Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2024 13:16

General

  • Target

    JaffaCakes118_514fd87549442e5b9a87b3a37efcdd34887f3a7ae8a9b2c5ec696bdd8a5e2619.exe

  • Size

    4.2MB

  • MD5

    30c43d251a19febaa7f63377ff5c8c1d

  • SHA1

    d820319efef69e198cc09264624ce11b3efa2fe5

  • SHA256

    514fd87549442e5b9a87b3a37efcdd34887f3a7ae8a9b2c5ec696bdd8a5e2619

  • SHA512

    608473fc70de1346fc838282c7cc0154a8bf7e6cb554fce639683611bacd22f5d8d83fd1d689e39f711732dad16815620367633743603494c5eabc9f67d0fbb6

  • SSDEEP

    98304:PQuBF4mgTFlkyL3JPahm8UHRH9cgUW+DqYMyBXu3HZBe/A:PQucmObLJz8st9/iBXu+/A

Malware Config

Extracted

  • Family
    metasploit
  • Version
    windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba family
  • Glupteba payload 22 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Windows security bypass 2 TTPs 10 IoCs
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Windows security modification 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMon driver. 1 IoCs

    Rootkits write to WinMon to hide PIDs from being detected.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 3 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_514fd87549442e5b9a87b3a37efcdd34887f3a7ae8a9b2c5ec696bdd8a5e2619.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_514fd87549442e5b9a87b3a37efcdd34887f3a7ae8a9b2c5ec696bdd8a5e2619.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1312
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_514fd87549442e5b9a87b3a37efcdd34887f3a7ae8a9b2c5ec696bdd8a5e2619.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_514fd87549442e5b9a87b3a37efcdd34887f3a7ae8a9b2c5ec696bdd8a5e2619.exe"
      2⤵
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • Modifies data under HKEY_USERS
          PID:2816
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe /301-301
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Manipulates WinMon driver.
        • Manipulates WinMonFS driver.
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1512
        • C:\Windows\system32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:1988
          • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
            "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            • Suspicious use of WriteProcessMemory
            PID:2512
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:824
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1308
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1316
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1492
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1324
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1748
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2580
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2180
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1688
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1760
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1320
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -timeout 0
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2268
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1724
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\Sysnative\bcdedit.exe /v
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1996
          • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
            4⤵
            • Executes dropped EXE
            PID:1480
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3068
    • C:\Windows\system32\makecab.exe
      "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241225131702.log C:\Windows\Logs\CBS\CbsPersist_20241225131702.cab
      1⤵
      • Drops file in Windows directory
      PID:2936

    Network

    • Country: US
      DNS
      trumops.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      trumops.com
      IN TXT
      Response
      trumops.com
      IN TXT
      .v=spf1 include:_incspfcheck.mailspike.net ?all
    • Country: US
      DNS
      retoti.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      retoti.com
      IN TXT
      Response
      retoti.com
      IN TXT
      .v=spf1 include:_incspfcheck.mailspike.net ?all
    • Country: US
      DNS
      logs.trumops.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      logs.trumops.com
      IN TXT
      Response
    • Country: US
      DNS
      logs.retoti.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      logs.retoti.com
      IN TXT
      Response
    • Country: US
      DNS
      fef5c616-61cb-4c6c-b31a-b32dba497940.uuid.trumops.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      fef5c616-61cb-4c6c-b31a-b32dba497940.uuid.trumops.com
      IN TXT
      Response
    • Country: US
      DNS
      server6.trumops.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server6.trumops.com
      IN A
      Response
      server6.trumops.com
      IN A
      44.221.84.105
    • Country: US
      DNS
      msdl.microsoft.com
      patch.exe
      Remote address:
      8.8.8.8:53
      Request
      msdl.microsoft.com
      IN A
      Response
      msdl.microsoft.com
      IN CNAME
      msdl.microsoft.akadns.net
      msdl.microsoft.akadns.net
      IN CNAME
      msdl-microsoft-com.a-0016.a-msedge.net
      msdl-microsoft-com.a-0016.a-msedge.net
      IN CNAME
      a-0016.a-msedge.net
      a-0016.a-msedge.net
      IN A
      204.79.197.219
    • Country: US
      GET
      https://msdl.microsoft.com/download/symbols/index2.txt
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/index2.txt HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 404 Not Found
      X-Cache: TCP_HIT
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 80A4FE42F0674441A160D72509740A78 Ref B: LON04EDGE0921 Ref C: 2024-12-25T13:17:12Z
      Date: Wed, 25 Dec 2024 13:17:11 GMT
      Content-Length: 0
    • Country: US
      GET
      https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      Location: https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=PRpKGTMsRgumVg6XpuWDS7DOz2qa9WK547nBLYxrvRk%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A05%3A22Z&ske=2024-12-27T11%3A05%3A22Z&sks=b&skv=2019-07-07&se=2024-12-26T13%3A19%3A29Z&sp=r&rscl=x-e2eid-81d90537-18ba4f38-a7b634d9-01368c02-session-32536ea8-55e148ee-9caa49ca-b9d99f2f
      X-Cache: TCP_HIT
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 16BDF47D2497410EAC50C33FE7B18E06 Ref B: LON04EDGE0921 Ref C: 2024-12-25T13:17:12Z
      Date: Wed, 25 Dec 2024 13:17:11 GMT
      Content-Length: 0
    • Country: US
      GET
      https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      Location: https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=PRpKGTMsRgumVg6XpuWDS7DOz2qa9WK547nBLYxrvRk%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A05%3A22Z&ske=2024-12-27T11%3A05%3A22Z&sks=b&skv=2019-07-07&se=2024-12-26T13%3A19%3A29Z&sp=r&rscl=x-e2eid-81d90537-18ba4f38-a7b634d9-01368c02-session-32536ea8-55e148ee-9caa49ca-b9d99f2f
      X-Cache: TCP_HIT
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 4548BE58A4A04B91809BF8E7027FC529 Ref B: LON04EDGE0921 Ref C: 2024-12-25T13:17:22Z
      Date: Wed, 25 Dec 2024 13:17:21 GMT
      Content-Length: 0
    • Country: US
      GET
      https://msdl.microsoft.com/download/symbols/index2.txt
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/index2.txt HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 404 Not Found
      X-Cache: TCP_HIT
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 00EF9B29BB554B07AED611FC494CF1CE Ref B: LON04EDGE0921 Ref C: 2024-12-25T13:17:32Z
      Date: Wed, 25 Dec 2024 13:17:32 GMT
      Content-Length: 0
    • Country: US
      GET
      https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      Location: https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=lMV0CPHB1SgiUY33tb0m9UrYxgdPnfzXWauCvQ4FBUg%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T09%3A23%3A39Z&ske=2024-12-27T10%3A23%3A39Z&sks=b&skv=2019-07-07&se=2024-12-26T14%3A04%3A41Z&sp=r&rscl=x-e2eid-cd565b88-2fc7429f-883da7e3-b3adc541-session-64e4f263-3327490a-be498c32-8683bc9d
      X-Cache: TCP_HIT
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 96F6BCA1C2AF402E8203F2BA5E147042 Ref B: LON04EDGE0921 Ref C: 2024-12-25T13:17:33Z
      Date: Wed, 25 Dec 2024 13:17:32 GMT
      Content-Length: 0
    • Country: US
      GET
      https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      Location: https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=lMV0CPHB1SgiUY33tb0m9UrYxgdPnfzXWauCvQ4FBUg%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T09%3A23%3A39Z&ske=2024-12-27T10%3A23%3A39Z&sks=b&skv=2019-07-07&se=2024-12-26T14%3A04%3A41Z&sp=r&rscl=x-e2eid-cd565b88-2fc7429f-883da7e3-b3adc541-session-64e4f263-3327490a-be498c32-8683bc9d
      X-Cache: TCP_HIT
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: B8B846E2D52546C9A66275C70DE96EF0 Ref B: LON04EDGE0921 Ref C: 2024-12-25T13:17:34Z
      Date: Wed, 25 Dec 2024 13:17:34 GMT
      Content-Length: 0
    • Country: US
      DNS
      vsblobprodscussu5shard30.blob.core.windows.net
      patch.exe
      Remote address:
      8.8.8.8:53
      Request
      vsblobprodscussu5shard30.blob.core.windows.net
      IN A
      Response
      vsblobprodscussu5shard30.blob.core.windows.net
      IN CNAME
      blob.sat09prdstrz08a.store.core.windows.net
      blob.sat09prdstrz08a.store.core.windows.net
      IN CNAME
      blob.sat09prdstrz08a.trafficmanager.net
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.38.228
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.79.68
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.70.36
    • Country: US
      DNS
      vsblobprodscussu5shard20.blob.core.windows.net
      patch.exe
      Remote address:
      8.8.8.8:53
      Request
      vsblobprodscussu5shard20.blob.core.windows.net
      IN A
      Response
      vsblobprodscussu5shard20.blob.core.windows.net
      IN CNAME
      blob.sat09prdstrz08a.store.core.windows.net
      blob.sat09prdstrz08a.store.core.windows.net
      IN CNAME
      blob.sat09prdstrz08a.trafficmanager.net
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.79.68
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.70.36
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.38.228
    • Country: US
      GET
      https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=lMV0CPHB1SgiUY33tb0m9UrYxgdPnfzXWauCvQ4FBUg%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T09%3A23%3A39Z&ske=2024-12-27T10%3A23%3A39Z&sks=b&skv=2019-07-07&se=2024-12-26T14%3A04%3A41Z&sp=r&rscl=x-e2eid-cd565b88-2fc7429f-883da7e3-b3adc541-session-64e4f263-3327490a-be498c32-8683bc9d
      patch.exe
      Remote address:
      20.150.79.68:443
      Request
      GET /b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=lMV0CPHB1SgiUY33tb0m9UrYxgdPnfzXWauCvQ4FBUg%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T09%3A23%3A39Z&ske=2024-12-27T10%3A23%3A39Z&sks=b&skv=2019-07-07&se=2024-12-26T14%3A04%3A41Z&sp=r&rscl=x-e2eid-cd565b88-2fc7429f-883da7e3-b3adc541-session-64e4f263-3327490a-be498c32-8683bc9d HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Connection: Keep-Alive
      Cache-Control: no-cache
      Host: vsblobprodscussu5shard20.blob.core.windows.net
      Response
      HTTP/1.1 200 OK
      Content-Length: 503808
      Content-Type: application/octet-stream
      Content-Language: x-e2eid-cd565b88-2fc7429f-883da7e3-b3adc541-session-64e4f263-3327490a-be498c32-8683bc9d
      Last-Modified: Fri, 02 Feb 2024 04:23:06 GMT
      Accept-Ranges: bytes
      ETag: "0x8DC23A6A7A80D5E"
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: 0b5b7039-b01e-0014-4ccf-564bc6000000
      x-ms-version: 2019-07-07
      x-ms-creation-time: Fri, 02 Feb 2024 04:23:06 GMT
      x-ms-lease-status: unlocked
      x-ms-lease-state: available
      x-ms-blob-type: BlockBlob
      x-ms-server-encrypted: true
      Access-Control-Expose-Headers: Content-Length
      Access-Control-Allow-Origin: *
      Date: Wed, 25 Dec 2024 13:17:33 GMT
    • Country: US
      GET
      https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=lMV0CPHB1SgiUY33tb0m9UrYxgdPnfzXWauCvQ4FBUg%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T09%3A23%3A39Z&ske=2024-12-27T10%3A23%3A39Z&sks=b&skv=2019-07-07&se=2024-12-26T14%3A04%3A41Z&sp=r&rscl=x-e2eid-cd565b88-2fc7429f-883da7e3-b3adc541-session-64e4f263-3327490a-be498c32-8683bc9d
      patch.exe
      Remote address:
      20.150.79.68:443
      Request
      GET /b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=lMV0CPHB1SgiUY33tb0m9UrYxgdPnfzXWauCvQ4FBUg%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T09%3A23%3A39Z&ske=2024-12-27T10%3A23%3A39Z&sks=b&skv=2019-07-07&se=2024-12-26T14%3A04%3A41Z&sp=r&rscl=x-e2eid-cd565b88-2fc7429f-883da7e3-b3adc541-session-64e4f263-3327490a-be498c32-8683bc9d HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Connection: Keep-Alive
      Cache-Control: no-cache
      Host: vsblobprodscussu5shard20.blob.core.windows.net
      Response
      HTTP/1.1 200 OK
      Content-Length: 503808
      Content-Type: application/octet-stream
      Content-Language: x-e2eid-cd565b88-2fc7429f-883da7e3-b3adc541-session-64e4f263-3327490a-be498c32-8683bc9d
      Last-Modified: Fri, 02 Feb 2024 04:23:06 GMT
      Accept-Ranges: bytes
      ETag: "0x8DC23A6A7A80D5E"
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: 0b5b71c8-b01e-0014-3dcf-564bc6000000
      x-ms-version: 2019-07-07
      x-ms-creation-time: Fri, 02 Feb 2024 04:23:06 GMT
      x-ms-lease-status: unlocked
      x-ms-lease-state: available
      x-ms-blob-type: BlockBlob
      x-ms-server-encrypted: true
      Access-Control-Expose-Headers: Content-Length
      Access-Control-Allow-Origin: *
      Date: Wed, 25 Dec 2024 13:17:34 GMT
    • Country: US
      DNS
      crl.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      crl.microsoft.com
      IN A
      Response
      crl.microsoft.com
      IN CNAME
      crl.www.ms.akadns.net
      crl.www.ms.akadns.net
      IN CNAME
      a1363.dscg.akamai.net
      a1363.dscg.akamai.net
      IN A
      104.86.110.66
      a1363.dscg.akamai.net
      IN A
      104.86.110.81
    • Country: US
      DNS
      crl.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      crl.microsoft.com
      IN A
    • Country: US
      DNS
      crl.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      crl.microsoft.com
      IN A
    • Country: GB
      GET
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      Remote address:
      104.86.110.66:80
      Request
      GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: crl.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1036
      Content-Type: application/octet-stream
      Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
      Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
      ETag: 0x8DD1A40E476D877
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: bb02ef99-901e-0028-6135-4c3642000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Wed, 25 Dec 2024 13:17:46 GMT
      Connection: keep-alive
    • Country: US
      DNS
      www.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      www.microsoft.com
      IN A
      Response
      www.microsoft.com
      IN CNAME
      www.microsoft.com-c-3.edgekey.net
      www.microsoft.com-c-3.edgekey.net
      IN CNAME
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      IN CNAME
      e13678.dscb.akamaiedge.net
      e13678.dscb.akamaiedge.net
      IN A
      2.22.5.218
    • Country: GB
      GET
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      Remote address:
      2.22.5.218:80
      Request
      GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: www.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1078
      Content-Type: application/octet-stream
      Content-MD5: PjrtHAukbJio72s77Ag5mA==
      Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
      ETag: 0x8DCFA0366D6C4CA
      x-ms-request-id: 4dd73a92-f01e-0011-0df1-2bcd5e000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Wed, 25 Dec 2024 13:17:46 GMT
      Connection: keep-alive
      TLS_version: UNKNOWN
      ms-cv: CASMicrosoftCV2c1384b4.0
      ms-cv-esi: CASMicrosoftCV2c1384b4.0
      X-RTag: RT
    • 44.221.84.105:443
      server6.trumops.com
      tls
      csrss.exe
      15.3kB
      9.5kB
      30
      22
    • 204.79.197.219:443
      https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
      tls, http
      patch.exe
      2.8kB
      10.8kB
      17
      21

      HTTP Request

      GET https://msdl.microsoft.com/download/symbols/index2.txt

      HTTP Response

      404

      HTTP Request

      GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

      HTTP Response

      302

      HTTP Request

      GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

      HTTP Response

      302

      HTTP Request

      GET https://msdl.microsoft.com/download/symbols/index2.txt

      HTTP Response

      404

      HTTP Request

      GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

      HTTP Response

      302

      HTTP Request

      GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

      HTTP Response

      302
    • 20.150.38.228:443
      vsblobprodscussu5shard30.blob.core.windows.net
      tls
      patch.exe
      372.4kB
      18.1MB
      7450
      13012
    • 20.150.79.68:443
      https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=lMV0CPHB1SgiUY33tb0m9UrYxgdPnfzXWauCvQ4FBUg%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T09%3A23%3A39Z&ske=2024-12-27T10%3A23%3A39Z&sks=b&skv=2019-07-07&se=2024-12-26T14%3A04%3A41Z&sp=r&rscl=x-e2eid-cd565b88-2fc7429f-883da7e3-b3adc541-session-64e4f263-3327490a-be498c32-8683bc9d
      tls, http
      patch.exe
      26.5kB
      1.1MB
      508
      757

      HTTP Request

      GET https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=lMV0CPHB1SgiUY33tb0m9UrYxgdPnfzXWauCvQ4FBUg%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T09%3A23%3A39Z&ske=2024-12-27T10%3A23%3A39Z&sks=b&skv=2019-07-07&se=2024-12-26T14%3A04%3A41Z&sp=r&rscl=x-e2eid-cd565b88-2fc7429f-883da7e3-b3adc541-session-64e4f263-3327490a-be498c32-8683bc9d

      HTTP Response

      200

      HTTP Request

      GET https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=lMV0CPHB1SgiUY33tb0m9UrYxgdPnfzXWauCvQ4FBUg%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T09%3A23%3A39Z&ske=2024-12-27T10%3A23%3A39Z&sks=b&skv=2019-07-07&se=2024-12-26T14%3A04%3A41Z&sp=r&rscl=x-e2eid-cd565b88-2fc7429f-883da7e3-b3adc541-session-64e4f263-3327490a-be498c32-8683bc9d

      HTTP Response

      200
    • 104.86.110.66:80
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      http
      399 B
      1.7kB
      4
      4

      HTTP Request

      GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

      HTTP Response

      200
    • 2.22.5.218:80
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      http
      393 B
      1.7kB
      4
      4

      HTTP Request

      GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

      HTTP Response

      200
    • 44.221.84.105:443
      server6.trumops.com
      tls
      csrss.exe
      1.7kB
      5.4kB
      9
      9
    • 8.8.8.8:53
      trumops.com
      dns
      csrss.exe
      57 B
      116 B
      1
      1

      DNS Request

      trumops.com

    • 8.8.8.8:53
      retoti.com
      dns
      csrss.exe
      56 B
      115 B
      1
      1

      DNS Request

      retoti.com

    • 8.8.8.8:53
      logs.trumops.com
      dns
      csrss.exe
      62 B
      121 B
      1
      1

      DNS Request

      logs.trumops.com

    • 8.8.8.8:53
      logs.retoti.com
      dns
      csrss.exe
      61 B
      120 B
      1
      1

      DNS Request

      logs.retoti.com

    • 8.8.8.8:53
      fef5c616-61cb-4c6c-b31a-b32dba497940.uuid.trumops.com
      dns
      csrss.exe
      99 B
      158 B
      1
      1

      DNS Request

      fef5c616-61cb-4c6c-b31a-b32dba497940.uuid.trumops.com

    • 8.8.8.8:53
      server6.trumops.com
      dns
      csrss.exe
      65 B
      81 B
      1
      1

      DNS Request

      server6.trumops.com

      DNS Response

      44.221.84.105

    • 8.8.8.8:53
      msdl.microsoft.com
      dns
      patch.exe
      64 B
      182 B
      1
      1

      DNS Request

      msdl.microsoft.com

      DNS Response

      204.79.197.219

    • 8.8.8.8:53
      vsblobprodscussu5shard30.blob.core.windows.net
      dns
      patch.exe
      92 B
      231 B
      1
      1

      DNS Request

      vsblobprodscussu5shard30.blob.core.windows.net

      DNS Response

      20.150.38.228
      20.150.79.68
      20.150.70.36

    • 8.8.8.8:53
      vsblobprodscussu5shard20.blob.core.windows.net
      dns
      patch.exe
      92 B
      231 B
      1
      1

      DNS Request

      vsblobprodscussu5shard20.blob.core.windows.net

      DNS Response

      20.150.79.68
      20.150.70.36
      20.150.38.228

    • 8.8.8.8:53
      crl.microsoft.com
      dns
      189 B
      162 B
      3
      1

      DNS Request

      crl.microsoft.com

      DNS Request

      crl.microsoft.com

      DNS Request

      crl.microsoft.com

      DNS Response

      104.86.110.66
      104.86.110.81

    • 8.8.8.8:53
      www.microsoft.com
      dns
      63 B
      230 B
      1
      1

      DNS Request

      www.microsoft.com

      DNS Response

      2.22.5.218

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
      Filesize: 8.3MB
      MD5: fd2727132edd0b59fa33733daa11d9ef
      SHA1: 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
      SHA256: 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
      SHA512: 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

    • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
      Filesize: 492KB
      MD5: fafbf2197151d5ce947872a4b0bcbe16
      SHA1: a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
      SHA256: feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
      SHA512: acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

    • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
      Filesize: 5.3MB
      MD5: 1afff8d5352aecef2ecd47ffa02d7f7d
      SHA1: 8b115b84efdb3a1b87f750d35822b2609e665bef
      SHA256: c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
      SHA512: e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

    • C:\Users\Admin\AppData\Local\Temp\osloader.exe
      Filesize: 591KB
      MD5: e2f68dc7fbd6e0bf031ca3809a739346
      SHA1: 9c35494898e65c8a62887f28e04c0359ab6f63f5
      SHA256: b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
      SHA512: 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

    • \Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      Filesize: 94KB
      MD5: d98e78fd57db58a11f880b45bb659767
      SHA1: ab70c0d3bd9103c07632eeecee9f51d198ed0e76
      SHA256: 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
      SHA512: aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

    • \Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize: 281KB
      MD5: d98e33b66343e7c96158444127a117f6
      SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
      SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
      SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

    • \Users\Admin\AppData\Local\Temp\csrss\patch.exe
      Filesize: 1.7MB
      MD5: 13aaafe14eb60d6a718230e82c671d57
      SHA1: e039dd924d12f264521b8e689426fb7ca95a0a7b
      SHA256: f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
      SHA512: ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

    • \Users\Admin\AppData\Local\Temp\dbghelp.dll
      Filesize: 1.5MB
      MD5: f0616fa8bc54ece07e3107057f74e4db
      SHA1: b33995c4f9a004b7d806c4bb36040ee844781fca
      SHA256: 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
      SHA512: 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

    • \Users\Admin\AppData\Local\Temp\symsrv.dll
      Filesize: 163KB
      MD5: 5c399d34d8dc01741269ff1f1aca7554
      SHA1: e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
      SHA256: e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
      SHA512: 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

    • \Windows\rss\csrss.exe
      Filesize: 4.2MB
      MD5: 30c43d251a19febaa7f63377ff5c8c1d
      SHA1: d820319efef69e198cc09264624ce11b3efa2fe5
      SHA256: 514fd87549442e5b9a87b3a37efcdd34887f3a7ae8a9b2c5ec696bdd8a5e2619
      SHA512: 608473fc70de1346fc838282c7cc0154a8bf7e6cb554fce639683611bacd22f5d8d83fd1d689e39f711732dad16815620367633743603494c5eabc9f67d0fbb6

    • memory/532-19-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/532-8-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/532-9-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/532-7-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/1312-4-0x0000000002B80000-0x0000000002F8F000-memory.dmp
      Filesize: 4.1MB

    • memory/1312-5-0x0000000002F90000-0x0000000003832000-memory.dmp
      Filesize: 8.6MB

    • memory/1312-0-0x0000000002B80000-0x0000000002F8F000-memory.dmp
      Filesize: 4.1MB

    • memory/1312-6-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/1312-2-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/1312-1-0x0000000002F90000-0x0000000003832000-memory.dmp
      Filesize: 8.6MB

    • memory/2512-26-0x0000000140000000-0x00000001405E8000-memory.dmp
      Filesize: 5.9MB

    • memory/2512-40-0x0000000140000000-0x00000001405E8000-memory.dmp
      Filesize: 5.9MB

    • memory/2668-66-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/2668-96-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/2668-51-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/2668-102-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/2668-103-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/2668-104-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/2668-105-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/2668-106-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/2668-107-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/2668-108-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/2668-109-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/2668-110-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/2668-111-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB

    • memory/2668-112-0x0000000000400000-0x0000000000CBD000-memory.dmp
      Filesize: 8.7MB
