-324-0x0000000140000000-0x0000000140848000-memory.dmp

                              Filesize

                              8.3MB

                              Download

                            • memory/3652-320-0x0000000140000000-0x0000000140848000-memory.dmp

                              Filesize

                              8.3MB

                              Download

                            • memory/3652-319-0x0000000140000000-0x0000000140848000-memory.dmp

                              Filesize

                              8.3MB

                              Download

                            • memory/3652-318-0x0000000140000000-0x0000000140848000-memory.dmp

                              Filesize

                              8.3MB

                              Download

                            • memory/3652-327-0x00000000016A0000-0x00000000016C0000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/3652-325-0x0000000140000000-0x0000000140848000-memory.dmp

                              Filesize

                              8.3MB

                              Download

                            • memory/3652-328-0x0000000140000000-0x0000000140848000-memory.dmp

                              Filesize

                              8.3MB

                              Download

                            • memory/3652-329-0x0000000140000000-0x0000000140848000-memory.dmp

                              Filesize

                              8.3MB

                              Download

                            • memory/3652-330-0x0000000140000000-0x0000000140848000-memory.dmp

                              Filesize

                              8.3MB

                              Download

                            • memory/3716-120-0x00000000062A0000-0x0000000006316000-memory.dmp

                              Filesize

                              472KB

                              Download

                            • memory/3716-121-0x0000000006340000-0x000000000635E000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/3716-122-0x00000000084C0000-0x0000000008682000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/3716-117-0x0000000074AE0000-0x0000000075290000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/3716-123-0x0000000008BC0000-0x00000000090EC000-memory.dmp

                              Filesize

                              5.2MB

                              Download

                            • memory/3716-115-0x0000000005130000-0x0000000005140000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/3716-111-0x0000000000400000-0x0000000000462000-memory.dmp

                              Filesize

                              392KB

                              Download

                            • memory/3956-269-0x00007FF6A65A0000-0x00007FF6A72F3000-memory.dmp

                              Filesize

                              13.3MB

                              Download

                            • memory/3956-321-0x00007FF6A65A0000-0x00007FF6A72F3000-memory.dmp

                              Filesize

                              13.3MB

                              Download

                            • memory/3956-270-0x00007FF6A65A0000-0x00007FF6A72F3000-memory.dmp

                              Filesize

                              13.3MB

                              Download

                            • memory/3956-271-0x00007FF6A65A0000-0x00007FF6A72F3000-memory.dmp

                              Filesize

                              13.3MB

                              Download

                            • memory/3972-1-0x0000000002C80000-0x0000000002D80000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/3972-2-0x0000000004940000-0x000000000494B000-memory.dmp

                              Filesize

                              44KB

                              Download

                            • memory/3972-3-0x0000000000400000-0x0000000002BF4000-memory.dmp

                              Filesize

                              40.0MB

                              Download

                            • memory/3972-5-0x0000000000400000-0x0000000002BF4000-memory.dmp

                              Filesize

                              40.0MB

                              Download

                            • memory/4372-72-0x0000000005350000-0x000000000538C000-memory.dmp

                              Filesize

                              240KB

                              Download

                            • memory/4372-130-0x0000000005030000-0x0000000005040000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/4372-65-0x0000000005500000-0x0000000005AA4000-memory.dmp

                              Filesize

                              5.6MB

                              Download

                            • memory/4372-64-0x0000000074AE0000-0x0000000075290000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/4372-70-0x00000000053C0000-0x00000000054CA000-memory.dmp

                              Filesize

                              1.0MB

                              Download

                            • memory/4372-69-0x00000000060D0000-0x00000000066E8000-memory.dmp

                              Filesize

                              6.1MB

                              Download

                            • memory/4372-68-0x0000000005210000-0x000000000521A000-memory.dmp

                              Filesize

                              40KB

                              Download

                            • memory/4372-67-0x0000000005030000-0x0000000005040000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/4372-62-0x0000000000B00000-0x0000000000B54000-memory.dmp

                              Filesize

                              336KB

                              Download

                            • memory/4372-71-0x00000000052F0000-0x0000000005302000-memory.dmp

                              Filesize

                              72KB

                              Download

                            • memory/4372-128-0x0000000074AE0000-0x0000000075290000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/4372-119-0x0000000006D80000-0x0000000006DD0000-memory.dmp

                              Filesize

                              320KB

                              Download

                            • memory/4372-73-0x0000000005AB0000-0x0000000005AFC000-memory.dmp

                              Filesize

                              304KB

                              Download

                            • memory/4372-66-0x0000000005050000-0x00000000050E2000-memory.dmp

                              Filesize

                              584KB

                              Download

                            • memory/4372-118-0x0000000005C00000-0x0000000005C66000-memory.dmp

                              Filesize

                              408KB

                              Download

                            • memory/4584-156-0x0000000000400000-0x000000000043D000-memory.dmp

                              Filesize

                              244KB

                              Download

                            • memory/4584-158-0x0000000000400000-0x000000000043D000-memory.dmp

                              Filesize

                              244KB

                              Download

                            • memory/4584-160-0x0000000000400000-0x000000000043D000-memory.dmp

                              Filesize

                              244KB

                              Download

                            • memory/4584-165-0x0000000001170000-0x000000000117D000-memory.dmp

                              Filesize

                              52KB

                              Download

                            • memory/4584-164-0x0000000001140000-0x0000000001149000-memory.dmp

                              Filesize

                              36KB

                              Download