Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    139s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29-03-2024 10:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe

  • Size

    203KB

  • MD5

    cfef270ab5ce465d112890717e9be5a6

  • SHA1

    38a935c3c1178a5ecb98232c92e3208f2fd39103

  • SHA256

    29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af

  • SHA512

    e37d52416e72dc9f1fc173da7d8d834baa28df1480edb2f23ae0075277e6bc92b4d8aeeba4e6a6f59e20908f53df36378ed6950ab198335b203dce490c01ece9

  • SSDEEP

    3072:4XqLqhgTFZ5/VAGuI4bSaeHnbVVsD8Lgz2oaIrPBUwM9Mu+:4HhgTFZhGG94bSaAbHeQgjaIDJM9N+

Score
10/10
dcratdjvugluptebaredlinesmokeloaderlogsdiller cloud (tg: @logsdillabot)pub1backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratspywarestealertrojanupx

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://sajdfue.com/test1/get.php

Attributes
  • extension

    .vook

  • offline_id

    1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1

  • payload_url

    http://sdfjhuz.com/dl/build2.exe

    http://sajdfue.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

5.42.65.0:29587

Signatures

  • DcRat 4 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detected Djvu ransomware 9 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 4 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe
    "C:\Users\Admin\AppData\Local\Temp\29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe"
    1⤵
    • DcRat
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3284
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AB44.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      2⤵
        PID:4940
    • C:\Users\Admin\AppData\Local\Temp\3C69.exe
      C:\Users\Admin\AppData\Local\Temp\3C69.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Users\Admin\AppData\Local\Temp\3C69.exe
        C:\Users\Admin\AppData\Local\Temp\3C69.exe
        2⤵
        • DcRat
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Users\Admin\AppData\Local\e20989a0-f031-48ef-81ca-a054cbbe7cf9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          3⤵
          • Modifies file permissions
          PID:952
        • C:\Users\Admin\AppData\Local\Temp\3C69.exe
          "C:\Users\Admin\AppData\Local\Temp\3C69.exe" --Admin IsNotAutoStart IsNotTask
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4580
          • C:\Users\Admin\AppData\Local\Temp\3C69.exe
            "C:\Users\Admin\AppData\Local\Temp\3C69.exe" --Admin IsNotAutoStart IsNotTask
            4⤵
            • Executes dropped EXE
            PID:3164
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 600
              5⤵
              • Program crash
              PID:1928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3164 -ip 3164
      1⤵
        PID:4960
      • C:\Users\Admin\AppData\Local\Temp\4CA6.exe
        C:\Users\Admin\AppData\Local\Temp\4CA6.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3160
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          2⤵
            PID:3248
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2904
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 844
            2⤵
            • Program crash
            PID:608
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3160 -ip 3160
          1⤵
            PID:2116
          • C:\Users\Admin\AppData\Local\Temp\7240.exe
            C:\Users\Admin\AppData\Local\Temp\7240.exe
            1⤵
            • Executes dropped EXE
            PID:2428
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7454.bat" "
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:1160
            • C:\Windows\system32\reg.exe
              reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
              2⤵
                PID:1896
            • C:\Users\Admin\AppData\Local\Temp\9D88.exe
              C:\Users\Admin\AppData\Local\Temp\9D88.exe
              1⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              PID:3100
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                2⤵
                  PID:800
              • C:\Users\Admin\AppData\Roaming\jjdftet
                C:\Users\Admin\AppData\Roaming\jjdftet
                1⤵
                • Executes dropped EXE
                • Checks SCSI registry key(s)
                • Suspicious behavior: MapViewOfSection
                PID:4968
              • C:\Users\Admin\AppData\Local\Temp\B21B.exe
                C:\Users\Admin\AppData\Local\Temp\B21B.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:3572
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  2⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4124
                • C:\Users\Admin\AppData\Local\Temp\B21B.exe
                  "C:\Users\Admin\AppData\Local\Temp\B21B.exe"
                  2⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Checks for VirtualBox DLLs, possible anti-VM trick
                  • Drops file in Windows directory
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:2224
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    3⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    PID:3944
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                    3⤵
                      PID:4968
                      • C:\Windows\system32\netsh.exe
                        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                        4⤵
                        • Modifies Windows Firewall
                        PID:3140
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -nologo -noprofile
                      3⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:1072
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -nologo -noprofile
                      3⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:4208
                    • C:\Windows\rss\csrss.exe
                      C:\Windows\rss\csrss.exe
                      3⤵
                      • Executes dropped EXE
                      PID:3844
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -nologo -noprofile
                        4⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        PID:4296
                      • C:\Windows\SYSTEM32\schtasks.exe
                        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                        4⤵
                        • DcRat
                        • Creates scheduled task(s)
                        PID:3116
                      • C:\Windows\SYSTEM32\schtasks.exe
                        schtasks /delete /tn ScheduledUpdate /f
                        4⤵
                          PID:5024
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -nologo -noprofile
                          4⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:2104
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -nologo -noprofile
                          4⤵
                          • Modifies data under HKEY_USERS
                          PID:5004
                        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                          4⤵
                            PID:4408
                            • C:\Windows\System32\Conhost.exe
                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              5⤵
                                PID:3140
                            • C:\Windows\SYSTEM32\schtasks.exe
                              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                              4⤵
                              • DcRat
                              • Creates scheduled task(s)
                              PID:2244
                            • C:\Windows\windefender.exe
                              "C:\Windows\windefender.exe"
                              4⤵
                                PID:2984
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                  5⤵
                                    PID:3680
                                    • C:\Windows\SysWOW64\sc.exe
                                      sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                      6⤵
                                      • Launches sc.exe
                                      PID:3504
                          • C:\Windows\explorer.exe
                            explorer.exe
                            1⤵
                            • Modifies Installed Components in the registry
                            • Enumerates connected drives
                            • Checks SCSI registry key(s)
                            • Modifies registry class
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            • Suspicious use of SetWindowsHookEx
                            PID:952
                          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                            1⤵
                            • Enumerates system info in registry
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:3300
                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                            1⤵
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:3144
                          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                            1⤵
                            • Enumerates system info in registry
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:5020
                          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                            1⤵
                            • Enumerates system info in registry
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:3836
                          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                            1⤵
                            • Enumerates system info in registry
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:128
                          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                            1⤵
                            • Enumerates system info in registry
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:4220
                          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                            1⤵
                              PID:1808
                            • C:\Windows\explorer.exe
                              explorer.exe
                              1⤵
                                PID:4132
                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                1⤵
                                  PID:3452
                                • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                  1⤵
                                    PID:2560
                                  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                    1⤵
                                      PID:4512
                                    • C:\Windows\windefender.exe
                                      C:\Windows\windefender.exe
                                      1⤵
                                        PID:3300
                                      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                        1⤵
                                          PID:1952
                                        • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                          "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                          1⤵
                                            PID:3796
                                          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                            1⤵
                                              PID:3680
                                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                              1⤵
                                                PID:3892

                                              Network

                                              MITRE ATT&CK Matrix ATT&CK v13

                                              Initial Access

                                              Execution

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Persistence

                                              Boot or Logon Autostart Execution

                                              2
                                              T1547

                                              Registry Run Keys / Startup Folder

                                              2
                                              T1547.001

                                              Create or Modify System Process

                                              1
                                              T1543

                                              Windows Service

                                              1
                                              T1543.003

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Privilege Escalation

                                              Boot or Logon Autostart Execution

                                              2
                                              T1547

                                              Registry Run Keys / Startup Folder

                                              2
                                              T1547.001

                                              Create or Modify System Process

                                              1
                                              T1543

                                              Windows Service

                                              1
                                              T1543.003

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Defense Evasion

                                              Modify Registry

                                              3
                                              T1112

                                              Impair Defenses

                                              1
                                              T1562

                                              Disable or Modify System Firewall

                                              1
                                              T1562.004

                                              File and Directory Permissions Modification

                                              1
                                              T1222

                                              Credential Access

                                              Unsecured Credentials

                                              3
                                              T1552

                                              Credentials In Files

                                              3
                                              T1552.001

                                              Discovery

                                              Query Registry

                                              5
                                              T1012

                                              Peripheral Device Discovery

                                              2
                                              T1120

                                              System Information Discovery

                                              5
                                              T1082

                                              Lateral Movement

                                              Collection

                                              Data from Local System

                                              3
                                              T1005

                                              Exfiltration

                                              Command and Control

                                              Web Service

                                              1
                                              T1102

                                              Impact

                                              Resource Development

                                              Reconnaissance

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
                                                Filesize

                                                1022B

                                                MD5

                                                8b49dcb57e60b0f3119fce871f5e4967

                                                SHA1

                                                ab8d426c87a29ce0d209cbb242d89cb3d7d0694b

                                                SHA256

                                                0249caa6faaf0444570c414191f87511d81f908f28217f7d0990c43e921684c2

                                                SHA512

                                                2ef7f7d74e1733792dd4a08bf6f9761de794bb9ca7808a84150ff81f65c5b1a2f8ee73c4e6d8ec43b90ff31513617bf44977c262156eb19a10412affcb66cb3d

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\start.bin
                                                Filesize

                                                4KB

                                                MD5

                                                3b02a9238bac39c792db7ea6b8fab2c3

                                                SHA1

                                                b1984eb6a37057b97dbbbd8f178136648a4becae

                                                SHA256

                                                810bb6c9d28d848bd766bba5030f4b8c8ea080e142cf6826c95943f79212dcb1

                                                SHA512

                                                d6cbe9a32919663203633cee9667e957bc63e4dabb74ad2a861839add45ba9ffce2714e18eea055a72e9bee9b9f20b5e6108c26e7d3fed42ff3a4e9a155576b4

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\D08ZSWUJ\www.bing[1].xml
                                                Filesize

                                                2KB

                                                MD5

                                                0e121900c089e96faa52e59373b3c471

                                                SHA1

                                                dd3d268faeeb40894da52eeba9cde9679dda1143

                                                SHA256

                                                08c5f4453a8f4406c9cb8b364fd78448a2af902d46faae58ea3975392d29d052

                                                SHA512

                                                0209f432f0ad3ac64ee529abe46f56c8417bf98945874f09d4a31528f705a921122e3202205e7314d57b67c64ae333d7e907340361fcb177fd7e51fe97f5d823

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\3C69.exe
                                                Filesize

                                                732KB

                                                MD5

                                                b083f4e64b747efd38ec736c231e04bd

                                                SHA1

                                                2f92f6177f7a0648b12d0d5826ce30d20de92c3a

                                                SHA256

                                                b3a7c556f5971016f0ba97d5cf78b5d1a4e750f2be82898166526721092de3d4

                                                SHA512

                                                93e7a201aa0de2c75d38d893b24f9e8cf9f46c23867b06270ca0d7964676c9c4ee4d76e929890b71a668d6934f377035ce946e2d228b37c4c2964e1aa4cab4b9

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\4CA6.exe
                                                Filesize

                                                392KB

                                                MD5

                                                89ec2c6bf09ed9a38bd11acb2a41cd1b

                                                SHA1

                                                408549982b687ca8dd5efb0e8b704a374bd8909d

                                                SHA256

                                                da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d

                                                SHA512

                                                c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\7240.exe
                                                Filesize

                                                6.5MB

                                                MD5

                                                9e52aa572f0afc888c098db4c0f687ff

                                                SHA1

                                                ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

                                                SHA256

                                                4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

                                                SHA512

                                                d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\9D88.exe
                                                Filesize

                                                30.6MB

                                                MD5

                                                ff35671d54d612772b0c22c141a3056e

                                                SHA1

                                                d005a27cd48556bf17eb9c2b43af49b67347cc0e

                                                SHA256

                                                2f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512

                                                SHA512

                                                9a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\AB44.bat
                                                Filesize

                                                77B

                                                MD5

                                                55cc761bf3429324e5a0095cab002113

                                                SHA1

                                                2cc1ef4542a4e92d4158ab3978425d517fafd16d

                                                SHA256

                                                d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

                                                SHA512

                                                33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\B21B.exe
                                                Filesize

                                                4.1MB

                                                MD5

                                                7091c95d0e653c2e7d850f88f5bba15c

                                                SHA1

                                                392393b21629fdf7fb2de6c9bfd3b682a895e4b9

                                                SHA256

                                                d81632251a3226bc66d8b12af2d823c1987b22846889deed45a8dde6832d6638

                                                SHA512

                                                56ebc586f24c75d701110a18b243ebf5c6dabc2003e78cd9014b1626de2ffe24d56479c89d59c9daa493e96560bb8dca3713be0a78d51d7a1fef803acad7fdbe

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ryokhuv1.lyu.ps1
                                                Filesize

                                                60B

                                                MD5

                                                d17fe0a3f47be24a6453e9ef58c94641

                                                SHA1

                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                SHA256

                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                SHA512

                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                                Filesize

                                                281KB

                                                MD5

                                                d98e33b66343e7c96158444127a117f6

                                                SHA1

                                                bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                                                SHA256

                                                5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                                                SHA512

                                                705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                                                Download Submit
                                              • C:\Users\Admin\AppData\Roaming\jjdftet
                                                Filesize

                                                203KB

                                                MD5

                                                cfef270ab5ce465d112890717e9be5a6

                                                SHA1

                                                38a935c3c1178a5ecb98232c92e3208f2fd39103

                                                SHA256

                                                29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af

                                                SHA512

                                                e37d52416e72dc9f1fc173da7d8d834baa28df1480edb2f23ae0075277e6bc92b4d8aeeba4e6a6f59e20908f53df36378ed6950ab198335b203dce490c01ece9

                                                Download Submit
                                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                Filesize

                                                2KB

                                                MD5

                                                ac4917a885cf6050b1a483e4bc4d2ea5

                                                SHA1

                                                b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

                                                SHA256

                                                e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

                                                SHA512

                                                092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

                                                Download Submit
                                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                Filesize

                                                19KB

                                                MD5

                                                d8552a155ebc882b35ae6be396613316

                                                SHA1

                                                97c9f7b93e45d2dcf6893a7f9b2536df56a2a8fc

                                                SHA256

                                                abfa2e41d9631d65e1f19df402a2977930cd4132e4e03c15365c41b7e326133a

                                                SHA512

                                                ca67fcf2ddf60f0033b7eeca3bc8709d5dca3f2d01de4533f32159fd221a1cad8249cb9d33aec2402b680bf7f87ac82e7df13842a92a50a8f41c234c3990c484

                                                Download Submit
                                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                Filesize

                                                19KB

                                                MD5

                                                7feeb24e8fafa550631c0868ba76b762

                                                SHA1

                                                71c65277ad77a7f16c3edc6a49a1dd1dc4d6b7c0

                                                SHA256

                                                d4522683cb0354074be0a38a64ae7a6c8f9ffc1d36a4d12a2ce07d4aba1177be

                                                SHA512

                                                ad879ae550682912ff7a07c97a7220bda2dd6b2e47399d5f507173d4262a8d24727445485a536f31c36fee381c67b0a1e56ee6f22a21e700356083053df533f5

                                                Download Submit
                                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                Filesize

                                                19KB

                                                MD5

                                                43d2f2de6edba035afd83fc0a4b8066d

                                                SHA1

                                                6464a2f38fade93743ef555f7ddd9367c034152a

                                                SHA256

                                                7bf07656f79253e1de5ad91d9ee0ef6cbe4e25bb78c8e2db382590ed239d19c2

                                                SHA512

                                                65a0071b1ea796b627fe76858e02aa5361319af62275b132551e278993929d694c514b138644e9d6ed58d1022868245312cfaab0b59cb0c952d51cade38cfb2f

                                                Download Submit
                                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                Filesize

                                                19KB

                                                MD5

                                                2c6d72203ab33311553c3c7d8c8bf6e3

                                                SHA1

                                                429369d60ec905c4387bd0aa8e80b7be22e643e3

                                                SHA256

                                                56c48ba1706c7d09076c35db0fca3c6b07bae2bd0a35b36e1d0f8263fb0474b9

                                                SHA512

                                                1c45356dd0a36685d14fe1cdf7e40f785222081865902cf7733738b99671a093373e9d66af34c1b3bae4cd2d8961c8b6e90edb51e7b65fcb8860c1315819be60

                                                Download Submit
                                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                Filesize

                                                19KB

                                                MD5

                                                b5d42737e9e6034bea04d340c5465852

                                                SHA1

                                                b83ef8f567ef7147af97ddde04135b0874c19315

                                                SHA256

                                                54f42591c42ee1f0f4b666a1751ac6f4a26fe2bc9105db3fccec84bd2fdaaeef

                                                SHA512

                                                f7f8959429aa716cc2df5421e67d07feccfce146df3f104936873b510107d05fcf833697f449fc33712fa5a7ae214c1793d0ede53268f2f6bbef1f9bbf1b9654

                                                Download Submit
                                              • C:\Windows\windefender.exe
                                                Filesize

                                                2.0MB

                                                MD5

                                                8e67f58837092385dcf01e8a2b4f5783

                                                SHA1

                                                012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                                                SHA256

                                                166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                                                SHA512

                                                40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                                                Download Submit
                                              • memory/128-478-0x00000181D8D40000-0x00000181D8D60000-memory.dmp
                                                Filesize

                                                128KB

                                                Download
                                              • memory/800-491-0x0000000000730000-0x000000000077B000-memory.dmp
                                                Filesize

                                                300KB

                                                Download
                                              • memory/800-496-0x0000000000730000-0x000000000077B000-memory.dmp
                                                Filesize

                                                300KB

                                                Download
                                              • memory/952-271-0x0000000008980000-0x0000000008996000-memory.dmp
                                                Filesize

                                                88KB

                                                Download
                                              • memory/2224-502-0x0000000000400000-0x0000000000D1C000-memory.dmp
                                                Filesize

                                                9.1MB

                                                Download
                                              • memory/2412-38-0x0000000000400000-0x0000000000537000-memory.dmp
                                                Filesize

                                                1.2MB

                                                Download
                                              • memory/2412-26-0x0000000000400000-0x0000000000537000-memory.dmp
                                                Filesize

                                                1.2MB

                                                Download
                                              • memory/2412-25-0x0000000000400000-0x0000000000537000-memory.dmp
                                                Filesize

                                                1.2MB

                                                Download
                                              • memory/2412-24-0x0000000000400000-0x0000000000537000-memory.dmp
                                                Filesize

                                                1.2MB

                                                Download
                                              • memory/2412-22-0x0000000000400000-0x0000000000537000-memory.dmp
                                                Filesize

                                                1.2MB

                                                Download
                                              • memory/2428-122-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-137-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-147-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-146-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-144-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-145-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-143-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-142-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-141-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-139-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-140-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-138-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-99-0x00000000003D0000-0x00000000010B5000-memory.dmp
                                                Filesize

                                                12.9MB

                                                Download
                                              • memory/2428-109-0x0000000001640000-0x0000000001641000-memory.dmp
                                                Filesize

                                                4KB

                                                Download
                                              • memory/2428-108-0x0000000001630000-0x0000000001631000-memory.dmp
                                                Filesize

                                                4KB

                                                Download
                                              • memory/2428-107-0x0000000001620000-0x0000000001621000-memory.dmp
                                                Filesize

                                                4KB

                                                Download
                                              • memory/2428-106-0x0000000001600000-0x0000000001601000-memory.dmp
                                                Filesize

                                                4KB

                                                Download
                                              • memory/2428-105-0x00000000015D0000-0x00000000015D1000-memory.dmp
                                                Filesize

                                                4KB

                                                Download
                                              • memory/2428-104-0x00000000015C0000-0x00000000015C1000-memory.dmp
                                                Filesize

                                                4KB

                                                Download
                                              • memory/2428-111-0x00000000003D0000-0x00000000010B5000-memory.dmp
                                                Filesize

                                                12.9MB

                                                Download
                                              • memory/2428-112-0x0000000001650000-0x0000000001651000-memory.dmp
                                                Filesize

                                                4KB

                                                Download
                                              • memory/2428-113-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-116-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-115-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-114-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-117-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-119-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-118-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-120-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-136-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-123-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-121-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-124-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-129-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-130-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-128-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-127-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-131-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-132-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-126-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-125-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-133-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-134-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2428-135-0x0000000003D10000-0x0000000003E10000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/2560-735-0x000001EED23B0000-0x000001EED23D0000-memory.dmp
                                                Filesize

                                                128KB

                                                Download
                                              • memory/2904-88-0x0000000006CE0000-0x0000000006D30000-memory.dmp
                                                Filesize

                                                320KB

                                                Download
                                              • memory/2904-75-0x00000000057A0000-0x0000000005D46000-memory.dmp
                                                Filesize

                                                5.6MB

                                                Download
                                              • memory/2904-84-0x0000000005490000-0x00000000054A2000-memory.dmp
                                                Filesize

                                                72KB

                                                Download
                                              • memory/2904-89-0x0000000007070000-0x0000000007232000-memory.dmp
                                                Filesize

                                                1.8MB

                                                Download
                                              • memory/2904-83-0x00000000055A0000-0x00000000056AA000-memory.dmp
                                                Filesize

                                                1.0MB

                                                Download
                                              • memory/2904-87-0x0000000005DC0000-0x0000000005E26000-memory.dmp
                                                Filesize

                                                408KB

                                                Download
                                              • memory/2904-86-0x0000000005530000-0x000000000557C000-memory.dmp
                                                Filesize

                                                304KB

                                                Download
                                              • memory/2904-85-0x00000000054B0000-0x00000000054EC000-memory.dmp
                                                Filesize

                                                240KB

                                                Download
                                              • memory/2904-90-0x0000000007E40000-0x000000000836C000-memory.dmp
                                                Filesize

                                                5.2MB

                                                Download
                                              • memory/2904-73-0x0000000000400000-0x0000000000450000-memory.dmp
                                                Filesize

                                                320KB

                                                Download
                                              • memory/2904-78-0x00000000747A0000-0x0000000074F51000-memory.dmp
                                                Filesize

                                                7.7MB

                                                Download
                                              • memory/2904-82-0x0000000006370000-0x0000000006988000-memory.dmp
                                                Filesize

                                                6.1MB

                                                Download
                                              • memory/2904-79-0x0000000005480000-0x0000000005490000-memory.dmp
                                                Filesize

                                                64KB

                                                Download
                                              • memory/2904-80-0x0000000005210000-0x000000000521A000-memory.dmp
                                                Filesize

                                                40KB

                                                Download
                                              • memory/2904-77-0x0000000005290000-0x0000000005322000-memory.dmp
                                                Filesize

                                                584KB

                                                Download
                                              • memory/2984-760-0x0000000000400000-0x00000000008DF000-memory.dmp
                                                Filesize

                                                4.9MB

                                                Download
                                              • memory/3100-495-0x00007FF768A60000-0x00007FF76A9AC000-memory.dmp
                                                Filesize

                                                31.3MB

                                                Download
                                              • memory/3100-479-0x00007FF768A60000-0x00007FF76A9AC000-memory.dmp
                                                Filesize

                                                31.3MB

                                                Download
                                              • memory/3100-320-0x00007FF768A60000-0x00007FF76A9AC000-memory.dmp
                                                Filesize

                                                31.3MB

                                                Download
                                              • memory/3160-69-0x0000000005160000-0x0000000005170000-memory.dmp
                                                Filesize

                                                64KB

                                                Download
                                              • memory/3160-72-0x0000000004F00000-0x0000000004F01000-memory.dmp
                                                Filesize

                                                4KB

                                                Download
                                              • memory/3160-81-0x00000000747A0000-0x0000000074F51000-memory.dmp
                                                Filesize

                                                7.7MB

                                                Download
                                              • memory/3160-68-0x00000000747A0000-0x0000000074F51000-memory.dmp
                                                Filesize

                                                7.7MB

                                                Download
                                              • memory/3160-76-0x00000000029E0000-0x00000000049E0000-memory.dmp
                                                Filesize

                                                32.0MB

                                                Download
                                              • memory/3160-67-0x00000000004E0000-0x0000000000544000-memory.dmp
                                                Filesize

                                                400KB

                                                Download
                                              • memory/3164-45-0x0000000000400000-0x0000000000537000-memory.dmp
                                                Filesize

                                                1.2MB

                                                Download
                                              • memory/3164-44-0x0000000000400000-0x0000000000537000-memory.dmp
                                                Filesize

                                                1.2MB

                                                Download
                                              • memory/3164-47-0x0000000000400000-0x0000000000537000-memory.dmp
                                                Filesize

                                                1.2MB

                                                Download
                                              • memory/3240-266-0x00000000011F0000-0x00000000011F1000-memory.dmp
                                                Filesize

                                                4KB

                                                Download
                                              • memory/3240-4-0x00000000011C0000-0x00000000011D6000-memory.dmp
                                                Filesize

                                                88KB

                                                Download
                                              • memory/3284-5-0x0000000000400000-0x0000000000536000-memory.dmp
                                                Filesize

                                                1.2MB

                                                Download
                                              • memory/3284-3-0x0000000000400000-0x0000000000536000-memory.dmp
                                                Filesize

                                                1.2MB

                                                Download
                                              • memory/3284-1-0x00000000006A0000-0x00000000007A0000-memory.dmp
                                                Filesize

                                                1024KB

                                                Download
                                              • memory/3284-2-0x0000000000690000-0x000000000069B000-memory.dmp
                                                Filesize

                                                44KB

                                                Download
                                              • memory/3300-807-0x0000000000400000-0x00000000008DF000-memory.dmp
                                                Filesize

                                                4.9MB

                                                Download
                                              • memory/3796-791-0x0000011DB3D20000-0x0000011DB3D40000-memory.dmp
                                                Filesize

                                                128KB

                                                Download
                                              • memory/3836-426-0x000001C62DEC0000-0x000001C62DEE0000-memory.dmp
                                                Filesize

                                                128KB

                                                Download
                                              • memory/3844-754-0x0000000000400000-0x0000000000D1C000-memory.dmp
                                                Filesize

                                                9.1MB

                                                Download
                                              • memory/3844-692-0x0000000000400000-0x0000000000D1C000-memory.dmp
                                                Filesize

                                                9.1MB

                                                Download
                                              • memory/3844-806-0x0000000000400000-0x0000000000D1C000-memory.dmp
                                                Filesize

                                                9.1MB

                                                Download
                                              • memory/4220-605-0x000002A5301C0000-0x000002A5301E0000-memory.dmp
                                                Filesize

                                                128KB

                                                Download
                                              • memory/4408-21-0x00000000023D0000-0x00000000024EB000-memory.dmp
                                                Filesize

                                                1.1MB

                                                Download
                                              • memory/4408-20-0x0000000002330000-0x00000000023C4000-memory.dmp
                                                Filesize

                                                592KB

                                                Download
                                              • memory/4580-42-0x0000000002200000-0x000000000229E000-memory.dmp
                                                Filesize

                                                632KB

                                                Download
                                              • memory/4968-311-0x0000000000400000-0x0000000000536000-memory.dmp
                                                Filesize

                                                1.2MB

                                                Download