agenttesla | 9566d114c21b49a11275b58e47c8d3ca416e31f3146dc06dd674f5537f2d54e2

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
Size

1.1MB
MD5

a5c9fbb82ba442c54ec490f8e7211195
SHA1

87c51e39b5f066cf8d1cc4dc428a95e0021503eb
SHA256

498f04d4b87ac4306d90f28eb28f250d33b4d8d6c573feb6ddc09dc1cf0b678d
SHA512

a782a15a8a0438cca4e900a59ad8b2f8c17e16aaf410731e6a20d97aae6c8dafcffb229b3c2164f34afc87f2105255cc4999186f7802876804fa1c7570849192
SSDEEP

24576:BqDEvCTbMWu7rQYlBQcBiT6rprG8aWlPTFhyjICNe:BTvC/MTQYxsWR7aWlPwr

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.deeptrans.com.tr
Port:
587
Username:
[email protected]
Password:
59ace821A

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3104-31-0x0000000002F60000-0x0000000002FB6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-36-0x0000000005620000-0x0000000005674000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-37-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-56-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-96-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-94-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-90-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-88-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-86-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-84-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-82-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-80-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-78-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-76-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-74-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-70-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-68-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-66-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-64-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-62-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-60-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-58-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-54-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-52-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-50-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-48-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-46-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-44-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-92-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-42-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-72-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-40-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3104-38-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detect packed .NET executables. Mostly AgentTeslaV4. 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3104-31-0x0000000002F60000-0x0000000002FB6000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-36-0x0000000005620000-0x0000000005674000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-37-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-56-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-96-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-94-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-90-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-88-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-86-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-84-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-82-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-80-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-78-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-76-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-74-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-70-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-68-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-66-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-64-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-62-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-60-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-58-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-54-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-52-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-50-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-48-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-46-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-44-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-92-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-42-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-72-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-40-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/3104-38-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3104-31-0x0000000002F60000-0x0000000002FB6000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-36-0x0000000005620000-0x0000000005674000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-37-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-56-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-96-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-94-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-90-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-88-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-86-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-84-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-82-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-80-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-78-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-76-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-74-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-70-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-68-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-66-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-64-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-62-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-60-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-58-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-54-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-52-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-50-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-48-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-46-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-44-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-92-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-42-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-72-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-40-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3104-38-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3104-31-0x0000000002F60000-0x0000000002FB6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-36-0x0000000005620000-0x0000000005674000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-37-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-56-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-96-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-94-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-90-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-88-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-86-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-84-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-82-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-80-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-78-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-76-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-74-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-70-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-68-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-66-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-64-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-62-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-60-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-58-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-54-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-52-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-50-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-48-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-46-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-44-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-92-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-42-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-72-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-40-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/3104-38-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3104-31-0x0000000002F60000-0x0000000002FB6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-36-0x0000000005620000-0x0000000005674000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-37-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-56-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-96-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-94-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-90-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-88-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-86-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-84-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-82-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-80-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-78-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-76-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-74-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-70-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-68-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-66-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-64-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-62-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-60-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-58-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-54-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-52-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-50-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-48-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-46-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-44-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-92-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-42-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-72-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-40-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3104-38-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3104-31-0x0000000002F60000-0x0000000002FB6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-36-0x0000000005620000-0x0000000005674000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-37-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-56-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-96-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-94-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-90-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-88-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-86-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-84-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-82-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-80-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-78-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-76-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-74-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-70-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-68-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-66-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-64-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-62-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-60-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-58-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-54-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-52-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-50-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-48-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-46-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-44-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-92-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-42-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-72-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-40-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3104-38-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3104-31-0x0000000002F60000-0x0000000002FB6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-36-0x0000000005620000-0x0000000005674000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-37-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-56-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-96-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-94-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-90-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-88-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-86-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-84-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-82-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-80-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-78-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-76-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-74-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-70-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-68-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-66-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-64-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-62-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-60-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-58-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-54-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-52-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-50-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-48-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-46-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-44-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-92-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-42-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-72-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-40-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/3104-38-0x0000000005620000-0x000000000566F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctsdvwT = "C:\\Users\\Admin\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe

description pid process target process

PID 3896 set thread context of 3104 3896 YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

3104 RegSvcs.exe
3104 RegSvcs.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exeYILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe

pid process

1428 YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
3896 YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 3104 RegSvcs.exe

description	pid	process	target process
PID 3896 set thread context of 3104	3896	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe	RegSvcs.exe

pid	process
3104	RegSvcs.exe
3104	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3104	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exeYILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe

pid	process
1428	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
1428	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
3896	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
3896	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exeYILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe

pid	process
1428	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
1428	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
3896	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
3896	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

3104 RegSvcs.exe

pid	process
3104	RegSvcs.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exeYILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe

description	pid	process	target process
PID 1428 wrote to memory of 4860	1428	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe	RegSvcs.exe
PID 1428 wrote to memory of 4860	1428	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe	RegSvcs.exe
PID 1428 wrote to memory of 4860	1428	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe	RegSvcs.exe
PID 1428 wrote to memory of 3896	1428	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
PID 1428 wrote to memory of 3896	1428	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
PID 1428 wrote to memory of 3896	1428	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
PID 3896 wrote to memory of 3104	3896	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe	RegSvcs.exe
PID 3896 wrote to memory of 3104	3896	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe	RegSvcs.exe
PID 3896 wrote to memory of 3104	3896	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe	RegSvcs.exe
PID 3896 wrote to memory of 3104	3896	YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe"
2⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\YILMAZ - Turkey_0058118592 - VANTUZ.pdf.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut39DC.tmp
Filesize
265KB

MD5
1980eab2bb1afdbc606ed05b2fc65ed4

SHA1
b2cef9aa804a252826646989dd9fcf04d3f3b2a2

SHA256
2bb9019ccc85c485234cbe5a3dd74a55140bfe5b526b818d4a03a13a2ff13f47

SHA512
6f3bf1c7f2c511b80af05b80bcd4b6282f394aa7f66e1bb54f08e683182fe9acf170e29d387836a00f2689c236b8f4d547b931511614798ea055b58390ab8b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\poufs
Filesize
29KB

MD5
0e2c1919e02586d925cbc54de0a0bc86

SHA1
e30c1605f4e09da6a7a488a5f445751d40adf18f

SHA256
2cbcf8686c01209643c754ecda94d852340ae86f025258b8da223b8b05ec4b97

SHA512
7a4f29d1a029430b6afd69eff69e11c08400ab01f1ea252ab3e3d4e4e4584d2f57c84e96287d53b7c2a8da49e23488319ef56e5b28e02f930e15db54841e7ccf

Download Submit
memory/1428-12-0x0000000002380000-0x0000000002384000-memory.dmp

Filesize
16KB

Download
memory/3104-27-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3104-29-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3104-30-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3104-28-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3104-31-0x0000000002F60000-0x0000000002FB6000-memory.dmp

Filesize
344KB

Download
memory/3104-33-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/3104-32-0x00000000741C0000-0x0000000074970000-memory.dmp

Filesize
7.7MB

Download
memory/3104-34-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/3104-35-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/3104-36-0x0000000005620000-0x0000000005674000-memory.dmp

Filesize
336KB

Download
memory/3104-37-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-56-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-96-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-94-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-90-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-88-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-86-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-84-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-82-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-80-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-78-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-76-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-74-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-70-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-68-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-66-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-64-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-62-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-60-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-58-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-54-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-52-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-50-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-48-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-46-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-44-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-92-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-42-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-72-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-40-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-38-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3104-1133-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/3104-1134-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/3104-1136-0x0000000006650000-0x00000000066A0000-memory.dmp

Filesize
320KB

Download
memory/3104-1137-0x0000000006740000-0x00000000067DC000-memory.dmp

Filesize
624KB

Download
memory/3104-1138-0x0000000006AC0000-0x0000000006B52000-memory.dmp

Filesize
584KB

Download
memory/3104-1139-0x0000000006A80000-0x0000000006A8A000-memory.dmp

Filesize
40KB

Download
memory/3104-1140-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3104-1141-0x00000000741C0000-0x0000000074970000-memory.dmp

Filesize
7.7MB

Download
memory/3104-1142-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/3104-1143-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/3104-1144-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download