agenttesla | 0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
Size

965KB
MD5

6ef956ed9f5e1ff71a1e484902a6d1a5
SHA1

f361053480e94e0142a0b8fc81b96c399da81861
SHA256

0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28
SHA512

e7f40cb828e522f22ef412bdca59a2663da81660f26efce5ff73a35b00071039a2b7f7b18a885710b9b9658b4a25af6f8f064415c3397ad6e6b540dda7db5f37
SSDEEP

24576:Jj3+BMwzZcbT/JYjPtfjhEJgL7Fy5wR0D2QAN:EOwzZAT2jPtJj0DHAN

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Downloads MZ/PE file

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

calc.execalc.execalc.execalc.exe0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.execalc.execalc.exe0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.execalc.execalc.execalc.execalc.execalc.execalc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	calc.exe

Executes dropped EXE 13 IoCs

Processes:

calc.execalc.execalc.execalc.execalc.execalc.execalc.execalc.execalc.execalc.execalc.execalc.execalc.exe

pid	process
4664	calc.exe
5008	calc.exe
1924	calc.exe
1004	calc.exe
4384	calc.exe
3088	calc.exe
1620	calc.exe
4880	calc.exe
3320	calc.exe
116	calc.exe
3392	calc.exe
2436	calc.exe
3020	calc.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.execalc.execalc.execalc.execalc.execalc.execalc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe.exe"	calc.exe

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
57	api.ipify.org
62	api.ipify.org
79	api.ipify.org
110	api.ipify.org
111	api.ipify.org
31	api.ipify.org
32	api.ipify.org
33	ip-api.com
80	ip-api.com
89	api.ipify.org
105	api.ipify.org

Suspicious use of SetThreadContext 7 IoCs

Processes:

0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.execalc.execalc.execalc.execalc.execalc.execalc.exe

description	pid	process	target process
PID 3744 set thread context of 2952	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
PID 4664 set thread context of 5008	4664	calc.exe	calc.exe
PID 1924 set thread context of 1004	1924	calc.exe	calc.exe
PID 4384 set thread context of 3088	4384	calc.exe	calc.exe
PID 1620 set thread context of 4880	1620	calc.exe	calc.exe
PID 3320 set thread context of 116	3320	calc.exe	calc.exe
PID 3392 set thread context of 2436	3392	calc.exe	calc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3284 schtasks.exe
1560 schtasks.exe
4884 schtasks.exe
4732 schtasks.exe
2784 schtasks.exe
2096 schtasks.exe
2080 schtasks.exe

pid	process
3284	schtasks.exe
1560	schtasks.exe
4884	schtasks.exe
4732	schtasks.exe
2784	schtasks.exe
2096	schtasks.exe
2080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exepowershell.exepowershell.exe0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exepowershell.exepowershell.execalc.exepowershell.exepowershell.execalc.exepowershell.exepowershell.execalc.exepowershell.exepowershell.execalc.exepowershell.exepowershell.execalc.exepowershell.exepowershell.execalc.exe

pid	process
3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
4092	powershell.exe
4092	powershell.exe
1816	powershell.exe
1816	powershell.exe
3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
2952	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
2952	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
2952	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
4092	powershell.exe
1816	powershell.exe
3100	powershell.exe
3100	powershell.exe
1380	powershell.exe
1380	powershell.exe
5008	calc.exe
5008	calc.exe
1380	powershell.exe
5008	calc.exe
3056	powershell.exe
3056	powershell.exe
1112	powershell.exe
1112	powershell.exe
1004	calc.exe
1004	calc.exe
1004	calc.exe
1112	powershell.exe
1004	calc.exe
2920	powershell.exe
2920	powershell.exe
2316	powershell.exe
2316	powershell.exe
3088	calc.exe
3088	calc.exe
2316	powershell.exe
3088	calc.exe
4428	powershell.exe
4428	powershell.exe
3064	powershell.exe
4880	calc.exe
4880	calc.exe
3064	powershell.exe
4880	calc.exe
4196	powershell.exe
4196	powershell.exe
2784	powershell.exe
116	calc.exe
116	calc.exe
2784	powershell.exe
116	calc.exe
2248	powershell.exe
2248	powershell.exe
4176	powershell.exe
2436	calc.exe
2436	calc.exe
4176	powershell.exe
2436	calc.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

calc.execalc.exe

pid process

5008 calc.exe
1004 calc.exe

pid	process
5008	calc.exe
1004	calc.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exepowershell.exepowershell.exe0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.execalc.exepowershell.exepowershell.execalc.execalc.exepowershell.exepowershell.execalc.execalc.exepowershell.exepowershell.execalc.execalc.exepowershell.exepowershell.execalc.execalc.exepowershell.exepowershell.execalc.execalc.exepowershell.exepowershell.execalc.exe

description	pid	process
Token: SeDebugPrivilege	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2952	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
Token: SeDebugPrivilege	4664	calc.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	5008	calc.exe
Token: SeDebugPrivilege	1924	calc.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1004	calc.exe
Token: SeDebugPrivilege	4384	calc.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	3088	calc.exe
Token: SeDebugPrivilege	1620	calc.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	4880	calc.exe
Token: SeDebugPrivilege	3320	calc.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	116	calc.exe
Token: SeDebugPrivilege	3392	calc.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	2436	calc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.execalc.execalc.execalc.execalc.execalc.execalc.exe

pid	process
2952	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
5008	calc.exe
1004	calc.exe
3088	calc.exe
4880	calc.exe
116	calc.exe
2436	calc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.execalc.execalc.execalc.execalc.execalc.exe

description	pid	process	target process
PID 3744 wrote to memory of 4092	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	powershell.exe
PID 3744 wrote to memory of 4092	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	powershell.exe
PID 3744 wrote to memory of 4092	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	powershell.exe
PID 3744 wrote to memory of 1816	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	powershell.exe
PID 3744 wrote to memory of 1816	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	powershell.exe
PID 3744 wrote to memory of 1816	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	powershell.exe
PID 3744 wrote to memory of 3284	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	schtasks.exe
PID 3744 wrote to memory of 3284	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	schtasks.exe
PID 3744 wrote to memory of 3284	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	schtasks.exe
PID 3744 wrote to memory of 2224	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
PID 3744 wrote to memory of 2224	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
PID 3744 wrote to memory of 2224	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
PID 3744 wrote to memory of 2952	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
PID 3744 wrote to memory of 2952	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
PID 3744 wrote to memory of 2952	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
PID 3744 wrote to memory of 2952	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
PID 3744 wrote to memory of 2952	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
PID 3744 wrote to memory of 2952	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
PID 3744 wrote to memory of 2952	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
PID 3744 wrote to memory of 2952	3744	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
PID 2952 wrote to memory of 4664	2952	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	calc.exe
PID 2952 wrote to memory of 4664	2952	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	calc.exe
PID 2952 wrote to memory of 4664	2952	0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe	calc.exe
PID 4664 wrote to memory of 3100	4664	calc.exe	powershell.exe
PID 4664 wrote to memory of 3100	4664	calc.exe	powershell.exe
PID 4664 wrote to memory of 3100	4664	calc.exe	powershell.exe
PID 4664 wrote to memory of 1380	4664	calc.exe	powershell.exe
PID 4664 wrote to memory of 1380	4664	calc.exe	powershell.exe
PID 4664 wrote to memory of 1380	4664	calc.exe	powershell.exe
PID 4664 wrote to memory of 1560	4664	calc.exe	schtasks.exe
PID 4664 wrote to memory of 1560	4664	calc.exe	schtasks.exe
PID 4664 wrote to memory of 1560	4664	calc.exe	schtasks.exe
PID 4664 wrote to memory of 5008	4664	calc.exe	calc.exe
PID 4664 wrote to memory of 5008	4664	calc.exe	calc.exe
PID 4664 wrote to memory of 5008	4664	calc.exe	calc.exe
PID 4664 wrote to memory of 5008	4664	calc.exe	calc.exe
PID 4664 wrote to memory of 5008	4664	calc.exe	calc.exe
PID 4664 wrote to memory of 5008	4664	calc.exe	calc.exe
PID 4664 wrote to memory of 5008	4664	calc.exe	calc.exe
PID 4664 wrote to memory of 5008	4664	calc.exe	calc.exe
PID 5008 wrote to memory of 1924	5008	calc.exe	calc.exe
PID 5008 wrote to memory of 1924	5008	calc.exe	calc.exe
PID 5008 wrote to memory of 1924	5008	calc.exe	calc.exe
PID 1924 wrote to memory of 3056	1924	calc.exe	powershell.exe
PID 1924 wrote to memory of 3056	1924	calc.exe	powershell.exe
PID 1924 wrote to memory of 3056	1924	calc.exe	powershell.exe
PID 1924 wrote to memory of 1112	1924	calc.exe	powershell.exe
PID 1924 wrote to memory of 1112	1924	calc.exe	powershell.exe
PID 1924 wrote to memory of 1112	1924	calc.exe	powershell.exe
PID 1924 wrote to memory of 4884	1924	calc.exe	schtasks.exe
PID 1924 wrote to memory of 4884	1924	calc.exe	schtasks.exe
PID 1924 wrote to memory of 4884	1924	calc.exe	schtasks.exe
PID 1924 wrote to memory of 1004	1924	calc.exe	calc.exe
PID 1924 wrote to memory of 1004	1924	calc.exe	calc.exe
PID 1924 wrote to memory of 1004	1924	calc.exe	calc.exe
PID 1924 wrote to memory of 1004	1924	calc.exe	calc.exe
PID 1924 wrote to memory of 1004	1924	calc.exe	calc.exe
PID 1924 wrote to memory of 1004	1924	calc.exe	calc.exe
PID 1924 wrote to memory of 1004	1924	calc.exe	calc.exe
PID 1924 wrote to memory of 1004	1924	calc.exe	calc.exe
PID 1004 wrote to memory of 4384	1004	calc.exe	calc.exe
PID 1004 wrote to memory of 4384	1004	calc.exe	calc.exe
PID 1004 wrote to memory of 4384	1004	calc.exe	calc.exe
PID 4384 wrote to memory of 2920	4384	calc.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
"C:\Users\Admin\AppData\Local\Temp\0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eXuEPbliNOyIp.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eXuEPbliNOyIp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E2B.tmp"
2⤵
- Creates scheduled task(s)
PID:3284

C:\Users\Admin\AppData\Local\Temp\0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
"C:\Users\Admin\AppData\Local\Temp\0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe"
2⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe
"C:\Users\Admin\AppData\Local\Temp\0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\calc.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJQICzbY.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJQICzbY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC94B.tmp"
4⤵
- Creates scheduled task(s)
PID:1560

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\calc.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJQICzbY.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJQICzbY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp179A.tmp"
6⤵
- Creates scheduled task(s)
PID:4884

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\calc.exe"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJQICzbY.exe"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJQICzbY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6433.tmp"
8⤵
- Creates scheduled task(s)
PID:4732

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3088

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\calc.exe"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJQICzbY.exe"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJQICzbY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB224.tmp"
10⤵
- Creates scheduled task(s)
PID:2784

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4880

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\calc.exe"
12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJQICzbY.exe"
12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJQICzbY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFDD3.tmp"
12⤵
- Creates scheduled task(s)
PID:2096

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:116

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\calc.exe"
14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJQICzbY.exe"
14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJQICzbY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp48C7.tmp"
14⤵
- Creates scheduled task(s)
PID:2080

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
15⤵
- Executes dropped EXE
PID:3020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\calc.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
eb53ea048d143f68a026d439de324b37

SHA1
e5eb46f596dbd1cc8565899d6e08b7f1e8bac1b1

SHA256
5bc00791ccf76976f50b34f0cbd54e3c411cd12641c210be9a28d647a859888d

SHA512
7f840a369d8403235bc1c032db92f48471cc3db9bf483340bfe0219ad441119f2962fbd537597ce8ee35deb5c603cd59a641d26f4e33ff51bc136219380258a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
244B

MD5
1a3c914da15747e6985981e2f89fc1af

SHA1
ad6679e18c08276fa8c2b01a11ee371f89c3822f

SHA256
747c2d1f3ad02b375a8e93056b0c0a3aff3cf95d848f7ea3a6d7dcead5f98768

SHA512
7f0938663aaee96bbb4fd41661420829903073e12dda7a0fa079bd6fbd5c799285afead2278115c18783ad7e3e8e7e17dd0461ede410660b2001ccbed4666789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
3a7f478cde0b8289adb58f11593bd067

SHA1
85af8e1f8e55b9d82f805415f08d11d0ee12fb76

SHA256
4c06b4e7c983cff809e1fe86f07f5f69ddca8bf454605eb7ca64a436317a6286

SHA512
4c82afd5ff88e0c1b501d5aa7a1442f66dafa6c8b956ebfe0296876c0432dccef9158cd20ff9f5bdb58c3968cbb44a592d185e01c9aa481f4011cc01c2dd9aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
711d5594ec4dd0117717900880af7143

SHA1
fb917a894a37095a6e883eb6143f1f5864bf5ff7

SHA256
ccc628bc314dad568ce2e38fce2cba3bf6cf824528a6a27b36d61e7628118f58

SHA512
fbf337a0d538e13cc7153fb5c5da12b6482b548f49e9a8fa2d3b953cfee59b264dce8fd69fd9cfc101c4390ac8e56dfc501866fdbdd5dc5699db7077de5ce8d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
6de508f7492562cd38bc9cf4e05c5058

SHA1
38d2db6f91aa3f41e5822a2ec1985aa1f698675c

SHA256
7dbcca918a92262e9bc84bb4ac18758a45eb59a83066848942b1b92275fdc4d8

SHA512
00b0687489928253d1523cd48f67b118bb9004862c199cc5c8232a9cc030bd95c34d5ae59d16a4500402c85a201fcd914745e4c19dc9e46e310e59f148e64bbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
56d7b0adcd5e7f8c77b63e9e749dd121

SHA1
f82b3594beca82fb7dfb076ae9c6e65dc771760f

SHA256
3d15a601cad41383f3cbe776c8ed2e3eff3b563f6e54c121224d67d30470d63b

SHA512
26b3f06087974ec3d00d584000e3ceac5e3dbad7857d2f2237d0b928c4677280bead0313d7f20d27ef8825c51e70a1798059ae2c5432f88f335277efff3b25c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
3a548358c376b3077a8eb567ca274a91

SHA1
0e4b6d6c42af35648da6839fb93f45c8099e6f36

SHA256
a23e95f63a7fbca51166041796d9520d43b080fbde1ec6cfe67c862bdc71d460

SHA512
f45653fcaca09cdc87dd4f1f5b97980f318552b1b5e2c340adc32083efe3d6f15fbf60213a0e3d4e7614efd3551e5a01356c31a99a8c551e454a9f3087f83a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e512a1e236fc0740bf07267e357443bc

SHA1
8c8fcf02d49f06af05f2ce24b2d1e12352a896ef

SHA256
290f220902a55168836386c0a03a566a78e941e647c907a46e13873cdb76190d

SHA512
9d1c475c591d89dd63d9d490cb43471c96507ff8acb4ad529ebf80fe2d3c7c52c25febd864230ff4e954f2c17e876dd86b458cc3dff37a0b00377949f06da759

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lasdmccc.ncy.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\calc.exe
Filesize
914KB

MD5
7ef2acb1bc18a7f27832aed85092c0b5

SHA1
19c7673544d9e235de38627cbfad87a3610a7266

SHA256
0523f9945cbb148b9989609647ff6fbe21e3705a9f43432cbf89d2d0f749a262

SHA512
dfa9629e074c9d52239390cd149d308299e18aabaa2d002622ff435c76dcb882e7c1c98fb661bc974aa7d5bb2464c467260f0d0ff2ede239143a9b6df1a1a461

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe
Filesize
7KB

MD5
bf86c1f521eeef6f24ecf2d9b6e39a4c

SHA1
5e2afc8830134a9cf1358eb379921d2d9f6b712d

SHA256
504f35d215294377137afd0f82bdc6a66fc7cfcf8afd64284c69e818ae2ca23c

SHA512
e30d8c3f86b14f423e64fad880c3579dbd923bb4ff6c31024c098d042669d25d05278e97f8540ea89168ac00f22207eab706e857bb80a782b77cfe0e3c5cb43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E2B.tmp
Filesize
1KB

MD5
e1555e637346f8c6326c7e1dd54543fa

SHA1
b5955cfc057d5326e0ddf4d26025343d9a78e03f

SHA256
8719ba273db873e6aa9a0268fcb56b9dfd4a9ba39b86f9a2abfd4e21772d73ef

SHA512
82f93b148c0f8ec93f0e9898f05d2968b4e19805f1919eee5ca62ab89d9b5573c1248e8a70359f552ca018f82bb54bb83b79646e2b52ae36205bd96a772adb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC94B.tmp
Filesize
1KB

MD5
1a5f37fd05b0907c603c77eefcf1eb17

SHA1
42b4bdc5191a96690d13ee1e0065de08c9f91160

SHA256
86ad34104a23e4ef87df5a1bc243f44791b864256eb0afb21aca2a4d96402c63

SHA512
b3196083f4bf8103d382c5f5f8e2964ec4574192f305e30f80356a41a77aedabc2cc3f68ac2f5a8ca3d4f4ae208c331ef532cebcc77359f1a0af417338541b74

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe.exe
Filesize
965KB

MD5
6ef956ed9f5e1ff71a1e484902a6d1a5

SHA1
f361053480e94e0142a0b8fc81b96c399da81861

SHA256
0b801481f7062a60c4167729e03d45d605b766d368a5f13efc6906558ad60f28

SHA512
e7f40cb828e522f22ef412bdca59a2663da81660f26efce5ff73a35b00071039a2b7f7b18a885710b9b9658b4a25af6f8f064415c3397ad6e6b540dda7db5f37

Download Submit
memory/1112-222-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/1380-160-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/1380-170-0x0000000006EB0000-0x0000000006F53000-memory.dmp

Filesize
652KB

Download
memory/1380-171-0x00000000071B0000-0x00000000071C4000-memory.dmp

Filesize
80KB

Download
memory/1816-82-0x0000000007B50000-0x0000000007B6A000-memory.dmp

Filesize
104KB

Download
memory/1816-24-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/1816-23-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/1816-22-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/1816-90-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/1816-64-0x0000000071500000-0x000000007154C000-memory.dmp

Filesize
304KB

Download
memory/1816-81-0x0000000007A50000-0x0000000007A64000-memory.dmp

Filesize
80KB

Download
memory/1816-79-0x0000000007A10000-0x0000000007A21000-memory.dmp

Filesize
68KB

Download
memory/1816-75-0x0000000007E50000-0x00000000084CA000-memory.dmp

Filesize
6.5MB

Download
memory/1816-76-0x0000000007810000-0x000000000782A000-memory.dmp

Filesize
104KB

Download
memory/2248-443-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/2316-285-0x000000006F610000-0x000000006F65C000-memory.dmp

Filesize
304KB

Download
memory/2784-406-0x000000006F610000-0x000000006F65C000-memory.dmp

Filesize
304KB

Download
memory/2920-249-0x0000000006260000-0x00000000062AC000-memory.dmp

Filesize
304KB

Download
memory/2920-284-0x0000000007780000-0x0000000007794000-memory.dmp

Filesize
80KB

Download
memory/2920-238-0x0000000005B10000-0x0000000005E64000-memory.dmp

Filesize
3.3MB

Download
memory/2920-260-0x000000006F610000-0x000000006F65C000-memory.dmp

Filesize
304KB

Download
memory/2920-270-0x0000000007460000-0x0000000007503000-memory.dmp

Filesize
652KB

Download
memory/2920-283-0x0000000007730000-0x0000000007741000-memory.dmp

Filesize
68KB

Download
memory/2952-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-104-0x00000000069D0000-0x0000000006A20000-memory.dmp

Filesize
320KB

Download
memory/3056-199-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/3064-346-0x000000006F610000-0x000000006F65C000-memory.dmp

Filesize
304KB

Download
memory/3064-356-0x0000000007EE0000-0x0000000007EF1000-memory.dmp

Filesize
68KB

Download
memory/3064-357-0x0000000007F10000-0x0000000007F24000-memory.dmp

Filesize
80KB

Download
memory/3100-117-0x0000000005DB0000-0x0000000006104000-memory.dmp

Filesize
3.3MB

Download
memory/3100-158-0x0000000007790000-0x00000000077A4000-memory.dmp

Filesize
80KB

Download
memory/3100-144-0x0000000007740000-0x0000000007751000-memory.dmp

Filesize
68KB

Download
memory/3100-137-0x0000000007470000-0x0000000007513000-memory.dmp

Filesize
652KB

Download
memory/3100-123-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/3100-119-0x0000000006250000-0x000000000629C000-memory.dmp

Filesize
304KB

Download
memory/3744-10-0x00000000068C0000-0x000000000695C000-memory.dmp

Filesize
624KB

Download
memory/3744-8-0x0000000002E70000-0x0000000002E86000-memory.dmp

Filesize
88KB

Download
memory/3744-1-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/3744-2-0x0000000008010000-0x00000000085B4000-memory.dmp

Filesize
5.6MB

Download
memory/3744-9-0x0000000008D90000-0x0000000008E14000-memory.dmp

Filesize
528KB

Download
memory/3744-3-0x0000000007B00000-0x0000000007B92000-memory.dmp

Filesize
584KB

Download
memory/3744-4-0x0000000007C70000-0x0000000007C80000-memory.dmp

Filesize
64KB

Download
memory/3744-5-0x0000000007AC0000-0x0000000007ACA000-memory.dmp

Filesize
40KB

Download
memory/3744-46-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/3744-6-0x0000000002E30000-0x0000000002E48000-memory.dmp

Filesize
96KB

Download
memory/3744-0-0x0000000000AE0000-0x0000000000BD4000-memory.dmp

Filesize
976KB

Download
memory/3744-20-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/3744-7-0x0000000002E60000-0x0000000002E6E000-memory.dmp

Filesize
56KB

Download
memory/4092-86-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/4092-83-0x0000000007F90000-0x0000000007F98000-memory.dmp

Filesize
32KB

Download
memory/4092-18-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/4092-25-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/4092-15-0x0000000003030000-0x0000000003066000-memory.dmp

Filesize
216KB

Download
memory/4092-16-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/4092-27-0x0000000006310000-0x0000000006376000-memory.dmp

Filesize
408KB

Download
memory/4092-19-0x0000000005AD0000-0x00000000060F8000-memory.dmp

Filesize
6.2MB

Download
memory/4092-45-0x0000000006380000-0x00000000066D4000-memory.dmp

Filesize
3.3MB

Download
memory/4092-50-0x0000000006950000-0x000000000696E000-memory.dmp

Filesize
120KB

Download
memory/4092-17-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/4092-26-0x0000000006170000-0x00000000061D6000-memory.dmp

Filesize
408KB

Download
memory/4092-51-0x00000000069E0000-0x0000000006A2C000-memory.dmp

Filesize
304KB

Download
memory/4092-53-0x0000000071500000-0x000000007154C000-memory.dmp

Filesize
304KB

Download
memory/4092-80-0x0000000007EA0000-0x0000000007EAE000-memory.dmp

Filesize
56KB

Download
memory/4092-52-0x0000000006F20000-0x0000000006F52000-memory.dmp

Filesize
200KB

Download
memory/4092-65-0x0000000007B40000-0x0000000007BE3000-memory.dmp

Filesize
652KB

Download
memory/4092-63-0x0000000007910000-0x000000000792E000-memory.dmp

Filesize
120KB

Download
memory/4092-77-0x0000000007CE0000-0x0000000007CEA000-memory.dmp

Filesize
40KB

Download
memory/4092-78-0x0000000007EF0000-0x0000000007F86000-memory.dmp

Filesize
600KB

Download
memory/4176-465-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/4196-374-0x000000006F610000-0x000000006F65C000-memory.dmp

Filesize
304KB

Download
memory/4428-344-0x0000000007F10000-0x0000000007F21000-memory.dmp

Filesize
68KB

Download
memory/4428-312-0x000000006F610000-0x000000006F65C000-memory.dmp

Filesize
304KB

Download
memory/4664-107-0x0000000005020000-0x00000000050A4000-memory.dmp

Filesize
528KB

Download
memory/4664-105-0x00000000024A0000-0x00000000024C0000-memory.dmp

Filesize
128KB

Download
memory/4664-103-0x0000000000380000-0x0000000000466000-memory.dmp

Filesize
920KB

Download
memory/4664-106-0x00000000024D0000-0x00000000024E4000-memory.dmp

Filesize
80KB

Download
memory/5008-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download