glupteba | 15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126

Analysis

max time kernel
4s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-05-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe
Size

410KB
MD5

b76b8463d2167fa7f1feb1d562fe18ac
SHA1

9870f08014840f890ef57200a87775d5d199cb5f
SHA256

15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126
SHA512

c137dcebc7ea2da5a90898c73ddbf54370d168d7655acffa4cae62586b53e7064871d10b39af363b664529bb39fb60ae895ad61f2ed766f7390a874dbcf01361
SSDEEP

12288:IpUaCbA1fQy08IAKsVU5kTc9E4rQQm+7fLiEivqUa:I1CbAP0zAr1TEE4r0+6pCUa

Score

10^/10

glupteba stealc zgrat dropper evasion execution loader rat stealer themida trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/892-180-0x0000022D4FAC0000-0x0000022D532F4000-memory.dmp	family_zgrat_v1
behavioral2/memory/892-181-0x0000022D6DD30000-0x0000022D6DE3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/892-185-0x0000022D550E0000-0x0000022D55104000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 11 IoCs

resource	yara_rule
behavioral2/memory/428-1052-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/2808-1057-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/656-1059-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/656-1195-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/4456-1343-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5644-2625-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5680-2626-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5680-2866-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5316-4297-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5956-4395-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5956-5013-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2004	powershell.exe
5828	powershell.exe
1736	powershell.exe
5768	powershell.exe
5664	powershell.exe
4960	powershell.exe
4412	powershell.exe
2488	powershell.exe
1252	powershell.exe
240	powershell.exe
5904	powershell.exe
1324	powershell.exe
4932	powershell.exe
5300	powershell.exe
408	powershell.exe
4440	powershell.exe
5296	powershell.exe
2756	powershell.exe
3560	powershell.exe
196	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4988	netsh.exe
220	netsh.exe
2948	netsh.exe
3552	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A2k0zXvM0TyzJcSpQ6Nlgb8J.bat	regsvcs.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000700000001ac2f-115.dat	themida
behavioral2/memory/4516-117-0x0000000140000000-0x000000014097B000-memory.dmp	themida
behavioral2/memory/4516-127-0x0000000140000000-0x000000014097B000-memory.dmp	themida

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000015451-5019.dat	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
4	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	api.myip.com
36	api.myip.com
39	ipinfo.io
40	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5044 set thread context of 2112	5044	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	78

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3544	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5732	3268	WerFault.exe	86

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4388	schtasks.exe
2952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2004	powershell.exe
2004	powershell.exe
2004	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2112	regsvcs.exe
Token: SeIncreaseQuotaPrivilege	2004	powershell.exe
Token: SeSecurityPrivilege	2004	powershell.exe
Token: SeTakeOwnershipPrivilege	2004	powershell.exe
Token: SeLoadDriverPrivilege	2004	powershell.exe
Token: SeSystemProfilePrivilege	2004	powershell.exe
Token: SeSystemtimePrivilege	2004	powershell.exe
Token: SeProfSingleProcessPrivilege	2004	powershell.exe
Token: SeIncBasePriorityPrivilege	2004	powershell.exe
Token: SeCreatePagefilePrivilege	2004	powershell.exe
Token: SeBackupPrivilege	2004	powershell.exe
Token: SeRestorePrivilege	2004	powershell.exe
Token: SeShutdownPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeSystemEnvironmentPrivilege	2004	powershell.exe
Token: SeRemoteShutdownPrivilege	2004	powershell.exe
Token: SeUndockPrivilege	2004	powershell.exe
Token: SeManageVolumePrivilege	2004	powershell.exe
Token: 33	2004	powershell.exe
Token: 34	2004	powershell.exe
Token: 35	2004	powershell.exe
Token: 36	2004	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 2004	5044	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76
PID 5044 wrote to memory of 2004	5044	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76
PID 5044 wrote to memory of 2112	5044	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	78
PID 5044 wrote to memory of 2112	5044	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	78
PID 5044 wrote to memory of 2112	5044	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	78
PID 5044 wrote to memory of 2112	5044	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	78
PID 5044 wrote to memory of 2112	5044	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	78
PID 5044 wrote to memory of 2112	5044	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	78
PID 5044 wrote to memory of 2112	5044	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	78
PID 5044 wrote to memory of 2112	5044	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	78

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe

C:\Users\Admin\AppData\Local\Temp\15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe
"C:\Users\Admin\AppData\Local\Temp\15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- - C:\Users\Admin\Pictures\7Wi5htZnIZoMlPeRgBD0QTZp.exe
    "C:\Users\Admin\Pictures\7Wi5htZnIZoMlPeRgBD0QTZp.exe"
    3⤵
    PID:808
  - - C:\Users\Admin\AppData\Local\Temp\umg.0.exe
      "C:\Users\Admin\AppData\Local\Temp\umg.0.exe"
      4⤵
      PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\umg.1.exe
      "C:\Users\Admin\AppData\Local\Temp\umg.1.exe"
      4⤵
      PID:3556
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        
        PID:892
- - C:\Users\Admin\Pictures\QGlpaNLn72RiHnz3qntJ6O2o.exe
    "C:\Users\Admin\Pictures\QGlpaNLn72RiHnz3qntJ6O2o.exe"
    3⤵
    PID:2808
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4932
  - - C:\Users\Admin\Pictures\QGlpaNLn72RiHnz3qntJ6O2o.exe
      "C:\Users\Admin\Pictures\QGlpaNLn72RiHnz3qntJ6O2o.exe"
      4⤵
      PID:5680
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2488
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:200
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3552
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1736
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:240
- - C:\Users\Admin\Pictures\bg1FFqCtle2NgMm4ZHCzUUAA.exe
    "C:\Users\Admin\Pictures\bg1FFqCtle2NgMm4ZHCzUUAA.exe"
    3⤵
    PID:428
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4412
  - - C:\Users\Admin\Pictures\bg1FFqCtle2NgMm4ZHCzUUAA.exe
      "C:\Users\Admin\Pictures\bg1FFqCtle2NgMm4ZHCzUUAA.exe"
      4⤵
      PID:5644
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5300
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:3296
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4988
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1252
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:408
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:5956
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4960
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:4388
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:5256
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5296
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2756
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:4632
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2952
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:3544
- - C:\Users\Admin\Pictures\vpHuuQOD333DnFVilziTkCEm.exe
    "C:\Users\Admin\Pictures\vpHuuQOD333DnFVilziTkCEm.exe"
    3⤵
    PID:656
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3560
  - - C:\Users\Admin\Pictures\vpHuuQOD333DnFVilziTkCEm.exe
      "C:\Users\Admin\Pictures\vpHuuQOD333DnFVilziTkCEm.exe"
      4⤵
      PID:5176
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5768
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:668
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:220
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5904
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5664
- - C:\Users\Admin\Pictures\atET57RemHSenmnrbdXQWbt0.exe
    "C:\Users\Admin\Pictures\atET57RemHSenmnrbdXQWbt0.exe"
    3⤵
    PID:3268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 492
      4⤵
      Program crash
      PID:5732
- - C:\Users\Admin\Pictures\SypxxQOrGxDNZQtfzC0rdLNX.exe
    "C:\Users\Admin\Pictures\SypxxQOrGxDNZQtfzC0rdLNX.exe"
    3⤵
    PID:4456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5828
  - - C:\Users\Admin\Pictures\SypxxQOrGxDNZQtfzC0rdLNX.exe
      "C:\Users\Admin\Pictures\SypxxQOrGxDNZQtfzC0rdLNX.exe"
      4⤵
      PID:5316
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1324
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1996
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2948
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:196
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4440
- - C:\Users\Admin\Pictures\0HqeRqO39Q7fYqQ7Ir8iJ8LM.exe
    "C:\Users\Admin\Pictures\0HqeRqO39Q7fYqQ7Ir8iJ8LM.exe"
    3⤵
    PID:4516

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1076

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
3bbf232faaffcf0094778122559a1228

SHA1
db3aaa900d7f7a5e50074768ca2eba63783966e7

SHA256
42ae66c9a2fa12e1c0aa23009b83c0a0543faebc0b48f3d2939df2e45fc0a1d0

SHA512
f42e293c22f0bac9b2fb5df0761f6fda2696cae42223a3d1abb1de026663434cacf06886fe2d985782c88a4ed46dad6a85da543a861abba12cf250b55c3692ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
1b005412a2475a5b7d95e6b31f75200b

SHA1
24e6924f8c6e906fe407d7ad475885ed2ad13130

SHA256
8cf72bf1865d97faf139826bec126e202063f906a364aa0ade5358a5801b17ef

SHA512
f662eca845a102d543ff2042b058bbf8bda6a6e649d53fb556d4132510c4dba32e4b4b71c5731a410a837100c1a435a6c6b54b6d2ca7447ff62eab7df9e46b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b4c6e6c1153a932bed6d3c27b49cb69a

SHA1
8e4e0d516c7c07c5e039f606133639527fe21b2b

SHA256
18480e5201d7f0ede5770260e56f84fda0c1aea6603443b9a9775b3a2c94a212

SHA512
5dabead19623a7d970367b764887eea676786f62dcada45fcd7a6b0de71bfc74b247701b3a491704d2d20688b40061fca81f84a4754762928d78a8c601719368

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_isxdlvcs.dpc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\umg.0.exe

Filesize
206KB

MD5
0917be53327ea132956255dcab650a82

SHA1
b60818917f645a8a9af3b530e3ae37c1f002be2f

SHA256
211c34660898480e0777c6ef6f61bf2111f6550e00b40cab859543d567dc455a

SHA512
a72acc24ba813d983bbf2ecab7929d0aab4e25637ae43e85b973a5105429bd15c061415fd855737620caaf81b456b2d6ba57f85566245efbe5f8b5db5560932a

Download Submit
C:\Users\Admin\AppData\Local\Temp\umg.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\Pictures\0HqeRqO39Q7fYqQ7Ir8iJ8LM.exe

Filesize
2.8MB

MD5
d41fd1ea6e0ca0032be2174317f60fd8

SHA1
60f001b9d201259aa333e9b202e4ab5648d16bf3

SHA256
3c56d175e67df7e1664bbedd95abee57cf93a7aceaf80374ede4ce1fc4a30990

SHA512
a4ce799f1ce9157d053dcb1694dcb127d98e994eb55cecb484ace1c192cf80a1fbfb7b8de94851a49e915cafebc568f70ce07b912e5901387ed90639c692c16e

Download Submit
C:\Users\Admin\Pictures\7Wi5htZnIZoMlPeRgBD0QTZp.exe

Filesize
384KB

MD5
f969256486cae8c6c357924481ec86ee

SHA1
95f91c8a6539700b4dd6077ba3a778c13bc72d4d

SHA256
d719fb243a6d2ad33a76aa78ee66f4763a36c78a2373a01de223fb5c27b722da

SHA512
106959ab072744ae5ce79cbc627040dbd32bb416407ca7d1f848ae49dbb609f900c0f34696fc5e30c5418d889b5c07b35d5a0f9b4f1be1e662621ba2c4491e16

Download Submit
C:\Users\Admin\Pictures\atET57RemHSenmnrbdXQWbt0.exe

Filesize
213KB

MD5
718455b384af2a8caa79eca4c64b7d78

SHA1
84993e856abe4c3c90a61f95f02252dfbe94b356

SHA256
1e418b3dae341f3196b5c3c23cb11eb071dbb82c77ebef9badfd74e3ddea1aac

SHA512
46f51aa5f2fa32f597bbc6e6d375d8d0b9baa2fae2ec68a76fdba63e0d831a514658aa26c137657b8ad1ec653b1f4f5c728b3a61a40f0ba3e0b67a381d02537f

Download Submit
C:\Users\Admin\Pictures\bg1FFqCtle2NgMm4ZHCzUUAA.exe

Filesize
4.1MB

MD5
0ed8d071deae90ff638cb070d0b9559d

SHA1
9b39b4703ccd78d9ca56bbf2f4c168d71a7bcfda

SHA256
691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99

SHA512
960a5a4e2b4f82bb7273cbab8bf622933c6e603cdc44b59b409c285b62c3a2c741bca7692ed77864520aa95c85a2f3fc31ddc9383caada588828d953346c2729

Download Submit
C:\Users\Admin\Pictures\gF3P10geIel59aNXuSWWOOYQ.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\vpHuuQOD333DnFVilziTkCEm.exe

Filesize
4.1MB

MD5
f6156b63d313f7247432a693de39daef

SHA1
bff890bf23551db49d04af57779630bea35356a9

SHA256
f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620

SHA512
54c61e755d5661da14ebfef93b9fa61d02f59fb43edc1310cf21c0780479bc54be973836286f0d5104a946e9d511e94162d38e2a5471f0f386b7b7e396e7f759

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
6aef8ffc13d602608743c86063255d3d

SHA1
c2677edeb87c494a46f365e331df96813e92abdf

SHA256
11257924a1ec24660d0a6841514a4b8cec317e537a2f3dd00957f496d30e8631

SHA512
6e4378f34aa2b3fc9d138d5a99544790c788fcd64c88be1ef39ad117ef830ffd8f424efbce5e8339ef326f63a5cfff493818ba54698cd700f411c54bd5730ff5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
351879b45757273dc4c04a22d6e000cf

SHA1
0ccad60a05590389aac22124e1cfd72e721ae530

SHA256
8feea6d23e87c31376a63af7eacc0bba4ccb0d3e5ca8fc36be1e6cf8eca7c4f8

SHA512
47a2a34a7978b26f79522760020a389888f73efda2654a87cb87d24091ab268798c29e86374d2befcaf7a1f8a157fd98e43f2f0907c59cbe66cd6de2b008d3ad

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
4fac48dcb8bc0c93dd47f7ac2d17a030

SHA1
7eee50246471a4beca559fd5b1f85794069a30b1

SHA256
5a6083cdec39276238affde82951b8cba8c2e6215763a0776f2941da89b769ac

SHA512
51eeaafc8b783d98ead2700ab0cfd56271ab0dba092004eca396a65abed057af5b33d1c503353b5acd410217eb3504ab2e8a354635fae6e745a09946e51aca22

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
9121514140b9a827ad5fef3cd786dd3b

SHA1
2bcc1a46b9686b379da517e8b2aa4c898a6c6670

SHA256
c14975245a7312246f512fbeb32d214f97f3b3f19b3ff2543faa35b3aaa6db72

SHA512
91609072f8b16bf80b7a3385eb8dccacb0403ff53588cacf3b92c696426af2fafce0aa9cf3e25d39a74384a3754500a4fbf408ff07ca16b75325dd75149dc212

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
5e0952bee444d516f177f789cc2fdffe

SHA1
9922b75119a17f7bc51a4e74ed7ee5ddecf28da2

SHA256
b671b78a824e356340bab51a6538d0b3a5161436c0e5b1700ec6f66d307bb937

SHA512
1e6e95b727f609424a727066f1d0ce08d19e206cad37f4cf5b137b51cc7dec8f29488f8a027b2ec5df8d1f805d4e3ec10496a7f759125f7f4998856d09131134

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
58ace2cbca4aabf105d150e00db6b742

SHA1
08aae5f6f9594eb55b9799896a159ef1c39c7ac5

SHA256
88f052d8dbf43e3836fce106990bb4a33b4ce5114d6544db0e81291900d69fca

SHA512
8eed90e1dfdb05570ac27721748714d8c9f6d26e01b0cfdb4f58ce10c5eb80e350f264e8f6af36456bf47408ca284506a76442ba968859747d935e96ab7489c1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
f1d071d644747fe48db276bd8a5b436d

SHA1
faae09068fba571efce0fba3f0211f2c81082181

SHA256
5f2caddb2e76b528fe5afe9c94788d35b19da6e5c47eb0200fd367183f7a889a

SHA512
27aab51e281afb33625d1eb901dba01d56d4021268d3dce00ae87b83f2969c026903ca062043f9521ac60c7592f9d2894c6fb0cf81e295a2a1158a6bfce66e1b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
10835f907128dad8b3d6adc2c3cfdfbc

SHA1
6433df48ab7b2e7935c60d2a0c33fc94ed7a5693

SHA256
7f255b13ff643db0d2fff03804788cc2bd657b45a2bb28f1989c710e30cf41c7

SHA512
bd1ccdcae54df71f02187564eef0717df5ba1e31cb0131ecad5d86e52717ee67f134fd9df615d07f6d030e0da24984e3bba62deda3a9c2d29fb8586b1c4efef0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
95fee03846396c4093274952faca7470

SHA1
8edbb59c1545bed21536473095e7b514177c10a3

SHA256
3381477ba5941a1a8f25672c029c24dcd642cb76e0790d329839e0d2a633497a

SHA512
186249f446e525fda4fbcedb8b3e2d9ae1dc751dd3e28af9ce3b0a2cdbc96868140effd5d6184f86c7466728932aa967805db1c9f8585f01a2eb8fcb04760585

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/196-3830-0x000000006EE80000-0x000000006F1D0000-memory.dmp

Filesize
3.3MB

Download
memory/196-3807-0x000000006EE30000-0x000000006EE7B000-memory.dmp

Filesize
300KB

Download
memory/240-2427-0x000000006EE00000-0x000000006F150000-memory.dmp

Filesize
3.3MB

Download
memory/240-2426-0x000000006FBB0000-0x000000006FBFB000-memory.dmp

Filesize
300KB

Download
memory/408-2416-0x000000006FBB0000-0x000000006FBFB000-memory.dmp

Filesize
300KB

Download
memory/408-2417-0x000000006EE00000-0x000000006F150000-memory.dmp

Filesize
3.3MB

Download
memory/428-1052-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/656-1195-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/656-1059-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/808-141-0x0000000000400000-0x0000000002B1E000-memory.dmp

Filesize
39.1MB

Download
memory/892-188-0x0000022D6D9B0000-0x0000022D6D9DA000-memory.dmp

Filesize
168KB

Download
memory/892-180-0x0000022D4FAC0000-0x0000022D532F4000-memory.dmp

Filesize
56.2MB

Download
memory/892-190-0x0000022D6DF70000-0x0000022D6DFC0000-memory.dmp

Filesize
320KB

Download
memory/892-191-0x0000022D53910000-0x0000022D5391A000-memory.dmp

Filesize
40KB

Download
memory/892-195-0x0000022D6E300000-0x0000022D6E600000-memory.dmp

Filesize
3.0MB

Download
memory/892-197-0x0000022D72440000-0x0000022D72448000-memory.dmp

Filesize
32KB

Download
memory/892-198-0x0000022D732D0000-0x0000022D73308000-memory.dmp

Filesize
224KB

Download
memory/892-199-0x0000022D724A0000-0x0000022D724A8000-memory.dmp

Filesize
32KB

Download
memory/892-201-0x0000022D735F0000-0x0000022D73652000-memory.dmp

Filesize
392KB

Download
memory/892-202-0x0000022D73650000-0x0000022D73672000-memory.dmp

Filesize
136KB

Download
memory/892-200-0x0000022D735D0000-0x0000022D735DA000-memory.dmp

Filesize
40KB

Download
memory/892-203-0x0000022D73BA0000-0x0000022D740C6000-memory.dmp

Filesize
5.1MB

Download
memory/892-206-0x0000022D735E0000-0x0000022D735EC000-memory.dmp

Filesize
48KB

Download
memory/892-207-0x0000022D73690000-0x0000022D736AE000-memory.dmp

Filesize
120KB

Download
memory/892-182-0x0000022D55050000-0x0000022D55060000-memory.dmp

Filesize
64KB

Download
memory/892-183-0x0000022D55070000-0x0000022D5507C000-memory.dmp

Filesize
48KB

Download
memory/892-184-0x0000022D55060000-0x0000022D55074000-memory.dmp

Filesize
80KB

Download
memory/892-185-0x0000022D550E0000-0x0000022D55104000-memory.dmp

Filesize
144KB

Download
memory/892-189-0x0000022D6DA70000-0x0000022D6DB22000-memory.dmp

Filesize
712KB

Download
memory/892-181-0x0000022D6DD30000-0x0000022D6DE3A000-memory.dmp

Filesize
1.0MB

Download
memory/892-187-0x0000022D53900000-0x0000022D5390A000-memory.dmp

Filesize
40KB

Download
memory/1252-1938-0x000000006FBB0000-0x000000006FBFB000-memory.dmp

Filesize
300KB

Download
memory/1252-1939-0x000000006EE00000-0x000000006F150000-memory.dmp

Filesize
3.3MB

Download
memory/1324-3151-0x000000006EE80000-0x000000006F1D0000-memory.dmp

Filesize
3.3MB

Download
memory/1324-3148-0x000000006EE30000-0x000000006EE7B000-memory.dmp

Filesize
300KB

Download
memory/1736-2015-0x000000006EE00000-0x000000006F150000-memory.dmp

Filesize
3.3MB

Download
memory/1736-2014-0x000000006FBB0000-0x000000006FBFB000-memory.dmp

Filesize
300KB

Download
memory/2004-16-0x00007FFCAE010000-0x00007FFCAE9FC000-memory.dmp

Filesize
9.9MB

Download
memory/2004-15-0x000002A8669C0000-0x000002A866A36000-memory.dmp

Filesize
472KB

Download
memory/2004-13-0x00007FFCAE010000-0x00007FFCAE9FC000-memory.dmp

Filesize
9.9MB

Download
memory/2004-10-0x00007FFCAE010000-0x00007FFCAE9FC000-memory.dmp

Filesize
9.9MB

Download
memory/2004-11-0x000002A8667F0000-0x000002A866812000-memory.dmp

Filesize
136KB

Download
memory/2004-58-0x00007FFCAE010000-0x00007FFCAE9FC000-memory.dmp

Filesize
9.9MB

Download
memory/2112-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-17-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

Filesize
4KB

Download
memory/2112-126-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

Filesize
4KB

Download
memory/2488-1474-0x000000006EE00000-0x000000006F150000-memory.dmp

Filesize
3.3MB

Download
memory/2488-1473-0x000000006FBB0000-0x000000006FBFB000-memory.dmp

Filesize
300KB

Download
memory/2808-1057-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/3268-1340-0x0000000000400000-0x0000000002AF2000-memory.dmp

Filesize
38.9MB

Download
memory/3556-179-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3556-166-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3560-223-0x00000000086E0000-0x000000000872B000-memory.dmp

Filesize
300KB

Download
memory/3560-221-0x0000000007FC0000-0x0000000008310000-memory.dmp

Filesize
3.3MB

Download
memory/3560-222-0x0000000008580000-0x000000000859C000-memory.dmp

Filesize
112KB

Download
memory/3560-388-0x000000006F730000-0x000000006F77B000-memory.dmp

Filesize
300KB

Download
memory/3560-391-0x000000006F780000-0x000000006FAD0000-memory.dmp

Filesize
3.3MB

Download
memory/3560-262-0x0000000008AF0000-0x0000000008B2C000-memory.dmp

Filesize
240KB

Download
memory/4412-220-0x00000000071A0000-0x0000000007206000-memory.dmp

Filesize
408KB

Download
memory/4412-218-0x0000000006A00000-0x0000000006A22000-memory.dmp

Filesize
136KB

Download
memory/4412-212-0x0000000006420000-0x0000000006456000-memory.dmp

Filesize
216KB

Download
memory/4412-999-0x00000000099B0000-0x00000000099B8000-memory.dmp

Filesize
32KB

Download
memory/4412-978-0x00000000099E0000-0x00000000099FA000-memory.dmp

Filesize
104KB

Download
memory/4412-409-0x0000000009A80000-0x0000000009B14000-memory.dmp

Filesize
592KB

Download
memory/4412-386-0x0000000009820000-0x0000000009853000-memory.dmp

Filesize
204KB

Download
memory/4412-387-0x000000006F730000-0x000000006F77B000-memory.dmp

Filesize
300KB

Download
memory/4412-392-0x000000006F780000-0x000000006FAD0000-memory.dmp

Filesize
3.3MB

Download
memory/4412-213-0x0000000006A90000-0x00000000070B8000-memory.dmp

Filesize
6.2MB

Download
memory/4412-402-0x0000000009860000-0x0000000009905000-memory.dmp

Filesize
660KB

Download
memory/4412-393-0x0000000009800000-0x000000000981E000-memory.dmp

Filesize
120KB

Download
memory/4412-343-0x0000000008A10000-0x0000000008A86000-memory.dmp

Filesize
472KB

Download
memory/4412-219-0x0000000007130000-0x0000000007196000-memory.dmp

Filesize
408KB

Download
memory/4440-4083-0x000000006EE30000-0x000000006EE7B000-memory.dmp

Filesize
300KB

Download
memory/4440-4084-0x000000006EE80000-0x000000006F1D0000-memory.dmp

Filesize
3.3MB

Download
memory/4456-1343-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/4508-1387-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/4508-1353-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4508-1421-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/4516-127-0x0000000140000000-0x000000014097B000-memory.dmp

Filesize
9.5MB

Download
memory/4516-117-0x0000000140000000-0x000000014097B000-memory.dmp

Filesize
9.5MB

Download
memory/4932-403-0x000000006F730000-0x000000006F77B000-memory.dmp

Filesize
300KB

Download
memory/4932-404-0x000000006F780000-0x000000006FAD0000-memory.dmp

Filesize
3.3MB

Download
memory/4960-4322-0x000000006EE80000-0x000000006F1D0000-memory.dmp

Filesize
3.3MB

Download
memory/4960-4321-0x000000006EE30000-0x000000006EE7B000-memory.dmp

Filesize
300KB

Download
memory/5044-2-0x000001F117590000-0x000001F1175A0000-memory.dmp

Filesize
64KB

Download
memory/5044-116-0x00007FFCAE013000-0x00007FFCAE014000-memory.dmp

Filesize
4KB

Download
memory/5044-1-0x00007FFCAE013000-0x00007FFCAE014000-memory.dmp

Filesize
4KB

Download
memory/5044-125-0x00007FFCAE010000-0x00007FFCAE9FC000-memory.dmp

Filesize
9.9MB

Download
memory/5044-0-0x000001F1158C0000-0x000001F1158D0000-memory.dmp

Filesize
64KB

Download
memory/5044-3-0x000001F117600000-0x000001F11765E000-memory.dmp

Filesize
376KB

Download
memory/5044-4-0x00007FFCAE010000-0x00007FFCAE9FC000-memory.dmp

Filesize
9.9MB

Download
memory/5176-2897-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5176-3919-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5300-1472-0x0000000009520000-0x00000000095C5000-memory.dmp

Filesize
660KB

Download
memory/5300-1467-0x000000006EE00000-0x000000006F150000-memory.dmp

Filesize
3.3MB

Download
memory/5300-1429-0x0000000008530000-0x000000000857B000-memory.dmp

Filesize
300KB

Download
memory/5300-1464-0x000000006FBB0000-0x000000006FBFB000-memory.dmp

Filesize
300KB

Download
memory/5300-1428-0x0000000007A40000-0x0000000007D90000-memory.dmp

Filesize
3.3MB

Download
memory/5316-4297-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5316-3587-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5644-2855-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5644-2625-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5664-3612-0x000000006EE80000-0x000000006F1D0000-memory.dmp

Filesize
3.3MB

Download
memory/5664-3609-0x000000006EE30000-0x000000006EE7B000-memory.dmp

Filesize
300KB

Download
memory/5680-2626-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5680-2866-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5768-2869-0x0000000007680000-0x00000000079D0000-memory.dmp

Filesize
3.3MB

Download
memory/5768-2871-0x0000000007FE0000-0x000000000802B000-memory.dmp

Filesize
300KB

Download
memory/5768-2896-0x0000000009180000-0x0000000009225000-memory.dmp

Filesize
660KB

Download
memory/5768-2890-0x000000006EE30000-0x000000006EE7B000-memory.dmp

Filesize
300KB

Download
memory/5768-2891-0x000000006EE80000-0x000000006F1D0000-memory.dmp

Filesize
3.3MB

Download
memory/5828-1125-0x000000000A780000-0x000000000A825000-memory.dmp

Filesize
660KB

Download
memory/5828-1120-0x000000006EE50000-0x000000006F1A0000-memory.dmp

Filesize
3.3MB

Download
memory/5828-1119-0x000000006EE00000-0x000000006EE4B000-memory.dmp

Filesize
300KB

Download
memory/5828-1062-0x0000000008160000-0x00000000084B0000-memory.dmp

Filesize
3.3MB

Download
memory/5828-1064-0x0000000008D20000-0x0000000008D6B000-memory.dmp

Filesize
300KB

Download
memory/5904-3158-0x000000006EE30000-0x000000006EE7B000-memory.dmp

Filesize
300KB

Download
memory/5904-3159-0x000000006EE80000-0x000000006F1D0000-memory.dmp

Filesize
3.3MB

Download
memory/5956-4395-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5956-5013-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5956-5025-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download