Overview

overview

10

Static

static

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

win102

windows10_x64

10

win102

windows10_x64

10

win102

windows10_x64

10

win102

windows10_x64

10

win104

windows10_x64

10

win104

windows10_x64

10

win104

windows10_x64

10

win104

windows10_x64

10

win105

windows10_x64

10

win105

windows10_x64

10

win105

windows10_x64

10

win105

windows10_x64

10

win106

windows10_x64

10

win106

windows10_x64

10

win106

windows10_x64

10

win106

windows10_x64

10

win103

windows10_x64

10

win103

windows10_x64

10

win103

windows10_x64

10

win103

windows10_x64

10

win101

windows10_x64

10

win101

windows10_x64

10

win101

windows10_x64

10

win101

windows10_x64

10

Resubmissions

12-11-2024 01:29

241112-bwgrxs1gnf 10

08-07-2021 12:18

210708-8z6d5h8z2n 10

06-07-2021 17:53

210706-g6we6sa7sa 10

19-06-2021 18:17

210619-vr8bj2dzfn 10

17-06-2021 21:39

210617-a9cvlnmrbx 10

11-06-2021 17:26

210611-wvab1yw2tj 10

08-06-2021 06:47

210608-qrbpch3y46 10

08-06-2021 06:47

210608-64tndgm1ln 10

05-06-2021 18:40

210605-cd6qpr55sx 10

04-06-2021 11:56

210604-5c416rs3ns 10

Analysis

  • max time kernel
    1801s
  • max time network
    1794s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    29-04-2021 06:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Install2.exe

  • Size

    497KB

  • MD5

    41a5f4fd1ea7cac4aa94a87aebccfef0

  • SHA1

    0d0abf079413a4c773754bf4fda338dc5b9a8ddc

  • SHA256

    97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

  • SHA512

    5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

Score
10/10
raccoonredlinesmokeloader9afb493c6f82d08075dbbfa7d93ce97f1dbf4733bbcbroweur1backdoorfacebookdiscoveryevasioninfostealerpersistencephishingspywarestealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

EUR1

C2

younamebit.info:80

Extracted

Family

raccoon

Botnet

9afb493c6f82d08075dbbfa7d93ce97f1dbf4733

Attributes
  • url4cnc

    https://tttttt.me/antitantief3

rc4.plain
rc4.plain

Extracted

Family

smokeloader

Version

2020

C2

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

BBCbrow

C2

qurernenail.xyz:80

Signatures

  • Detected facebook phishing page
    phishingfacebook
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 38 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 13 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Themes
    1⤵
      PID:1252
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
      1⤵
        PID:1844
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2416
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
        1⤵
          PID:2424
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s WpnService
          1⤵
            PID:2628
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s Browser
            1⤵
              PID:2852
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2620
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s SENS
              1⤵
                PID:1412
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                1⤵
                  PID:1232
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                  1⤵
                    PID:1080
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:860
                    • C:\Users\Admin\AppData\Roaming\wieijsc
                      C:\Users\Admin\AppData\Roaming\wieijsc
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:5520
                      • C:\Users\Admin\AppData\Roaming\wieijsc
                        C:\Users\Admin\AppData\Roaming\wieijsc
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: MapViewOfSection
                        PID:3812
                    • C:\Users\Admin\AppData\Roaming\wieijsc
                      C:\Users\Admin\AppData\Roaming\wieijsc
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:3032
                      • C:\Users\Admin\AppData\Roaming\wieijsc
                        C:\Users\Admin\AppData\Roaming\wieijsc
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: MapViewOfSection
                        PID:512
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                    1⤵
                      PID:1000
                    • C:\Users\Admin\AppData\Local\Temp\Install2.exe
                      "C:\Users\Admin\AppData\Local\Temp\Install2.exe"
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3932
                      • C:\Users\Admin\AppData\Local\Temp\is-OAVH1.tmp\Install2.tmp
                        "C:\Users\Admin\AppData\Local\Temp\is-OAVH1.tmp\Install2.tmp" /SL5="$2010E,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install2.exe"
                        2⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of WriteProcessMemory
                        PID:3148
                        • C:\Users\Admin\AppData\Local\Temp\is-KNUOF.tmp\Ultra.exe
                          "C:\Users\Admin\AppData\Local\Temp\is-KNUOF.tmp\Ultra.exe" /S /UID=burnerch1
                          3⤵
                          • Drops file in Drivers directory
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • Drops file in Program Files directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2288
                          • C:\Users\Admin\AppData\Local\Temp\ILWMXVFJMC\ultramediaburner.exe
                            "C:\Users\Admin\AppData\Local\Temp\ILWMXVFJMC\ultramediaburner.exe" /VERYSILENT
                            4⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:2988
                            • C:\Users\Admin\AppData\Local\Temp\is-1D4VO.tmp\ultramediaburner.tmp
                              "C:\Users\Admin\AppData\Local\Temp\is-1D4VO.tmp\ultramediaburner.tmp" /SL5="$4002E,281924,62464,C:\Users\Admin\AppData\Local\Temp\ILWMXVFJMC\ultramediaburner.exe" /VERYSILENT
                              5⤵
                              • Executes dropped EXE
                              • Drops file in Program Files directory
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of WriteProcessMemory
                              PID:1324
                              • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                6⤵
                                • Executes dropped EXE
                                PID:420
                          • C:\Users\Admin\AppData\Local\Temp\d2-eb149-137-eb9bb-474c10540a419\Ligahajusho.exe
                            "C:\Users\Admin\AppData\Local\Temp\d2-eb149-137-eb9bb-474c10540a419\Ligahajusho.exe"
                            4⤵
                            • Executes dropped EXE
                            • Checks computer location settings
                            • Modifies system certificate store
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4032
                          • C:\Users\Admin\AppData\Local\Temp\0d-08dbf-b4f-0b392-8a0ab655a6b40\Loboxalaeju.exe
                            "C:\Users\Admin\AppData\Local\Temp\0d-08dbf-b4f-0b392-8a0ab655a6b40\Loboxalaeju.exe"
                            4⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:3892
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s2i3k1ho.bmo\skipper.exe /s & exit
                              5⤵
                              • Suspicious use of WriteProcessMemory
                              PID:5160
                              • C:\Users\Admin\AppData\Local\Temp\s2i3k1ho.bmo\skipper.exe
                                C:\Users\Admin\AppData\Local\Temp\s2i3k1ho.bmo\skipper.exe /s
                                6⤵
                                • Executes dropped EXE
                                • Suspicious use of WriteProcessMemory
                                PID:5312
                                • C:\Users\Admin\AppData\Local\Temp\546676008.exe
                                  C:\Users\Admin\AppData\Local\Temp\546676008.exe
                                  7⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5896
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                    8⤵
                                      PID:4624
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                      8⤵
                                        PID:5472
                                    • C:\Users\Admin\AppData\Local\Temp\1815935539.exe
                                      C:\Users\Admin\AppData\Local\Temp\1815935539.exe
                                      7⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      PID:5396
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                        8⤵
                                          PID:5416
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\s2i3k1ho.bmo\skipper.exe & exit
                                        7⤵
                                          PID:4368
                                          • C:\Windows\SysWOW64\PING.EXE
                                            ping 0
                                            8⤵
                                            • Runs ping.exe
                                            PID:4800
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\izfhj3g2.lln\001.exe & exit
                                      5⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:5360
                                      • C:\Users\Admin\AppData\Local\Temp\izfhj3g2.lln\001.exe
                                        C:\Users\Admin\AppData\Local\Temp\izfhj3g2.lln\001.exe
                                        6⤵
                                        • Executes dropped EXE
                                        PID:5524
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hxcilp3s.1we\gpooe.exe & exit
                                      5⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:6044
                                      • C:\Users\Admin\AppData\Local\Temp\hxcilp3s.1we\gpooe.exe
                                        C:\Users\Admin\AppData\Local\Temp\hxcilp3s.1we\gpooe.exe
                                        6⤵
                                        • Executes dropped EXE
                                        • Adds Run key to start application
                                        • Suspicious use of WriteProcessMemory
                                        PID:4116
                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                          7⤵
                                          • Executes dropped EXE
                                          PID:4284
                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                          7⤵
                                          • Executes dropped EXE
                                          PID:5944
                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                          7⤵
                                          • Executes dropped EXE
                                          PID:5932
                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                          7⤵
                                          • Executes dropped EXE
                                          PID:3172
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jb4bkttd.453\google-game.exe & exit
                                      5⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:4484
                                      • C:\Users\Admin\AppData\Local\Temp\jb4bkttd.453\google-game.exe
                                        C:\Users\Admin\AppData\Local\Temp\jb4bkttd.453\google-game.exe
                                        6⤵
                                        • Executes dropped EXE
                                        • Drops file in Program Files directory
                                        • Suspicious use of SetWindowsHookEx
                                        • Suspicious use of WriteProcessMemory
                                        PID:4620
                                        • C:\Windows\SysWOW64\rundll32.exe
                                          "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
                                          7⤵
                                          • Loads dropped DLL
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:4876
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4qvdfb2b.15n\md1_1eaf.exe & exit
                                      5⤵
                                        PID:5064
                                        • C:\Users\Admin\AppData\Local\Temp\4qvdfb2b.15n\md1_1eaf.exe
                                          C:\Users\Admin\AppData\Local\Temp\4qvdfb2b.15n\md1_1eaf.exe
                                          6⤵
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          PID:5892
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gklywobp.2jr\HookSetp.exe /silent & exit
                                        5⤵
                                          PID:5592
                                          • C:\Users\Admin\AppData\Local\Temp\gklywobp.2jr\HookSetp.exe
                                            C:\Users\Admin\AppData\Local\Temp\gklywobp.2jr\HookSetp.exe /silent
                                            6⤵
                                              PID:6124
                                              • C:\Users\Admin\AppData\Roaming\7674671.exe
                                                "C:\Users\Admin\AppData\Roaming\7674671.exe"
                                                7⤵
                                                • Executes dropped EXE
                                                PID:5476
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z431gj1s.zoj\BBCbrowser.exe /VERYSILENT & exit
                                            5⤵
                                              PID:4108
                                              • C:\Users\Admin\AppData\Local\Temp\z431gj1s.zoj\BBCbrowser.exe
                                                C:\Users\Admin\AppData\Local\Temp\z431gj1s.zoj\BBCbrowser.exe /VERYSILENT
                                                6⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                PID:4312
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                  7⤵
                                                    PID:5032
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1i4imlu1.wo4\md2_2efs.exe & exit
                                                5⤵
                                                  PID:4144
                                                  • C:\Users\Admin\AppData\Local\Temp\1i4imlu1.wo4\md2_2efs.exe
                                                    C:\Users\Admin\AppData\Local\Temp\1i4imlu1.wo4\md2_2efs.exe
                                                    6⤵
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    PID:4512
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5xt0ed42.tsb\askinstall39.exe & exit
                                                  5⤵
                                                    PID:4872
                                                    • C:\Users\Admin\AppData\Local\Temp\5xt0ed42.tsb\askinstall39.exe
                                                      C:\Users\Admin\AppData\Local\Temp\5xt0ed42.tsb\askinstall39.exe
                                                      6⤵
                                                      • Executes dropped EXE
                                                      PID:5560
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        cmd.exe /c taskkill /f /im chrome.exe
                                                        7⤵
                                                          PID:6136
                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                            taskkill /f /im chrome.exe
                                                            8⤵
                                                            • Kills process with taskkill
                                                            PID:5832
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wamnxtue.5rd\y1.exe & exit
                                                      5⤵
                                                        PID:5548
                                                        • C:\Users\Admin\AppData\Local\Temp\wamnxtue.5rd\y1.exe
                                                          C:\Users\Admin\AppData\Local\Temp\wamnxtue.5rd\y1.exe
                                                          6⤵
                                                            PID:4352
                                                            • C:\Users\Admin\AppData\Local\Temp\Oh14c65Cod.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\Oh14c65Cod.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • Modifies system certificate store
                                                              PID:4748
                                                              • C:\Users\Admin\AppData\Roaming\1619686831482.exe
                                                                "C:\Users\Admin\AppData\Roaming\1619686831482.exe" /sjson "C:\Users\Admin\AppData\Roaming\1619686831482.txt"
                                                                8⤵
                                                                • Executes dropped EXE
                                                                PID:4432
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\Oh14c65Cod.exe"
                                                                8⤵
                                                                  PID:5440
                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                    ping 127.0.0.1 -n 3
                                                                    9⤵
                                                                    • Runs ping.exe
                                                                    PID:3812
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\wamnxtue.5rd\y1.exe"
                                                                7⤵
                                                                  PID:716
                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                    timeout /T 10 /NOBREAK
                                                                    8⤵
                                                                    • Delays execution with timeout.exe
                                                                    PID:4504
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nh322dcm.sko\jvppp.exe & exit
                                                              5⤵
                                                                PID:4272
                                                                • C:\Users\Admin\AppData\Local\Temp\nh322dcm.sko\jvppp.exe
                                                                  C:\Users\Admin\AppData\Local\Temp\nh322dcm.sko\jvppp.exe
                                                                  6⤵
                                                                  • Executes dropped EXE
                                                                  PID:5724
                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                    7⤵
                                                                    • Executes dropped EXE
                                                                    PID:4232
                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                    7⤵
                                                                    • Executes dropped EXE
                                                                    PID:4740
                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                    7⤵
                                                                    • Executes dropped EXE
                                                                    PID:4444
                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                    7⤵
                                                                    • Executes dropped EXE
                                                                    PID:3284
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bnsguloj.2fy\GcleanerWW.exe /mixone & exit
                                                                5⤵
                                                                  PID:5692
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ifvwe5l.j5i\toolspab1.exe & exit
                                                                  5⤵
                                                                    PID:4448
                                                                    • C:\Users\Admin\AppData\Local\Temp\0ifvwe5l.j5i\toolspab1.exe
                                                                      C:\Users\Admin\AppData\Local\Temp\0ifvwe5l.j5i\toolspab1.exe
                                                                      6⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      PID:6124
                                                                      • C:\Users\Admin\AppData\Local\Temp\0ifvwe5l.j5i\toolspab1.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\0ifvwe5l.j5i\toolspab1.exe
                                                                        7⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • Checks SCSI registry key(s)
                                                                        • Suspicious behavior: MapViewOfSection
                                                                        PID:4244
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lxzy4ry3.ceq\005.exe & exit
                                                                    5⤵
                                                                      PID:2800
                                                                      • C:\Users\Admin\AppData\Local\Temp\lxzy4ry3.ceq\005.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\lxzy4ry3.ceq\005.exe
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        PID:4908
                                                            • \??\c:\windows\system32\svchost.exe
                                                              c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                              1⤵
                                                              • Suspicious use of SetThreadContext
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:2996
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                2⤵
                                                                • Checks processor information in registry
                                                                • Modifies data under HKEY_USERS
                                                                PID:4964
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                2⤵
                                                                • Checks processor information in registry
                                                                PID:5444
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                              1⤵
                                                              • Drops file in Windows directory
                                                              • Modifies Internet Explorer settings
                                                              • Modifies registry class
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2172
                                                            • C:\Windows\system32\browser_broker.exe
                                                              C:\Windows\system32\browser_broker.exe -Embedding
                                                              1⤵
                                                              • Modifies Internet Explorer settings
                                                              PID:928
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Suspicious behavior: MapViewOfSection
                                                              • Suspicious use of SetWindowsHookEx
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:5704
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Modifies Internet Explorer settings
                                                              • Modifies registry class
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:5984
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                                PID:4552
                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                1⤵
                                                                • Modifies registry class
                                                                PID:4536
                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                1⤵
                                                                • Modifies registry class
                                                                PID:1768
                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                C:\Windows\SysWOW64\explorer.exe
                                                                1⤵
                                                                  PID:5276
                                                                • C:\Windows\explorer.exe
                                                                  C:\Windows\explorer.exe
                                                                  1⤵
                                                                    PID:3384
                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                    C:\Windows\SysWOW64\explorer.exe
                                                                    1⤵
                                                                      PID:2152
                                                                    • C:\Windows\explorer.exe
                                                                      C:\Windows\explorer.exe
                                                                      1⤵
                                                                      • Suspicious behavior: MapViewOfSection
                                                                      PID:1424
                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                      C:\Windows\SysWOW64\explorer.exe
                                                                      1⤵
                                                                        PID:5828
                                                                      • C:\Windows\explorer.exe
                                                                        C:\Windows\explorer.exe
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • Suspicious behavior: MapViewOfSection
                                                                        PID:4352
                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                        C:\Windows\SysWOW64\explorer.exe
                                                                        1⤵
                                                                          PID:4140
                                                                        • C:\Windows\explorer.exe
                                                                          C:\Windows\explorer.exe
                                                                          1⤵
                                                                          • Suspicious behavior: MapViewOfSection
                                                                          PID:5936
                                                                        • C:\Windows\SysWOW64\explorer.exe
                                                                          C:\Windows\SysWOW64\explorer.exe
                                                                          1⤵
                                                                            PID:4692
                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                            1⤵
                                                                            • Checks SCSI registry key(s)
                                                                            • Enumerates system info in registry
                                                                            • Modifies registry class
                                                                            PID:716
                                                                          • C:\Windows\system32\AUDIODG.EXE
                                                                            C:\Windows\system32\AUDIODG.EXE 0x3d8
                                                                            1⤵
                                                                              PID:5056
                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                              1⤵
                                                                              • Modifies registry class
                                                                              PID:4248
                                                                              • C:\Windows\system32\WerFault.exe
                                                                                C:\Windows\system32\WerFault.exe -u -p 4248 -s 2008
                                                                                2⤵
                                                                                • Program crash
                                                                                PID:2464

                                                                            Network

                                                                            MITRE ATT&CK Enterprise v6

                                                                            Replay Monitor

                                                                            Loading Replay Monitor...

                                                                            Downloads

                                                                            • memory/420-149-0x0000000000834000-0x0000000000835000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/420-143-0x0000000000830000-0x0000000000832000-memory.dmp

                                                                              Filesize

                                                                              8KB

                                                                              Download

                                                                            • memory/420-150-0x0000000000835000-0x0000000000837000-memory.dmp

                                                                              Filesize

                                                                              8KB

                                                                              Download

                                                                            • memory/420-148-0x0000000000832000-0x0000000000834000-memory.dmp

                                                                              Filesize

                                                                              8KB

                                                                              Download

                                                                            • memory/860-233-0x000002DE7B830000-0x000002DE7B8A0000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/1000-199-0x0000023AAC940000-0x0000023AAC98B000-memory.dmp

                                                                              Filesize

                                                                              300KB

                                                                              Download

                                                                            • memory/1000-201-0x0000023AACF10000-0x0000023AACF80000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/1080-218-0x0000021265D30000-0x0000021265DA0000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/1232-247-0x000002BDB2210000-0x000002BDB2280000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/1252-244-0x0000019FE3180000-0x0000019FE31F0000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/1324-131-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/1412-235-0x00000234F8B50000-0x00000234F8BC0000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/1844-240-0x000002022E270000-0x000002022E2E0000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/2288-123-0x0000000001730000-0x0000000001732000-memory.dmp

                                                                              Filesize

                                                                              8KB

                                                                              Download

                                                                            • memory/2416-213-0x000002212F190000-0x000002212F200000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/2424-207-0x0000023641140000-0x00000236411B0000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/2620-253-0x000001EA89D80000-0x000001EA89DF0000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/2628-241-0x000001F581810000-0x000001F581880000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/2852-195-0x000002D932400000-0x000002D932470000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/2988-126-0x0000000000400000-0x0000000000416000-memory.dmp

                                                                              Filesize

                                                                              88KB

                                                                              Download

                                                                            • memory/2996-208-0x00000249EA760000-0x00000249EA7D0000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/3000-343-0x0000000000F10000-0x0000000000F27000-memory.dmp

                                                                              Filesize

                                                                              92KB

                                                                              Download

                                                                            • memory/3148-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/3892-146-0x0000000002E10000-0x0000000002E12000-memory.dmp

                                                                              Filesize

                                                                              8KB

                                                                              Download

                                                                            • memory/3892-151-0x0000000002E15000-0x0000000002E16000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/3892-147-0x0000000002E12000-0x0000000002E14000-memory.dmp

                                                                              Filesize

                                                                              8KB

                                                                              Download

                                                                            • memory/3932-114-0x0000000000400000-0x000000000042B000-memory.dmp

                                                                              Filesize

                                                                              172KB

                                                                              Download

                                                                            • memory/4032-141-0x00000000027E0000-0x00000000027E2000-memory.dmp

                                                                              Filesize

                                                                              8KB

                                                                              Download

                                                                            • memory/4244-316-0x0000000000400000-0x000000000040C000-memory.dmp

                                                                              Filesize

                                                                              48KB

                                                                              Download

                                                                            • memory/4312-277-0x0000000007910000-0x0000000007E0E000-memory.dmp

                                                                              Filesize

                                                                              5.0MB

                                                                              Download

                                                                            • memory/4312-338-0x0000000008840000-0x0000000008841000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/4312-276-0x0000000007950000-0x0000000007951000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/4312-266-0x0000000007E10000-0x0000000007E11000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/4312-263-0x0000000000B90000-0x0000000000B91000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/4312-270-0x00000000079B0000-0x00000000079B1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/4312-337-0x0000000007C90000-0x0000000007CA8000-memory.dmp

                                                                              Filesize

                                                                              96KB

                                                                              Download

                                                                            • memory/4352-336-0x0000000000400000-0x0000000002BF4000-memory.dmp

                                                                              Filesize

                                                                              40.0MB

                                                                              Download

                                                                            • memory/4352-328-0x00000000047A0000-0x0000000004831000-memory.dmp

                                                                              Filesize

                                                                              580KB

                                                                              Download

                                                                            • memory/4876-193-0x0000000000B67000-0x0000000000C68000-memory.dmp

                                                                              Filesize

                                                                              1.0MB

                                                                              Download

                                                                            • memory/4876-202-0x0000000000D90000-0x0000000000DEC000-memory.dmp

                                                                              Filesize

                                                                              368KB

                                                                              Download

                                                                            • memory/4908-314-0x0000000000580000-0x00000000006CA000-memory.dmp

                                                                              Filesize

                                                                              1.3MB

                                                                              Download

                                                                            • memory/4908-313-0x00000000001F0000-0x0000000000200000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/4964-196-0x0000022C79720000-0x0000022C79790000-memory.dmp

                                                                              Filesize

                                                                              448KB

                                                                              Download

                                                                            • memory/5032-348-0x0000000005010000-0x0000000005616000-memory.dmp

                                                                              Filesize

                                                                              6.0MB

                                                                              Download

                                                                            • memory/5032-345-0x0000000000400000-0x000000000041C000-memory.dmp

                                                                              Filesize

                                                                              112KB

                                                                              Download

                                                                            • memory/5276-363-0x0000000000670000-0x00000000006E4000-memory.dmp

                                                                              Filesize

                                                                              464KB

                                                                              Download

                                                                            • memory/5276-364-0x0000000000600000-0x000000000066B000-memory.dmp

                                                                              Filesize

                                                                              428KB

                                                                              Download

                                                                            • memory/5396-335-0x0000000005290000-0x0000000005291000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/5396-333-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

                                                                              Filesize

                                                                              8KB

                                                                              Download

                                                                            • memory/5396-331-0x00000000008C0000-0x00000000008C1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/5416-350-0x0000000004F70000-0x0000000005576000-memory.dmp

                                                                              Filesize

                                                                              6.0MB

                                                                              Download

                                                                            • memory/5444-360-0x000001EBC8D20000-0x000001EBC8D6B000-memory.dmp

                                                                              Filesize

                                                                              300KB

                                                                              Download

                                                                            • memory/5444-361-0x000001EBC8F20000-0x000001EBC8F91000-memory.dmp

                                                                              Filesize

                                                                              452KB

                                                                              Download

                                                                            • memory/5472-315-0x0000000000400000-0x000000000041C000-memory.dmp

                                                                              Filesize

                                                                              112KB

                                                                              Download

                                                                            • memory/5472-326-0x00000000056F0000-0x00000000056F1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/5472-323-0x0000000005C80000-0x0000000005C81000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/5472-334-0x0000000005750000-0x0000000005751000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/5472-344-0x0000000005670000-0x0000000005C76000-memory.dmp

                                                                              Filesize

                                                                              6.0MB

                                                                              Download

                                                                            • memory/5472-347-0x0000000005790000-0x0000000005791000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/5476-290-0x0000000004B00000-0x0000000004B01000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/5476-291-0x0000000000C20000-0x0000000000C21000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/5476-289-0x0000000004AD0000-0x0000000004AFA000-memory.dmp

                                                                              Filesize

                                                                              168KB

                                                                              Download

                                                                            • memory/5476-287-0x0000000000C10000-0x0000000000C11000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/5476-285-0x0000000000260000-0x0000000000261000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/5476-302-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/5524-161-0x00000000009C0000-0x00000000009D0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/5524-162-0x00000000009F0000-0x0000000000A02000-memory.dmp

                                                                              Filesize

                                                                              72KB

                                                                              Download

                                                                            • memory/5896-167-0x0000000000280000-0x0000000000281000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/5896-169-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

                                                                              Filesize

                                                                              8KB

                                                                              Download

                                                                            • memory/5896-173-0x0000000004C70000-0x0000000004C71000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/6124-258-0x0000000000570000-0x0000000000571000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/6124-265-0x0000000000C90000-0x0000000000C91000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/6124-267-0x0000000000CA0000-0x0000000000CBB000-memory.dmp

                                                                              Filesize

                                                                              108KB

                                                                              Download

                                                                            • memory/6124-269-0x0000000002670000-0x0000000002671000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/6124-322-0x0000000001F20000-0x0000000001F2C000-memory.dmp

                                                                              Filesize

                                                                              48KB

                                                                              Download

                                                                            • memory/6124-272-0x000000001B050000-0x000000001B052000-memory.dmp

                                                                              Filesize

                                                                              8KB

                                                                              Download