agenttesla | 0087284a322cf91ec5a05fa7ba7fca06076c72ab6f0f090c4d88b056558804e1

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
Size

965KB
MD5

6ef956ed9f5e1ff71a1e484902a6d1a5
SHA1

f361053480e94e0142a0b8fc81b96c399da81861
SHA256

0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28
SHA512

e7f40cb828e522f22ef412bdca59a2663da81660f26efce5ff73a35b00071039a2b7f7b18a885710b9b9658b4a25af6f8f064415c3397ad6e6b540dda7db5f37
SSDEEP

24576:Jj3+BMwzZcbT/JYjPtfjhEJgL7Fy5wR0D2QAN:EOwzZAT2jPtJj0DHAN

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Downloads MZ/PE file

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

calc.execalc.execalc.execalc.exePO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.execalc.execalc.execalc.execalc.execalc.exePO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.execalc.execalc.execalc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe

Executes dropped EXE 14 IoCs

Processes:

calc.execalc.execalc.execalc.execalc.execalc.execalc.execalc.execalc.execalc.execalc.execalc.execalc.execalc.exe

pid	process
1624	calc.exe
4108	calc.exe
4748	calc.exe
1908	calc.exe
2328	calc.exe
452	calc.exe
4580	calc.exe
2636	calc.exe
2336	calc.exe
4228	calc.exe
2332	calc.exe
4920	calc.exe
4848	calc.exe
1288	calc.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.execalc.execalc.execalc.execalc.execalc.execalc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	calc.exe

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
89	ip-api.com
100	api.ipify.org
113	api.ipify.org
118	api.ipify.org
42	ip-api.com
66	api.ipify.org
73	api.ipify.org
88	api.ipify.org
119	ip-api.com
40	api.ipify.org
41	api.ipify.org

Suspicious use of SetThreadContext 7 IoCs

Processes:

PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.execalc.execalc.execalc.execalc.execalc.execalc.exe

description	pid	process	target process
PID 2652 set thread context of 2596	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
PID 1624 set thread context of 4108	1624	calc.exe	calc.exe
PID 4748 set thread context of 1908	4748	calc.exe	calc.exe
PID 2328 set thread context of 452	2328	calc.exe	calc.exe
PID 4580 set thread context of 2636	4580	calc.exe	calc.exe
PID 2336 set thread context of 4228	2336	calc.exe	calc.exe
PID 2332 set thread context of 4848	2332	calc.exe	calc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3420 schtasks.exe
1980 schtasks.exe
4888 schtasks.exe
4528 schtasks.exe
868 schtasks.exe
1676 schtasks.exe
932 schtasks.exe

pid	process
3420	schtasks.exe
1980	schtasks.exe
4888	schtasks.exe
4528	schtasks.exe
868	schtasks.exe
1676	schtasks.exe
932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exepowershell.exepowershell.exePO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exepowershell.exepowershell.execalc.exepowershell.exepowershell.execalc.exepowershell.exepowershell.execalc.exepowershell.exepowershell.execalc.exepowershell.exepowershell.execalc.exepowershell.exepowershell.execalc.execalc.exe

pid	process
2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
2956	powershell.exe
2956	powershell.exe
3416	powershell.exe
3416	powershell.exe
2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
2596	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
2596	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
2596	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
2956	powershell.exe
3416	powershell.exe
2712	powershell.exe
2712	powershell.exe
2712	powershell.exe
4608	powershell.exe
4608	powershell.exe
4108	calc.exe
4108	calc.exe
4108	calc.exe
4608	powershell.exe
4108	calc.exe
5052	powershell.exe
5052	powershell.exe
5052	powershell.exe
1836	powershell.exe
1836	powershell.exe
1908	calc.exe
1908	calc.exe
1908	calc.exe
1836	powershell.exe
1908	calc.exe
532	powershell.exe
532	powershell.exe
1196	powershell.exe
1196	powershell.exe
452	calc.exe
452	calc.exe
452	calc.exe
1196	powershell.exe
452	calc.exe
720	powershell.exe
720	powershell.exe
1684	powershell.exe
2636	calc.exe
2636	calc.exe
1684	powershell.exe
2636	calc.exe
4392	powershell.exe
4392	powershell.exe
2148	powershell.exe
4228	calc.exe
4228	calc.exe
2148	powershell.exe
4228	calc.exe
3636	powershell.exe
3636	powershell.exe
1896	powershell.exe
2332	calc.exe
2332	calc.exe
4848	calc.exe
4848	calc.exe
1896	powershell.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

calc.exe

pid process

4108 calc.exe

pid	process
4108	calc.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exepowershell.exepowershell.exePO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.execalc.exepowershell.exepowershell.execalc.execalc.exepowershell.exepowershell.execalc.execalc.exepowershell.exepowershell.execalc.execalc.exepowershell.exepowershell.execalc.execalc.exepowershell.exepowershell.execalc.execalc.exepowershell.exepowershell.execalc.exe

description	pid	process
Token: SeDebugPrivilege	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2596	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
Token: SeDebugPrivilege	1624	calc.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	4108	calc.exe
Token: SeDebugPrivilege	4748	calc.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1908	calc.exe
Token: SeDebugPrivilege	2328	calc.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	452	calc.exe
Token: SeDebugPrivilege	4580	calc.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2636	calc.exe
Token: SeDebugPrivilege	2336	calc.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	4228	calc.exe
Token: SeDebugPrivilege	2332	calc.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	4848	calc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.execalc.execalc.execalc.execalc.execalc.execalc.exe

pid process

2596 PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
4108 calc.exe
1908 calc.exe
452 calc.exe
2636 calc.exe
4228 calc.exe
4848 calc.exe

pid	process
2596	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
4108	calc.exe
1908	calc.exe
452	calc.exe
2636	calc.exe
4228	calc.exe
4848	calc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exePO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.execalc.execalc.execalc.execalc.execalc.exe

description	pid	process	target process
PID 2652 wrote to memory of 3416	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	powershell.exe
PID 2652 wrote to memory of 3416	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	powershell.exe
PID 2652 wrote to memory of 3416	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	powershell.exe
PID 2652 wrote to memory of 2956	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	powershell.exe
PID 2652 wrote to memory of 2956	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	powershell.exe
PID 2652 wrote to memory of 2956	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	powershell.exe
PID 2652 wrote to memory of 4888	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	schtasks.exe
PID 2652 wrote to memory of 4888	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	schtasks.exe
PID 2652 wrote to memory of 4888	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	schtasks.exe
PID 2652 wrote to memory of 2596	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
PID 2652 wrote to memory of 2596	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
PID 2652 wrote to memory of 2596	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
PID 2652 wrote to memory of 2596	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
PID 2652 wrote to memory of 2596	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
PID 2652 wrote to memory of 2596	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
PID 2652 wrote to memory of 2596	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
PID 2652 wrote to memory of 2596	2652	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
PID 2596 wrote to memory of 1624	2596	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	calc.exe
PID 2596 wrote to memory of 1624	2596	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	calc.exe
PID 2596 wrote to memory of 1624	2596	PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe	calc.exe
PID 1624 wrote to memory of 2712	1624	calc.exe	powershell.exe
PID 1624 wrote to memory of 2712	1624	calc.exe	powershell.exe
PID 1624 wrote to memory of 2712	1624	calc.exe	powershell.exe
PID 1624 wrote to memory of 4608	1624	calc.exe	powershell.exe
PID 1624 wrote to memory of 4608	1624	calc.exe	powershell.exe
PID 1624 wrote to memory of 4608	1624	calc.exe	powershell.exe
PID 1624 wrote to memory of 4528	1624	calc.exe	schtasks.exe
PID 1624 wrote to memory of 4528	1624	calc.exe	schtasks.exe
PID 1624 wrote to memory of 4528	1624	calc.exe	schtasks.exe
PID 1624 wrote to memory of 4108	1624	calc.exe	calc.exe
PID 1624 wrote to memory of 4108	1624	calc.exe	calc.exe
PID 1624 wrote to memory of 4108	1624	calc.exe	calc.exe
PID 1624 wrote to memory of 4108	1624	calc.exe	calc.exe
PID 1624 wrote to memory of 4108	1624	calc.exe	calc.exe
PID 1624 wrote to memory of 4108	1624	calc.exe	calc.exe
PID 1624 wrote to memory of 4108	1624	calc.exe	calc.exe
PID 1624 wrote to memory of 4108	1624	calc.exe	calc.exe
PID 4108 wrote to memory of 4748	4108	calc.exe	calc.exe
PID 4108 wrote to memory of 4748	4108	calc.exe	calc.exe
PID 4108 wrote to memory of 4748	4108	calc.exe	calc.exe
PID 4748 wrote to memory of 5052	4748	calc.exe	powershell.exe
PID 4748 wrote to memory of 5052	4748	calc.exe	powershell.exe
PID 4748 wrote to memory of 5052	4748	calc.exe	powershell.exe
PID 4748 wrote to memory of 1836	4748	calc.exe	powershell.exe
PID 4748 wrote to memory of 1836	4748	calc.exe	powershell.exe
PID 4748 wrote to memory of 1836	4748	calc.exe	powershell.exe
PID 4748 wrote to memory of 868	4748	calc.exe	schtasks.exe
PID 4748 wrote to memory of 868	4748	calc.exe	schtasks.exe
PID 4748 wrote to memory of 868	4748	calc.exe	schtasks.exe
PID 4748 wrote to memory of 1908	4748	calc.exe	calc.exe
PID 4748 wrote to memory of 1908	4748	calc.exe	calc.exe
PID 4748 wrote to memory of 1908	4748	calc.exe	calc.exe
PID 4748 wrote to memory of 1908	4748	calc.exe	calc.exe
PID 4748 wrote to memory of 1908	4748	calc.exe	calc.exe
PID 4748 wrote to memory of 1908	4748	calc.exe	calc.exe
PID 4748 wrote to memory of 1908	4748	calc.exe	calc.exe
PID 4748 wrote to memory of 1908	4748	calc.exe	calc.exe
PID 1908 wrote to memory of 2328	1908	calc.exe	calc.exe
PID 1908 wrote to memory of 2328	1908	calc.exe	calc.exe
PID 1908 wrote to memory of 2328	1908	calc.exe	calc.exe
PID 2328 wrote to memory of 532	2328	calc.exe	powershell.exe
PID 2328 wrote to memory of 532	2328	calc.exe	powershell.exe
PID 2328 wrote to memory of 532	2328	calc.exe	powershell.exe
PID 2328 wrote to memory of 1196	2328	calc.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
"C:\Users\Admin\AppData\Local\Temp\PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eXuEPbliNOyIp.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eXuEPbliNOyIp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp780E.tmp"
2⤵
- Creates scheduled task(s)
PID:4888

C:\Users\Admin\AppData\Local\Temp\PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe
"C:\Users\Admin\AppData\Local\Temp\PO 22367812_PDF Radiant Chemicals Ltd iGST_eH2mYaM.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\calc.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJQICzbY.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJQICzbY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD755.tmp"
4⤵
- Creates scheduled task(s)
PID:4528

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4108

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\calc.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJQICzbY.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJQICzbY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp22A6.tmp"
6⤵
- Creates scheduled task(s)
PID:868

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\calc.exe"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJQICzbY.exe"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJQICzbY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp72CA.tmp"
8⤵
- Creates scheduled task(s)
PID:1676

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:452

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\calc.exe"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJQICzbY.exe"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJQICzbY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBFB1.tmp"
10⤵
- Creates scheduled task(s)
PID:932

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\calc.exe"
12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJQICzbY.exe"
12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJQICzbY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF4.tmp"
12⤵
- Creates scheduled task(s)
PID:3420

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4228

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\calc.exe"
14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJQICzbY.exe"
14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJQICzbY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EEF.tmp"
14⤵
- Creates scheduled task(s)
PID:1980

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
14⤵
- Executes dropped EXE
PID:4920

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
15⤵
- Executes dropped EXE
PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\calc.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d2a5a82bdb45b96e4ad4025ceb9ffec7

SHA1
86f6895987a7a59ab35af50095016af7893c2b93

SHA256
b3faaaf0f61cec6aecc4e5bb6a1694ae8368d97b3055be59ed5a3fd8e9939826

SHA512
f604307ddfd4febf540153999fbcd5bd9cd91a16d99e82c10979be65298955453ca7af1b7dcf2a7929c6112159aac9687a3912d8039466a55c8b9250d326a0bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e8e4e55fd03a7bfcff918ccbc06eeb34

SHA1
95649529f3ecb6462685789190c95ded870e43b1

SHA256
4110aff67eba43dd5cc30f98d40f371c868b7640a999317e8dff6ac03fdbe91d

SHA512
fc405500ac60bcea1376a8a042741b7ae3308e77cdb39948c5c8be66a7f22c58bc39fea29a6c7524eb1bf48f2930040bd4b0780c0c3b4cb1db533f4940fbce6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
2683cbe63baaa8e52a198e1073850473

SHA1
616d6945ab8c0db305f42674f932db0217bc1364

SHA256
ce2a5dbeebd17b95c9e982befbb13e2b2f53ed2a6aba0e8c42034945b81accd2

SHA512
937a863c0c4d16517f5dd93e6e847abf84d583d089ba17711d67d1ecf70e327798fe8ce463000fe27cfdb75456dc29659d55e5b618bed6029376e3a877c926c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
64eeb9ca4feb9f06204c96d57c591fc7

SHA1
5702aafcb686636b40b5cda02b350403cc92ff4f

SHA256
12a662f0e2342be0c759157011b1af705dad891df3bec45f32bb09b4bd034740

SHA512
5ddfccc57042dd73982a3d4134c332d5f9ce292fb266666eb3f6f1a83be95ad68903cc7e32b931ac1941f567fbee2edc4108300c47a2cd7ed439117a2b0cfc12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
85ace8f853c8f4eaa6ee4f794ed248a6

SHA1
011a3a292dd93a6f5d4ee3f71564a81972625073

SHA256
f9d7805584828162c041481112db63e46efc5345257cea635087367bacef89db

SHA512
fdc866f92482551433bfec8c70095cef9e12ef60490403aeb729e36289dffc35921e33c466d7c9ac9743965962ad8264c343f6275c66463e4079700231dbf5a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
296B

MD5
40f8b6f3448f529bc9a3b332b46695cc

SHA1
7d39bf70a21ddf01d5973f0689362c16b62c33cc

SHA256
c399e7481cfec3a323848a6ef7d1a3ba7376dc177216ffdd44fe960cbdc8777e

SHA512
73853d00028b2ea276f5e2a157d9065f1d144fdd6ddf194cafd4a6fc224cf1fcd0c1b103b2e8f004cc17e0b65e8e10383aaf400c67cb004f6805e1834287aa46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d9164fd6c7cc1d77ca66a37b09e78db3

SHA1
45668e7d5fbdd5821fb6051b651d5178a866e4f9

SHA256
de65c2cc23124d275b6675c216efa15334736fd7a924547ed5e18b4b3e70d7a5

SHA512
272e04757da886df15955dc2922edcbfef1394787cd60e9335e5c1b6f1148d88e8b568df59ff309a832378094dfbeac27ffeda333ca87e4edbc8906028ce1e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n1zr2vt5.em3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\calc.exe
Filesize
914KB

MD5
7ef2acb1bc18a7f27832aed85092c0b5

SHA1
19c7673544d9e235de38627cbfad87a3610a7266

SHA256
0523f9945cbb148b9989609647ff6fbe21e3705a9f43432cbf89d2d0f749a262

SHA512
dfa9629e074c9d52239390cd149d308299e18aabaa2d002622ff435c76dcb882e7c1c98fb661bc974aa7d5bb2464c467260f0d0ff2ede239143a9b6df1a1a461

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe
Filesize
7KB

MD5
bf86c1f521eeef6f24ecf2d9b6e39a4c

SHA1
5e2afc8830134a9cf1358eb379921d2d9f6b712d

SHA256
504f35d215294377137afd0f82bdc6a66fc7cfcf8afd64284c69e818ae2ca23c

SHA512
e30d8c3f86b14f423e64fad880c3579dbd923bb4ff6c31024c098d042669d25d05278e97f8540ea89168ac00f22207eab706e857bb80a782b77cfe0e3c5cb43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp780E.tmp
Filesize
1KB

MD5
e1555e637346f8c6326c7e1dd54543fa

SHA1
b5955cfc057d5326e0ddf4d26025343d9a78e03f

SHA256
8719ba273db873e6aa9a0268fcb56b9dfd4a9ba39b86f9a2abfd4e21772d73ef

SHA512
82f93b148c0f8ec93f0e9898f05d2968b4e19805f1919eee5ca62ab89d9b5573c1248e8a70359f552ca018f82bb54bb83b79646e2b52ae36205bd96a772adb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD755.tmp
Filesize
1KB

MD5
1a5f37fd05b0907c603c77eefcf1eb17

SHA1
42b4bdc5191a96690d13ee1e0065de08c9f91160

SHA256
86ad34104a23e4ef87df5a1bc243f44791b864256eb0afb21aca2a4d96402c63

SHA512
b3196083f4bf8103d382c5f5f8e2964ec4574192f305e30f80356a41a77aedabc2cc3f68ac2f5a8ca3d4f4ae208c331ef532cebcc77359f1a0af417338541b74

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe.exe
Filesize
965KB

MD5
6ef956ed9f5e1ff71a1e484902a6d1a5

SHA1
f361053480e94e0142a0b8fc81b96c399da81861

SHA256
0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28

SHA512
e7f40cb828e522f22ef412bdca59a2663da81660f26efce5ff73a35b00071039a2b7f7b18a885710b9b9658b4a25af6f8f064415c3397ad6e6b540dda7db5f37

Download Submit
memory/532-250-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/532-248-0x00000000056E0000-0x0000000005A34000-memory.dmp

Filesize
3.3MB

Download
memory/720-323-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/1196-293-0x0000000007650000-0x00000000076F3000-memory.dmp

Filesize
652KB

Download
memory/1196-295-0x0000000007930000-0x0000000007944000-memory.dmp

Filesize
80KB

Download
memory/1196-294-0x00000000078F0000-0x0000000007901000-memory.dmp

Filesize
68KB

Download
memory/1196-283-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/1624-103-0x00000000016E0000-0x0000000001700000-memory.dmp

Filesize
128KB

Download
memory/1624-106-0x0000000005AA0000-0x0000000005B24000-memory.dmp

Filesize
528KB

Download
memory/1624-105-0x0000000001710000-0x0000000001724000-memory.dmp

Filesize
80KB

Download
memory/1624-102-0x0000000000DF0000-0x0000000000ED6000-memory.dmp

Filesize
920KB

Download
memory/1684-345-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/1836-222-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/1896-466-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/2148-404-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/2596-104-0x0000000006F90000-0x0000000006FE0000-memory.dmp

Filesize
320KB

Download
memory/2596-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-5-0x0000000007620000-0x000000000762A000-memory.dmp

Filesize
40KB

Download
memory/2652-3-0x0000000007650000-0x00000000076E2000-memory.dmp

Filesize
584KB

Download
memory/2652-6-0x0000000004B80000-0x0000000004B98000-memory.dmp

Filesize
96KB

Download
memory/2652-8-0x0000000004BC0000-0x0000000004BD6000-memory.dmp

Filesize
88KB

Download
memory/2652-24-0x0000000007880000-0x0000000007890000-memory.dmp

Filesize
64KB

Download
memory/2652-4-0x0000000007880000-0x0000000007890000-memory.dmp

Filesize
64KB

Download
memory/2652-20-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2652-1-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2652-49-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2652-7-0x0000000004BB0000-0x0000000004BBE000-memory.dmp

Filesize
56KB

Download
memory/2652-10-0x0000000006410000-0x00000000064AC000-memory.dmp

Filesize
624KB

Download
memory/2652-2-0x0000000007B60000-0x0000000008104000-memory.dmp

Filesize
5.6MB

Download
memory/2652-0-0x00000000007D0000-0x00000000008C4000-memory.dmp

Filesize
976KB

Download
memory/2652-9-0x0000000008990000-0x0000000008A14000-memory.dmp

Filesize
528KB

Download
memory/2712-120-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/2712-116-0x0000000005700000-0x0000000005A54000-memory.dmp

Filesize
3.3MB

Download
memory/2712-119-0x0000000005E10000-0x0000000005E5C000-memory.dmp

Filesize
304KB

Download
memory/2712-130-0x0000000006F80000-0x0000000007023000-memory.dmp

Filesize
652KB

Download
memory/2712-144-0x00000000072F0000-0x0000000007301000-memory.dmp

Filesize
68KB

Download
memory/2712-158-0x0000000007330000-0x0000000007344000-memory.dmp

Filesize
80KB

Download
memory/2956-89-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2956-77-0x0000000006E50000-0x0000000006E5A000-memory.dmp

Filesize
40KB

Download
memory/2956-23-0x00000000045F0000-0x0000000004600000-memory.dmp

Filesize
64KB

Download
memory/2956-22-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2956-51-0x0000000005B40000-0x0000000005B8C000-memory.dmp

Filesize
304KB

Download
memory/2956-50-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

Filesize
120KB

Download
memory/2956-64-0x0000000071850000-0x000000007189C000-memory.dmp

Filesize
304KB

Download
memory/2956-75-0x0000000007420000-0x0000000007A9A000-memory.dmp

Filesize
6.5MB

Download
memory/2956-76-0x0000000006DE0000-0x0000000006DFA000-memory.dmp

Filesize
104KB

Download
memory/3416-25-0x0000000005190000-0x00000000051B2000-memory.dmp

Filesize
136KB

Download
memory/3416-52-0x00000000070E0000-0x0000000007112000-memory.dmp

Filesize
200KB

Download
memory/3416-18-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/3416-15-0x0000000000FA0000-0x0000000000FD6000-memory.dmp

Filesize
216KB

Download
memory/3416-83-0x00000000077A0000-0x00000000077A8000-memory.dmp

Filesize
32KB

Download
memory/3416-78-0x0000000007700000-0x0000000007796000-memory.dmp

Filesize
600KB

Download
memory/3416-74-0x0000000007350000-0x00000000073F3000-memory.dmp

Filesize
652KB

Download
memory/3416-63-0x0000000007320000-0x000000000733E000-memory.dmp

Filesize
120KB

Download
memory/3416-82-0x00000000077C0000-0x00000000077DA000-memory.dmp

Filesize
104KB

Download
memory/3416-17-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/3416-79-0x0000000007680000-0x0000000007691000-memory.dmp

Filesize
68KB

Download
memory/3416-16-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3416-53-0x0000000071850000-0x000000007189C000-memory.dmp

Filesize
304KB

Download
memory/3416-80-0x00000000076B0000-0x00000000076BE000-memory.dmp

Filesize
56KB

Download
memory/3416-81-0x00000000076C0000-0x00000000076D4000-memory.dmp

Filesize
80KB

Download
memory/3416-39-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/3416-19-0x0000000005760000-0x0000000005D88000-memory.dmp

Filesize
6.2MB

Download
memory/3416-27-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/3416-26-0x0000000005230000-0x0000000005296000-memory.dmp

Filesize
408KB

Download
memory/3416-88-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3636-431-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/3636-452-0x00000000078D0000-0x00000000078E1000-memory.dmp

Filesize
68KB

Download
memory/4108-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4392-374-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/4580-301-0x0000000007380000-0x0000000007394000-memory.dmp

Filesize
80KB

Download
memory/4608-171-0x00000000071C0000-0x00000000071D4000-memory.dmp

Filesize
80KB

Download
memory/4608-170-0x0000000007170000-0x0000000007181000-memory.dmp

Filesize
68KB

Download
memory/4608-159-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/5052-210-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/5052-188-0x0000000006280000-0x00000000065D4000-memory.dmp

Filesize
3.3MB

Download