agenttesla | hxxps://bazaar[.]abuse[.]ch/sample/405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84/

Analysis

max time kernel
213s
max time network
214s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07/10/2024, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/sample/405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84/

Score

10^/10

agenttesla discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
162.254.34.31
Port:
587
Username:
[email protected]
Password:
ABwuRZS5Mjh5
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 3124 created 3152	3124	405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe	52
PID 7940 created 3152	7940	tmpACE5.tmp.exe	52

Executes dropped EXE 5 IoCs

pid	Process
3124	405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
7692	docdd.exe
7728	405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
7940	tmpACE5.tmp.exe
7932	tmpACE5.tmp.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\ioibrzb = "C:\\Users\\Admin\\AppData\\Roaming\\ioibrzb.exe"	405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\ioibrzb = "C:\\Users\\Admin\\AppData\\Roaming\\ioibrzb.exe"	tmpACE5.tmp.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
21	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3124 set thread context of 7728	3124	405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe	99
PID 7940 set thread context of 7932	7940	tmpACE5.tmp.exe	101

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	docdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACE5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACE5.tmp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.zip:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
7932	tmpACE5.tmp.exe
6872	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3524	chrome.exe
3524	chrome.exe
3124	405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
7728	405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
7728	405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
7940	tmpACE5.tmp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe
Token: SeShutdownPrivilege	3524	chrome.exe
Token: SeCreatePagefilePrivilege	3524	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
5016	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
6872	EXCEL.EXE
6872	EXCEL.EXE
6872	EXCEL.EXE
6872	EXCEL.EXE
6872	EXCEL.EXE
6872	EXCEL.EXE
6872	EXCEL.EXE
6872	EXCEL.EXE
6872	EXCEL.EXE
6872	EXCEL.EXE
6872	EXCEL.EXE
6872	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 2088	3524	chrome.exe	79
PID 3524 wrote to memory of 2088	3524	chrome.exe	79
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 5032	3524	chrome.exe	80
PID 3524 wrote to memory of 2532	3524	chrome.exe	81
PID 3524 wrote to memory of 2532	3524	chrome.exe	81
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82
PID 3524 wrote to memory of 2688	3524	chrome.exe	82

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/sample/405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84/
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83b28cc40,0x7ff83b28cc4c,0x7ff83b28cc58
    3⤵
    PID:2088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1708,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1704 /prefetch:2
    3⤵
    PID:5032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2084 /prefetch:3
    3⤵
    PID:2532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2160,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2336 /prefetch:8
    3⤵
    PID:2688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
    3⤵
    PID:2568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4416 /prefetch:1
    3⤵
    PID:1692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:8
    3⤵
    PID:960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4336,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:8
    3⤵
    - NTFS ADS
    PID:224
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap16818:190:7zEvent13525
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:5016
- C:\Users\Admin\Downloads\405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
  "C:\Users\Admin\Downloads\405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- - C:\Users\Admin\AppData\Local\Temp\docdd.exe
    "C:\Users\Admin\AppData\Local\Temp\docdd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7692
  - - C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:7940
- C:\Users\Admin\Downloads\405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
  "C:\Users\Admin\Downloads\405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:7728
- C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  PID:7932
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\RegisterTest.xlsx"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:6872

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
22KB

MD5
3b5537dce96f57098998e410b0202920

SHA1
7732b57e4e3bbc122d63f67078efa7cf5f975448

SHA256
a1c54426705d6cef00e0ae98f5ad1615735a31a4e200c3a5835b44266a4a3f88

SHA512
c038c334db3a467a710c624704eb5884fd40314cd57bd2fd154806a59c0be954c414727628d50e41cdfd86f5334ceefcf1363d641b2681c1137651cbbb4fd55d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
98KB

MD5
24cb2ec6cfa9fbe60bfbe091b9f560bd

SHA1
82b151d5cde170d1d55c5d5ad12ea36fbe949f62

SHA256
9c028b9742d2382dd5f4cd980a382bbd7cea418df9a252d7b3634b0d58c6055f

SHA512
be3457a3135ee62c71b40796a2e3e23e295145428a6d63b0728d216fc5edcc971912ebb590ca4168a144eac8fc30afb99065e8074255162d61b97d4a738e36e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
1ebca178ff5aa651d5e655068d05640e

SHA1
84663ef1d1abe70f2f4722cc2a828a5a5bc66f82

SHA256
c45ff1b7800bf2dce6899a9c3cfe4eac7a29fb9b55018cb1f7a3f7a2f7fa43a3

SHA512
2c8373db6bb64d93f376f987916eb4cae61ab3d1748cdec13894d6c1710345d63b90675d642742b3f1b79794f1459eb460f6bfdbd21e3d62e8320d0959775004

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
fcb0d72e71790418c85d1813016d25b3

SHA1
a580321d2f94ee89288b3a45a99d85f1c606c1c8

SHA256
be790e545d507ac2c4b14b1005f7ce44492371fd7bfa74496c6c8523be0d0bc1

SHA512
da1705471465d5a6f7ea755028258a9fd95fff23b64205b747df634956c41d4f589addc566c7198dff4ae111240e6239c73aa7de87c02af081158367747c5df1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
1548da01cbbda1834eedd8ff25b6d977

SHA1
f75516549ace62f78ceed1dcacd5b9fa42e68628

SHA256
931026131bc7b6be53c5ea38a34ea256fab083a7d0378911f29cca3c17c8129d

SHA512
7d616e6e16a9c7f189c0ab106d071f3a94bbb220b8954cfc564d1fc6e030437f4e41d7e69bab4fc54f8d42324796f34d431a966053a92a7c472b6cc805e7d75c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
361ec9b9773e003cc052a29289edf9ec

SHA1
96820eeac101f789605695f69f6a8a3fd312eae1

SHA256
a7bebab1fbb5ce38e49927ae4dd7747069f4cde8a94718db872bbb5f650f8a3a

SHA512
018dca395c2ea4c0c47f1b1ff476e0546e28767d5c952c8121a844d7a122595b87c0ab8194b94447ad8332377db351535b20c5b893c9620455c1b7835785abc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
c451b4e00e95cbf2d0b5305a5683468e

SHA1
9ce89feeadb1821929befabb4b15f55cae54c379

SHA256
64a843894a343ab1e4fb2ee0fb3aba9d3b3fe89bc865eff66928f3cc5814fec6

SHA512
b5ae9a0276970ec504fe197be490a24772967029be0c45d73a1eece6825c24c8ab40dfe5dd4deb2b9ed3e44f3e7d6f00cf09da7dec7cc2782136b45804b48eda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
786e17b18b82054efe71f27b514c79d4

SHA1
9f392e2d5096a87af918a253bccc4c408384dcd6

SHA256
6b73cf1c3911bb4df87cdc2426ba04958dc21a13cd372cb90e4c07db244a6436

SHA512
2da34d108e34f117ed4931554980b042868407eb543ca146074e28710361f74f489ee369ea2a6e8f254080c8ba3da63a6c4ef9a41aafd31105cfe32691393d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a68143effce350f9ac5a605c615a84a7

SHA1
b96c81ce2e4a45da52fd3ee35fda1ad0d91204f0

SHA256
e14a47b23cb294eb1186251ecf00f43d8875e0f676cf3fc68d22c8e4f44d40f1

SHA512
de069e38d0a20e2e759136136968f6b00f31874c085c8ef0a1b061cc3952996bd710afbb8e01f17d4b87c7b825ca0ca02b6e0f12bf0e4d4949e039c7eec7a911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ac9371e3bade1900b372e1f5cec046db

SHA1
f955e8840f84c867c8fa71ee3aaff2377f9714e5

SHA256
07979eeb713d573829d2e664d7a6e65673ad35f2190f5cb9c0e4e44534870c14

SHA512
e71b3ef7dcece212905e9889c88b208672a46c5c4fe1d0bf772efb0cd112e9fdb9e1659d443a3ee77dd94dea62dcb27323599570f1b99b7f2afbf8ab076e2d89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
550e446528770f71bfa27375e7c871ec

SHA1
60f96ee983d7e9c95979dcc2f0653cebda5dc5fa

SHA256
9d355a30016c254c73c2d49706320c44cc2543f5475b5d7a79cedf05718521db

SHA512
e79716d8ceddc89a89c22dbf6ad5277402dd5a28630e74aa415ea756aa1550ad449c27e3a5dc6aefee30e40788543470770ffc904c03b1a2c2b7b0deb5b96e29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
390eb9e06d452f0bc1f8088111c882e5

SHA1
b706b75d7114d6ee3a0ab9f565824e5942d89b2f

SHA256
5b281af049d096a28f8392db9c404298d286a36a3b17a40e4195937d8a18203a

SHA512
5eb14b0fc47596ce2796e42d9825658fafb45e85e4a42351d07ee2e463a387ec493dc62dfacd35fd7ac0ac95b392da630e03275aca7d783941ca67187beddeeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
f3abe590f7d47b130a0393e90ee1caf7

SHA1
fe94c5dedbda2dd4169c78e7672b3a6ee4df0389

SHA256
6becfc92aa56188c5a42c931cde41e7814ce0adf04076f62c87c53f3107c3afd

SHA512
459498d09e819a3dd2fc5654a7e76c4f765661363b24f57ad59f1f25087eba2394cd39c5677a334d1b8eae6b90d87a15d092cac690a54f12c5a868269c9b3324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
33486cb84db746010497a55b104ea0b7

SHA1
b78219063213330f56d521dfdda61503d708954e

SHA256
bfc7ecb1cbbb40f42e9325ea629b9ad219ec7540f7ea9cabce61d5510a2131b8

SHA512
a97f6cb24f57f8da7c32fa23b8137cd050c6b43c3dc5f34cc5132fc7ad1811e15b6cba55926cfcb9c3451be4228be4fe58cc3aa6eb6f9cec46e2e01cb9edb5b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
776359edef4d33edcf7d4b03f3c8b462

SHA1
2d4aa0dc40f61be833aaa14de208ea54dd0d569a

SHA256
fbb6650efbae901c88b94493388de4f0e749bd0988f0670b38262db030b00624

SHA512
d1a6df90cc17572d4c168cc4512211c63d190c44a3f83e6bd0b66b37e91a1d5a4cf641dc70abdb1925cf224fba0a98589682c763f9d1b361a6cb645d04a23a65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
39a43d835e9dc208164ff36f4d9a77f7

SHA1
c2f760f1d3f05893ccb2f9e54d2264b24a95ff2f

SHA256
d6640e8fc7036df209e51b89bd2749b4244110b8cf1ffcd8e4b57421087acb95

SHA512
de68264fc3ffdd392877d22b04c9c6279378d213a1e3bae6a5c155f873a0a543dc2fb1d87606a39819c0f98c13ec5bf575457813bf5b411a5db21b42ae323ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\docdd.exe

Filesize
45KB

MD5
dbd0e17845da07384d942b76268cf5b7

SHA1
c1fca3c8ab7e6d60fe3703a4ee52bbac1d61e6ad

SHA256
4a9a9156581680f9b5082c685a656994a2248ff274900710014ca9c3c7868db8

SHA512
f7697d93690f3bd673501401b4286cf4794b39563e5d1707af5bd407e2acb2cba8f3331e0df9091f0cc4895155ac9be9aa89668f92b33a9319ea25551b876f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe

Filesize
2.4MB

MD5
1590a3efb4a143305e7182fbd284a414

SHA1
4b1910fc583442a94a7a246c5424354991e22f13

SHA256
b11ec3f1e913b4c0caeaf24b194998e7702da6c0b30afc8a147df52b26fd829f

SHA512
6b34bb151902e7c0a9ac349d16be5ebe23c4574fd1b4131d63691ab7b8771beccf2044db85b5714fc90da15fb0c4029313a174497fc85652e1e6a4c084f010f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
260B

MD5
ed15d1050df681bd56dd5768ef558577

SHA1
ebb70fd13f4392bc2a7a717154f22dcf21262d8c

SHA256
ee181ffec2811e66f18e2697a1564b2d5390f8586664cc35da79d41224e117b9

SHA512
d961063cdfe91feade4a563425e3630a9c1173a8ff50ca01418f9e8866abc82a4b17d87473c507f83324be0ff2b710ccd30b673121b2e3e4b0cb6509b33d3c41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
0c0837db088a872500e0b6172cdf996b

SHA1
8fe9e3dde3e656adf39211380f434d550047b807

SHA256
6b494dd2d770ea339fe2cf966b4f22aae9af9e11ab796bae936d81a9ed52de57

SHA512
8c3a7407e4ff9f59d89aec11d58a85d575dcbd661c1bae780a0cb072668a262a7e1b8979cb5610d40364b0d838bc79014d9f996ce077097495f03269379e15dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
e6c7fb4bc6cb9cc16c2f7911a258d78f

SHA1
e3889adc9adbf36bb79cf0f046a1d61ad03fe1a2

SHA256
21e475282b30ee717fcac74505f9374eaa3dc299ac724b86e818d6103760131f

SHA512
eee559c653987c3f29127034182446ee218baf0b80ecfb55dd994c208095f97a6c7289693de9cad003fc198d7f627190a6ff8c8024a1b57848f833d07c359bd0

Download Submit
C:\Users\Admin\Downloads\405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe

Filesize
1.8MB

MD5
3b2e54913c8b29ce886c8b36f8dd0cfc

SHA1
ff514c4f55dc70f5d1914fcf7118f24fd636e8a2

SHA256
405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84

SHA512
c872c307a060c3ec9b026d24f159447d74de06a5e2e73f5729c9360c5f20b0dc1afe17c870793309f4bddd6c1ec52ce68a1dca9c0b102d089ab48a6db7071c81

Download Submit
C:\Users\Admin\Downloads\405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.zip

Filesize
1.4MB

MD5
eaf6dee7b4c85cc6fe02a0164ae9abc8

SHA1
65955d78cb5fbaa4a7054d7b7b8387be6faa8d67

SHA256
8ddb3d269659b497ebd1fd7daa907fcb49f25b8f135dbff6ad6b7d549692f134

SHA512
ceebaf44fbfd31266b02b3016743226e074eb7bf1f86ae3d15ba71aeeb23a7e6d95bfb960d1fb2aae869850daf2cacaf8f3902eb7c2c95ef2676054b2f20d14b

Download Submit
C:\Users\Admin\Downloads\405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.zip:Zone.Identifier

Filesize
202B

MD5
e7c1703fe10e842accecfbf58de98d2d

SHA1
57cfc8214a24114810e644fb88d4c668562bd046

SHA256
3d7bd3cdf522890b26085b9ede08f92785c8412af3dc140b12bd40edf278189f

SHA512
9687fcd81d8ebf224e17bb75c94a238829b305c66591bc5179bb4934edb4a6037f74035f414ef30cdccf6efe8605122255d03518abae78172b52c2b49af725a4

Download Submit
memory/3124-327-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-299-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-1351-0x0000000005F10000-0x0000000005F5C000-memory.dmp

Filesize
304KB

Download
memory/3124-1350-0x0000000005E60000-0x0000000005ED2000-memory.dmp

Filesize
456KB

Download
memory/3124-339-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-272-0x000000007514E000-0x000000007514F000-memory.dmp

Filesize
4KB

Download
memory/3124-273-0x0000000000E50000-0x0000000001024000-memory.dmp

Filesize
1.8MB

Download
memory/3124-1367-0x00000000060D0000-0x0000000006124000-memory.dmp

Filesize
336KB

Download
memory/3124-274-0x00000000059E0000-0x0000000005B0C000-memory.dmp

Filesize
1.2MB

Download
memory/3124-275-0x0000000005D10000-0x0000000005E08000-memory.dmp

Filesize
992KB

Download
memory/3124-1366-0x0000000007110000-0x00000000076B6000-memory.dmp

Filesize
5.6MB

Download
memory/3124-335-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-333-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-289-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-325-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-323-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-321-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-319-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-317-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-315-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-313-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-311-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-309-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-307-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-305-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-303-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-301-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-337-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-287-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-285-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-283-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-281-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-279-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-331-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-330-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-277-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-297-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-295-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-293-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-291-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/3124-276-0x0000000005D10000-0x0000000005E02000-memory.dmp

Filesize
968KB

Download
memory/7692-1369-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/7692-1370-0x0000000005920000-0x0000000005926000-memory.dmp

Filesize
24KB

Download
memory/7728-3327-0x0000000006C30000-0x0000000006C80000-memory.dmp

Filesize
320KB

Download
memory/7728-1373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/7728-3329-0x0000000006C90000-0x0000000006C9A000-memory.dmp

Filesize
40KB

Download
memory/7728-3328-0x0000000006D20000-0x0000000006DB2000-memory.dmp

Filesize
584KB

Download
memory/7728-1374-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/7932-2473-0x0000000004D40000-0x0000000004E06000-memory.dmp

Filesize
792KB

Download
memory/7932-3326-0x0000000004F00000-0x0000000004F56000-memory.dmp

Filesize
344KB

Download
memory/7932-2472-0x00000000007B0000-0x0000000000864000-memory.dmp

Filesize
720KB

Download
memory/7940-2464-0x0000000005680000-0x000000000577C000-memory.dmp

Filesize
1008KB

Download
memory/7940-1389-0x0000000005400000-0x0000000005582000-memory.dmp

Filesize
1.5MB

Download
memory/7940-1388-0x00000000050D0000-0x0000000005286000-memory.dmp

Filesize
1.7MB

Download
memory/7940-1386-0x0000000000560000-0x00000000007C0000-memory.dmp

Filesize
2.4MB

Download