stormkitty | cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6

Analysis

max time kernel
110s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Size

1.6MB
MD5

3420f30a64bec629d676254a475823f0
SHA1

26722aa62e36e90daee1f1ef2f8b754584aba419
SHA256

cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6
SHA512

4b167f5e5bccbfdf7b708dbd3545c4d52d8b751a0658a0232be114a355ab52e33d426708d9098dd85c1393188ea3e241fd01b6cae71a32e65f8821bb26ce88ef
SSDEEP

49152:KAXCw7uq6e14Y18bVeKTAknS/G/ZT9JlPebr/Imnf4bacz:KAyJqL5ceKpuULlMr/Fn7O

Score

10^/10

stormkitty collection discovery persistence spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 12 IoCs

resource	yara_rule
behavioral2/memory/1896-9-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/1896-8-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/1896-11-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/1896-12-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/files/0x0008000000023ccb-19.dat	family_stormkitty
behavioral2/memory/868-95-0x0000000000F70000-0x0000000000FC6000-memory.dmp	family_stormkitty
behavioral2/memory/1896-144-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/2768-173-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/2768-397-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/2768-398-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/2768-578-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/2768-838-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 4 IoCs

pid	Process
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
4492	Synaptics.exe
2768	Synaptics.exe
2892	._cache_Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Downloads\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\ProgramData\GYHASOLS\FileGrabber\Desktop\desktop.ini	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
File created	C:\ProgramData\GYHASOLS\FileGrabber\Documents\desktop.ini	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
File created	C:\ProgramData\GYHASOLS\FileGrabber\Downloads\desktop.ini	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
File created	C:\ProgramData\GYHASOLS\FileGrabber\Pictures\desktop.ini	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
File created	C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Desktop\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Documents\desktop.ini	._cache_Synaptics.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	freegeoip.app
26	freegeoip.app
75	api.ipify.org
76	api.ipify.org
77	api.ipify.org
79	ip-api.com
13	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 1896	2308	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	87
PID 4492 set thread context of 2768	4492	Synaptics.exe	90

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3856	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe
2892	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Token: SeDebugPrivilege	2892	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3856	EXCEL.EXE
3856	EXCEL.EXE
3856	EXCEL.EXE
3856	EXCEL.EXE
3856	EXCEL.EXE
3856	EXCEL.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1896	2308	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	87
PID 2308 wrote to memory of 1896	2308	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	87
PID 2308 wrote to memory of 1896	2308	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	87
PID 2308 wrote to memory of 1896	2308	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	87
PID 2308 wrote to memory of 1896	2308	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	87
PID 2308 wrote to memory of 1896	2308	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	87
PID 2308 wrote to memory of 1896	2308	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	87
PID 2308 wrote to memory of 1896	2308	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	87
PID 2308 wrote to memory of 1896	2308	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	87
PID 2308 wrote to memory of 1896	2308	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	87
PID 2308 wrote to memory of 1896	2308	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	87
PID 1896 wrote to memory of 868	1896	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	88
PID 1896 wrote to memory of 868	1896	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	88
PID 1896 wrote to memory of 868	1896	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	88
PID 1896 wrote to memory of 4492	1896	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	89
PID 1896 wrote to memory of 4492	1896	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	89
PID 1896 wrote to memory of 4492	1896	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	89
PID 4492 wrote to memory of 2768	4492	Synaptics.exe	90
PID 4492 wrote to memory of 2768	4492	Synaptics.exe	90
PID 4492 wrote to memory of 2768	4492	Synaptics.exe	90
PID 4492 wrote to memory of 2768	4492	Synaptics.exe	90
PID 4492 wrote to memory of 2768	4492	Synaptics.exe	90
PID 4492 wrote to memory of 2768	4492	Synaptics.exe	90
PID 4492 wrote to memory of 2768	4492	Synaptics.exe	90
PID 4492 wrote to memory of 2768	4492	Synaptics.exe	90
PID 4492 wrote to memory of 2768	4492	Synaptics.exe	90
PID 4492 wrote to memory of 2768	4492	Synaptics.exe	90
PID 4492 wrote to memory of 2768	4492	Synaptics.exe	90
PID 2768 wrote to memory of 2892	2768	Synaptics.exe	91
PID 2768 wrote to memory of 2892	2768	Synaptics.exe	91
PID 2768 wrote to memory of 2892	2768	Synaptics.exe	91

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
"C:\Users\Admin\AppData\Local\Temp\cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
  "C:\Users\Admin\AppData\Local\Temp\cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2892

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GYHASOLS\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\GYHASOLS\FileGrabber\Desktop\MeasureUnblock.sql

Filesize
479KB

MD5
1d29cb2f1723631fe91f4d91f519d9e8

SHA1
57a3f9a830fe3289b75a5e97fc59782717781d41

SHA256
96dcc9ebd7646298aba11c316dadab19596ddf20316f32e93b0b61f021fe49e2

SHA512
fa69e5fdc5a52be1539841d356bbb2c4879e525219e1a6416b97aa5ec147bb0861d7b469b38e06764ebdd2289b511fd0a4c30f142c317dbeb965de2cc7768ef1

Download Submit
C:\ProgramData\GYHASOLS\FileGrabber\Desktop\SuspendConfirm.css

Filesize
231KB

MD5
633b7b3d103f7c6db86dfb5005823578

SHA1
75aa3b1a98d7e9d1eb581cdcba5fbae35e7e187f

SHA256
cbfba9a3ca1fdc248328388ccd27a09c6aea26991574738ff80ce4dccdcf0505

SHA512
006b84cb8557f1b3d19cc25b0e37ba7f9fde1b57369c64dc040062acdb049046d8823dba1722b0a4dbd77f8e194a9df944fd809eabef2f5ba4bd6feb15fe111b

Download Submit
C:\ProgramData\GYHASOLS\FileGrabber\Documents\FindUndo.doc

Filesize
379KB

MD5
17e1fa66a86354e4c72089eea4f43856

SHA1
5d276e257d7edccc8a2474b97b6fd9c1d1931214

SHA256
d06f99cb657391d05541a3df56397eb9aac070d5c7643f9571fd476749bffa42

SHA512
160bf1434fa3682611824c5a44d2cd156cf926c33fc3a3261279b60d2138a5dd8e8df60608f2780ebd5caa88a5e4bb8417e0ca14f7ea4b5916d878af4fd419a3

Download Submit
C:\ProgramData\GYHASOLS\FileGrabber\Documents\GroupWait.xlsx

Filesize
474KB

MD5
31a505a8838e7805119561d0dbf7d8bf

SHA1
a30d3c1c32c02eac96d8866ec1b9dcbb02499405

SHA256
e0506d9dd523583f46500d73689d4e0d255e16504da1e62285e75e0b4ac38865

SHA512
3ed11124cbf0a6f4e6d5be6fb271a90115b5b590ceb1e49a9e7c39b9e3463db2d9e852995e20bc1728b53a96d57e66157e100e55f193cdc348cef876be657b43

Download Submit
C:\ProgramData\GYHASOLS\FileGrabber\Documents\RestoreUpdate.html

Filesize
391KB

MD5
4ae694a824d60f676313e8da47b8f4ff

SHA1
0e23316bfb969443c9f3b404f420846b2920aa4d

SHA256
ed85167de8b76cb4ab033e7f13a5dbc279e47cf76f5b3f4f28128bf828ebc7d2

SHA512
ef0237161f864534d9988683c9ac4367fbbe1b4562489041a3f8734d586be945f2605805563c2cc3e8afe137501881f58a5998d86d2cbeb8cd1db71e2e905621

Download Submit
C:\ProgramData\GYHASOLS\FileGrabber\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\ProgramData\GYHASOLS\FileGrabber\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\ProgramData\GYHASOLS\InstalledSoftware.txt

Filesize
1KB

MD5
bca4ee4b0d73edf2835ac08ab38d1bd9

SHA1
a833d7663f5edecc050b37b7efd1d563268ea0df

SHA256
0face1d1c4bdf8e8f16c7fe99e2a6150cd6f60dc20396214288a585f870f3e5f

SHA512
48fa5f3b545f470146fee34c87b7268eb09ca7944d8bfea9e9fa2a14f4f934ec3b91ae4d302f7248b797bd5e0562b8a567f5ca3bce241ea8c3493bbe3310bce2

Download Submit
C:\ProgramData\GYHASOLS\Process.txt

Filesize
4KB

MD5
20ccd9e6d400911ca7fb0279cd7ff315

SHA1
a219e5d00dad04faa0c627aa572f2fe63ce1b7be

SHA256
52b72d312ef6deacc23694589a250cef861b3ef6017eb2d550b329f41cbd6232

SHA512
d186d166f2a57475f9a9a4a1b289c1bec22efe811cc91dd4d937977c27bcc8f2699fb2c0f7a92351adde2dc7ebe7a8a29ac0cf3a080b9410a48ad195892f7aa8

Download Submit
C:\ProgramData\GYHASOLS\Screen.png

Filesize
429KB

MD5
56714b2be259495fe5e4d65c5d4d63f1

SHA1
7f78fa4337d76ac868353ffba5c1a0dcc5f553f0

SHA256
1bf654c0501c8bd766894401bc7b6909aebe5034a49bf47327e80aa9377e20d6

SHA512
3b8b06dc5077dd6c7df6983362176c25a7fb576a0db6c08cc4fc438b776c9e95e67d65ed1a56e1a189cd8f454571ea8aab239bfb61d5bade099b44d119a446c7

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.6MB

MD5
3420f30a64bec629d676254a475823f0

SHA1
26722aa62e36e90daee1f1ef2f8b754584aba419

SHA256
cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6

SHA512
4b167f5e5bccbfdf7b708dbd3545c4d52d8b751a0658a0232be114a355ab52e33d426708d9098dd85c1393188ea3e241fd01b6cae71a32e65f8821bb26ce88ef

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\Browsers\Outlook\Outlook.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Desktop\CompleteNew.xlsx

Filesize
15KB

MD5
6bf210557f42813d6bcbd7de47ea6c59

SHA1
fd736eede8249e1ddcd79851d689a8b7b23e864c

SHA256
5ce6cc566f036824902c07b3406f04fac87e7892b588058b49d4bd701c4251d1

SHA512
b640a6e9dc1ca1383c513fb5ca72a24a096c9c036844756c3e04e68961eff9c19d067889a92ef59165d7c4803ad2fe93a5ef35cfcd84e320caad05ff61e93bfa

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Desktop\RenameRead.xlsx

Filesize
11KB

MD5
e479c80dd9a532dff31149a1ff97ee36

SHA1
411bba4c0dc95c30faa332c4f7a20ac9cd3e7d85

SHA256
afa441a26c95306090060ba05d8d0776cf024f630a04000c34a3c512ce855849

SHA512
8fda0c2843d96ec6826dbccb5bff4b0a4fddc5cf8944756c8b20571ab0897ccbab9ff47110bf67efec5501768fc3114d969ad2bffc14e5d8ad4bbea1cc5e6849

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Desktop\UnblockSuspend.docx

Filesize
13KB

MD5
c35def5316624d4303b97d3d19ea5406

SHA1
2edf0931d33dc257d0d228c695698c7d01abbfd3

SHA256
7ddc6ec03a8fd4a5307859bd1fd6f625cb01101e02eaae7142de51a791111559

SHA512
488514bd1b0546003022c7f241b0028e69f8afc2ce543115fcb13bb851f2f7c557399e72007df111337554da8f52632d61cc3ff18554f997e3a7bc2d8e7c9407

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Desktop\UnregisterClear.docx

Filesize
16KB

MD5
f4df53b384b8409d1d0274cbb4974a82

SHA1
50fef66ef4191a89d8e19a1e22d83dcd533b6d92

SHA256
7dd3a756eff88e7c67e71fb084d75424d6b5999babfa7b3411036132cb759262

SHA512
9122473e32a0e1fe1c6befc0f353289f6168550586a39b4cd6e2087c64519089f8cadd0d6fe581e6e56288662187540bb7db646603497598c94c86dbe2011b44

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Documents\CheckpointWrite.xlsx

Filesize
12KB

MD5
394ce4672f14de44d5b5d839b7611f03

SHA1
4f69f9e0cd41e485721f5c81d9413c750d34f42f

SHA256
2751e647b34049e2e85adcd90252f62e5bad2a57943376d3215c8c2c87d718d0

SHA512
39c7e267aafaf05d60378637c145937de65d4bbd672d1e7d4f974a4b52d12440531dec318e3542dcb5df31a65400533247463136006fb16f282567aef0d5ef44

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Documents\DenyEnter.docx

Filesize
19KB

MD5
c899a7ec9676d2ed19507d5d9c458496

SHA1
83b80270bea6a8f390f813261acf33bba90591b0

SHA256
9e73ff8fc34cdfb1ef39362f1484ab6d8ca0b68ebbee339915b071fe2525eea6

SHA512
56620fc87cd1fd14db68d1cebc2fb9c6a2e0e2da054efe1cea07ec8a256b198a73926c907846ac566ed9457cbc0330d64cd3796cee62758aab8530ad0ca50264

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Documents\RepairSync.xlsx

Filesize
10KB

MD5
518554935eff3876bcc755ec83f9d535

SHA1
eb3886959cfbc3eac0bbe3112d03c8270a4fee8a

SHA256
4caa84f2055369b60d635c4b5de54c9ecba906076f4f3157e732f365e5e784f0

SHA512
8ec8b10d994229aaff7615e091402b3604ae03d56a54086e7a586afdba3d553de55da1c9ad12f1c7d6087905319ce88e388620f47819cc9e2e8f54672bab5993

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Downloads\ConvertToDebug.jpg

Filesize
208KB

MD5
8e7104566f0f48f074115de0e1771dfe

SHA1
ca40e24498511fa430835805c3ce7bccfcee33d6

SHA256
0f3062b6c6bcdd7dfc4e6ead3e48ac4062b66fcc0ada5516db399e7e2507960d

SHA512
b2aafe879703e4d6e593298e0f8e70330178f0d95c8fe03592b6abf0ae07450308f1c0aedee9087cf8b6b5dd452095c3e5c77ffc395795dc83aa773c27d182d2

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Downloads\SplitGrant.xlsx

Filesize
356KB

MD5
6a909d16ffd25420018fea56dbc2b5cd

SHA1
25b6e761b215d8825508e30b9719f1a25e9d5cd0

SHA256
8cf6eea9c45f0cafd287fc7d9dba3678df36ab7038847cb82e5c7b758abf75d7

SHA512
aa8af00569bc1441fd7f89b47516ed119296a11e679775f721188650bc2c209879183342add6fb71f4358253f0046d2058290e5652804599cb2e0c483229878d

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Pictures\EnterUninstall.jpg

Filesize
1000KB

MD5
f560eb046d95b32d11c8ab54272c8424

SHA1
44e0630b6b18d4d9dcdb890d3f07ddbed01be7fd

SHA256
983743c7e83677cbf0b21f6622f548eb5d9f6f4be0f04ef575af38ab66bca57a

SHA512
ebf378b7f1a3ad493e5ebc133bb02433084c59a4f20be70fe469f9824d8631fb32aa2fe0e865cac5edc01e1fed8c0055fafbbff54d590effa3f2b1e8b339e8f1

Download Submit
C:\Users\Admin\AppData\Local\GYHASOLS\FileGrabber\Pictures\ExitCompress.jpg

Filesize
395KB

MD5
2502d3b2c7a6e675cb9263c130140a27

SHA1
cfba44eb3499c5c232fc7180c92aad6c43cc5c4b

SHA256
c8d5e64c0c71b59c5b11e4bf914d13c8cebb69ae95c04afe4d90daa1f6b8ed08

SHA512
a652213666f229f2c9ea383b90926ae020f89f8961055561580e575050f8e0e4832cca008d604272b81a2de6c7f39e24f68f2ce671d7c0937c38dfd368efe760

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

Filesize
321KB

MD5
88e556c4f90811d242975a78d9f230fa

SHA1
fff10abdf2f71f6197d2eeda52822fa549084426

SHA256
d59a62bcbadaea2c0a911e24bb842e592fe5273b15721997034e2e62a0444bc5

SHA512
81b2d9ecd35349dd792094bc46f0b235384ce9bb17ea25478d61d00f552813910149daa774d0a8b4df05fdc43fa27597845387db00460a0f71fba7e37f3407ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\16D75E00

Filesize
23KB

MD5
8010126496396348602b5a6a08299795

SHA1
dbd79d65d885ba6183e71069298f23c513148787

SHA256
7392a2dfb5c798947bc6b443e67621e1a6020412047b9d7c5ca3f436b613502e

SHA512
4344084b2d805eef66fd944202a64bbbe71a7a50db0a2b6c05c74808f8603a652ebf42cbaccbd68385538b14b0a446c35da47999a5af8dc9ae0c277b9cbfbb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
19d479796748c78743fef23c303cc9c6

SHA1
f28c8d0a906458b49ff8fc04011e42dc73d0fc73

SHA256
897b6e3d9528c26af5bc685e4446b749d9230ed6f3ec0e2e058ca5dde736594b

SHA512
7e3d7bf707601ec6825f061a167102c2fed817a5a879f0a513d8892e9868c3490e1d13909f921afecb294b9e8c181922098a7daeebd9b507ea87921f59bfa7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD2E3.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD40F.tmp.dat

Filesize
114KB

MD5
d0150bee5e917cfd7a7152d6c1988919

SHA1
fbcb54efb2fc75f72eaea9605b1a2cae557a121b

SHA256
ea86bc11680540f71d4740429e19804ad5c375e5ceee098981f6aebe691b71c1

SHA512
a3c542917de3538c0a10445f3fd96395cac0f2c572fccc948ed755864d5800af16957d7deb5973a469cde52582d3e3ee6f4d3e87acd7b1084d64441268b2504d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD865.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqVz9UZx.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/868-274-0x0000000007070000-0x00000000070D6000-memory.dmp

Filesize
408KB

Download
memory/868-759-0x000000007318E000-0x000000007318F000-memory.dmp

Filesize
4KB

Download
memory/868-95-0x0000000000F70000-0x0000000000FC6000-memory.dmp

Filesize
344KB

Download
memory/868-133-0x000000007318E000-0x000000007318F000-memory.dmp

Filesize
4KB

Download
memory/1896-9-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1896-144-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1896-8-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1896-11-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1896-13-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1896-12-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2308-6-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2308-3-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download
memory/2308-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/2308-1-0x0000000000130000-0x00000000002D4000-memory.dmp

Filesize
1.6MB

Download
memory/2308-2-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/2308-4-0x0000000004DE0000-0x0000000004F1E000-memory.dmp

Filesize
1.2MB

Download
memory/2308-16-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2308-5-0x0000000004FD0000-0x000000000506C000-memory.dmp

Filesize
624KB

Download
memory/2308-7-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/2768-578-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2768-397-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2768-398-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2768-173-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2768-838-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3856-265-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

Filesize
64KB

Download
memory/3856-272-0x00007FFB37A90000-0x00007FFB37AA0000-memory.dmp

Filesize
64KB

Download
memory/3856-275-0x00007FFB37A90000-0x00007FFB37AA0000-memory.dmp

Filesize
64KB

Download
memory/3856-269-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

Filesize
64KB

Download
memory/3856-267-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

Filesize
64KB

Download
memory/3856-264-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

Filesize
64KB

Download
memory/3856-266-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

Filesize
64KB

Download