Overview

overview

10

Static

static

8 (1).exe

windows7_x64

10

8 (1).exe

windows10_x64

10

8 (10).exe

windows7_x64

10

8 (10).exe

windows10_x64

10

8 (11).exe

windows7_x64

10

8 (11).exe

windows10_x64

10

8 (12).exe

windows7_x64

10

8 (12).exe

windows10_x64

10

8 (13).exe

windows7_x64

10

8 (13).exe

windows10_x64

10

8 (14).exe

windows7_x64

10

8 (14).exe

windows10_x64

10

8 (15).exe

windows7_x64

10

8 (15).exe

windows10_x64

8

8 (16).exe

windows7_x64

10

8 (16).exe

windows10_x64

10

8 (17).exe

windows7_x64

10

8 (17).exe

windows10_x64

10

8 (18).exe

windows7_x64

10

8 (18).exe

windows10_x64

10

8 (19).exe

windows7_x64

10

8 (19).exe

windows10_x64

10

8 (2).exe

windows7_x64

10

8 (2).exe

windows10_x64

10

8 (20).exe

windows7_x64

10

8 (20).exe

windows10_x64

10

8 (21).exe

windows7_x64

10

8 (21).exe

windows10_x64

10

8 (22).exe

windows7_x64

10

8 (22).exe

windows10_x64

10

8 (23).exe

windows7_x64

10

8 (23).exe

windows10_x64

10

Resubmissions

13/08/2021, 10:16

210813-wpta271jdx 10

08/08/2021, 23:00

210808-fgs5g9pxfs 10

07/08/2021, 23:12

210807-g2jw1lmd4a 10

07/08/2021, 16:10

210807-51nhct4kfx 10

06/08/2021, 23:43

210806-gc2271nxwj 10

06/08/2021, 06:00

210806-f443x39x8a 10

05/08/2021, 17:08

210805-97y6banvvx 10

04/08/2021, 17:25

210804-hkxx2ntr8x 10

04/08/2021, 12:12

210804-rjbg4b4y7n 10

03/08/2021, 17:12

210803-r2h7ytjwqj 10

Analysis

  • max time kernel
    26s
  • max time network
    1855s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    06/08/2021, 23:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8 (18).exe

  • Size

    3.0MB

  • MD5

    bb072cad921aa5ce8b97706ce01bc570

  • SHA1

    18bf034906c1341b7817e7361ad27a4425d820bd

  • SHA256

    817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

  • SHA512

    d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Score
10/10
gluptebametasploitraccoonredlinesmokeloadervidar83fbe81dd43f775dd8af3cd619f88f428fbd9a96933installsaspackv2backdoordropperevasioninfostealerloaderpersistencestealersuricatathemidatrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    files.000webhost.com
  • Port:
    21
  • Username:
    hhh6786
  • Password:
    Sutana666

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    933

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

installs

C2

178.32.202.118:43127

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

83fbe81dd43f775dd8af3cd619f88f428fbd9a96

Attributes
  • url4cnc

    https://telete.in/opa4kiprivatem

rc4.plain
rc4.plain

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 3 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon Stealer Payload 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE GCleaner Downloader Activity M1

    suricata: ET MALWARE GCleaner Downloader Activity M1

    suricata
  • suricata: ET MALWARE Possible Dridex Download URI Struct with no referer

    suricata: ET MALWARE Possible Dridex Download URI Struct with no referer

    suricata
  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    suricata
  • Vidar Stealer 4 IoCs
    stealer
  • ASPack v2.12-2.42 17 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 64 IoCs
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 4 IoCs
    evasion
  • Modifies data under HKEY_USERS 6 IoCs
  • Modifies registry class 8 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:468
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:876
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {0C1AE298-C1DD-4589-8AF9-FCA22BD03C29} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
          3⤵
            PID:316
            • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
              C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
              4⤵
                PID:1636
              • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                4⤵
                  PID:368
                • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                  C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                  4⤵
                    PID:2104
                  • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                    C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                    4⤵
                      PID:1228
                    • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                      C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                      4⤵
                        PID:2628
                      • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                        C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                        4⤵
                          PID:1696
                        • C:\Users\Admin\AppData\Roaming\etiscet
                          C:\Users\Admin\AppData\Roaming\etiscet
                          4⤵
                            PID:2656
                          • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                            C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                            4⤵
                              PID:1596
                            • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                              C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                              4⤵
                                PID:2056
                              • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                4⤵
                                  PID:2180
                                • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                  C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                  4⤵
                                    PID:1804
                                  • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                    C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                    4⤵
                                      PID:948
                                    • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                      C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                      4⤵
                                        PID:2816
                                      • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                        C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                        4⤵
                                          PID:2216
                                        • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                          C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                          4⤵
                                            PID:3056
                                          • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                            C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                            4⤵
                                              PID:3040
                                            • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                              C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                              4⤵
                                                PID:2140
                                              • C:\Users\Admin\AppData\Roaming\etiscet
                                                C:\Users\Admin\AppData\Roaming\etiscet
                                                4⤵
                                                  PID:2940
                                                • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                  C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                  4⤵
                                                    PID:2056
                                                  • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                    C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                    4⤵
                                                      PID:2936
                                                    • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                      C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                      4⤵
                                                        PID:3020
                                                      • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                        C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                        4⤵
                                                          PID:1728
                                                        • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                          C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                          4⤵
                                                            PID:188
                                                          • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                            C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                            4⤵
                                                              PID:2188
                                                            • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                              C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                              4⤵
                                                                PID:1640
                                                              • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                                C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                                4⤵
                                                                  PID:748
                                                                • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                                  C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                                  4⤵
                                                                    PID:1764
                                                                  • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                                    C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                                    4⤵
                                                                      PID:1704
                                                                    • C:\Users\Admin\AppData\Roaming\etiscet
                                                                      C:\Users\Admin\AppData\Roaming\etiscet
                                                                      4⤵
                                                                        PID:1376
                                                                      • C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                                        C:\Users\Admin\AppData\Roaming\x86_wpf-presentationhostdll_31bf3856ad364e35_6.1.7601.23403_none_72a612359757f848\urlmon.exe
                                                                        4⤵
                                                                          PID:2740
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                      2⤵
                                                                      • Checks processor information in registry
                                                                      • Modifies data under HKEY_USERS
                                                                      • Modifies registry class
                                                                      PID:1732
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                      2⤵
                                                                        PID:2904
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                        2⤵
                                                                          PID:2960
                                                                      • C:\Users\Admin\AppData\Local\Temp\8 (18).exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\8 (18).exe"
                                                                        1⤵
                                                                        • Loads dropped DLL
                                                                        • Suspicious use of WriteProcessMemory
                                                                        PID:652
                                                                        • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                                                          2⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:1244
                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSCD4EA395\setup_install.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\7zSCD4EA395\setup_install.exe"
                                                                            3⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • Suspicious use of WriteProcessMemory
                                                                            PID:1540
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c sonia_1.exe
                                                                              4⤵
                                                                              • Loads dropped DLL
                                                                              • Suspicious use of WriteProcessMemory
                                                                              PID:1684
                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSCD4EA395\sonia_1.exe
                                                                                sonia_1.exe
                                                                                5⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                PID:1628
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c sonia_2.exe
                                                                              4⤵
                                                                              • Loads dropped DLL
                                                                              PID:2012
                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSCD4EA395\sonia_2.exe
                                                                                sonia_2.exe
                                                                                5⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • Checks SCSI registry key(s)
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious behavior: MapViewOfSection
                                                                                PID:2016
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c sonia_3.exe
                                                                              4⤵
                                                                              • Loads dropped DLL
                                                                              • Suspicious use of WriteProcessMemory
                                                                              PID:2020
                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSCD4EA395\sonia_3.exe
                                                                                sonia_3.exe
                                                                                5⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • Modifies system certificate store
                                                                                PID:1872
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 936
                                                                                  6⤵
                                                                                  • Loads dropped DLL
                                                                                  • Program crash
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1996
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c sonia_4.exe
                                                                              4⤵
                                                                              • Loads dropped DLL
                                                                              PID:1692
                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSCD4EA395\sonia_4.exe
                                                                                sonia_4.exe
                                                                                5⤵
                                                                                • Executes dropped EXE
                                                                                • Modifies system certificate store
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2008
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c sonia_5.exe
                                                                              4⤵
                                                                              • Loads dropped DLL
                                                                              PID:1264
                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSCD4EA395\sonia_5.exe
                                                                                sonia_5.exe
                                                                                5⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • Modifies system certificate store
                                                                                PID:1980
                                                                                • C:\Users\Admin\Documents\_u8IdHvI599zhZ_8DNpD5ap4.exe
                                                                                  "C:\Users\Admin\Documents\_u8IdHvI599zhZ_8DNpD5ap4.exe"
                                                                                  6⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  PID:2156
                                                                                  • C:\Users\Admin\Documents\_u8IdHvI599zhZ_8DNpD5ap4.exe
                                                                                    C:\Users\Admin\Documents\_u8IdHvI599zhZ_8DNpD5ap4.exe
                                                                                    7⤵
                                                                                      PID:2760
                                                                                  • C:\Users\Admin\Documents\YzXYbfB_rk985mWY0navNc2B.exe
                                                                                    "C:\Users\Admin\Documents\YzXYbfB_rk985mWY0navNc2B.exe"
                                                                                    6⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:2140
                                                                                    • C:\Users\Admin\Documents\YzXYbfB_rk985mWY0navNc2B.exe
                                                                                      C:\Users\Admin\Documents\YzXYbfB_rk985mWY0navNc2B.exe
                                                                                      7⤵
                                                                                        PID:2112
                                                                                    • C:\Users\Admin\Documents\mzLVlKdFcqG5t8NaMI8zll1r.exe
                                                                                      "C:\Users\Admin\Documents\mzLVlKdFcqG5t8NaMI8zll1r.exe"
                                                                                      6⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2124
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1428
                                                                                        7⤵
                                                                                        • Program crash
                                                                                        PID:2804
                                                                                    • C:\Users\Admin\Documents\21RmZJ00qR3NvBhXfslL9Ya0.exe
                                                                                      "C:\Users\Admin\Documents\21RmZJ00qR3NvBhXfslL9Ya0.exe"
                                                                                      6⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:2204
                                                                                    • C:\Users\Admin\Documents\ZV9gQjkr7nQuQLLVN00ScBa7.exe
                                                                                      "C:\Users\Admin\Documents\ZV9gQjkr7nQuQLLVN00ScBa7.exe"
                                                                                      6⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:2212
                                                                                    • C:\Users\Admin\Documents\dZHyfEdW08YLMrzqRu11BdZk.exe
                                                                                      "C:\Users\Admin\Documents\dZHyfEdW08YLMrzqRu11BdZk.exe"
                                                                                      6⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:2228
                                                                                    • C:\Users\Admin\Documents\Hz9zHju4i4KS0Jhdf4piLP3V.exe
                                                                                      "C:\Users\Admin\Documents\Hz9zHju4i4KS0Jhdf4piLP3V.exe"
                                                                                      6⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:2240
                                                                                    • C:\Users\Admin\Documents\VTF8IIHvNcQ0oq2C2afhteEb.exe
                                                                                      "C:\Users\Admin\Documents\VTF8IIHvNcQ0oq2C2afhteEb.exe"
                                                                                      6⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2252
                                                                                    • C:\Users\Admin\Documents\PhBRrXT_iJ0TVT3d8rJo0S3X.exe
                                                                                      "C:\Users\Admin\Documents\PhBRrXT_iJ0TVT3d8rJo0S3X.exe"
                                                                                      6⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:2260
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im "PhBRrXT_iJ0TVT3d8rJo0S3X.exe" /f & erase "C:\Users\Admin\Documents\PhBRrXT_iJ0TVT3d8rJo0S3X.exe" & exit
                                                                                        7⤵
                                                                                          PID:1584
                                                                                      • C:\Users\Admin\Documents\_9J0WygztWST3oE0Q4BNtNV1.exe
                                                                                        "C:\Users\Admin\Documents\_9J0WygztWST3oE0Q4BNtNV1.exe"
                                                                                        6⤵
                                                                                          PID:2544
                                                                                          • C:\Users\Admin\Documents\_9J0WygztWST3oE0Q4BNtNV1.exe
                                                                                            "{path}"
                                                                                            7⤵
                                                                                              PID:2188
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im _9J0WygztWST3oE0Q4BNtNV1.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\_9J0WygztWST3oE0Q4BNtNV1.exe" & del C:\ProgramData\*.dll & exit
                                                                                                8⤵
                                                                                                  PID:900
                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                    taskkill /im _9J0WygztWST3oE0Q4BNtNV1.exe /f
                                                                                                    9⤵
                                                                                                    • Kills process with taskkill
                                                                                                    PID:3004
                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                    timeout /t 6
                                                                                                    9⤵
                                                                                                    • Delays execution with timeout.exe
                                                                                                    PID:2696
                                                                                            • C:\Users\Admin\Documents\cw3946SpdbirPVy6fnxnEuVW.exe
                                                                                              "C:\Users\Admin\Documents\cw3946SpdbirPVy6fnxnEuVW.exe"
                                                                                              6⤵
                                                                                                PID:2536
                                                                                              • C:\Users\Admin\Documents\JZH7ShNKMN9AtwJdMSnM0Mfe.exe
                                                                                                "C:\Users\Admin\Documents\JZH7ShNKMN9AtwJdMSnM0Mfe.exe"
                                                                                                6⤵
                                                                                                  PID:2524
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /c taskkill /im JZH7ShNKMN9AtwJdMSnM0Mfe.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\JZH7ShNKMN9AtwJdMSnM0Mfe.exe" & del C:\ProgramData\*.dll & exit
                                                                                                    7⤵
                                                                                                      PID:2152
                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                        taskkill /im JZH7ShNKMN9AtwJdMSnM0Mfe.exe /f
                                                                                                        8⤵
                                                                                                        • Kills process with taskkill
                                                                                                        PID:2188
                                                                                                      • C:\Windows\SysWOW64\timeout.exe
                                                                                                        timeout /t 6
                                                                                                        8⤵
                                                                                                        • Delays execution with timeout.exe
                                                                                                        PID:720
                                                                                                  • C:\Users\Admin\Documents\mK1pD3K6d9m692bVbPMqqTnO.exe
                                                                                                    "C:\Users\Admin\Documents\mK1pD3K6d9m692bVbPMqqTnO.exe"
                                                                                                    6⤵
                                                                                                      PID:2512
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im "mK1pD3K6d9m692bVbPMqqTnO.exe" /f & erase "C:\Users\Admin\Documents\mK1pD3K6d9m692bVbPMqqTnO.exe" & exit
                                                                                                        7⤵
                                                                                                          PID:2272
                                                                                                      • C:\Users\Admin\Documents\RmovI25g3xgMSDEG3gZWdTP6.exe
                                                                                                        "C:\Users\Admin\Documents\RmovI25g3xgMSDEG3gZWdTP6.exe"
                                                                                                        6⤵
                                                                                                          PID:2500
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im "RmovI25g3xgMSDEG3gZWdTP6.exe" /f & erase "C:\Users\Admin\Documents\RmovI25g3xgMSDEG3gZWdTP6.exe" & exit
                                                                                                            7⤵
                                                                                                              PID:3064
                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                taskkill /im "RmovI25g3xgMSDEG3gZWdTP6.exe" /f
                                                                                                                8⤵
                                                                                                                • Kills process with taskkill
                                                                                                                PID:240
                                                                                                          • C:\Users\Admin\Documents\aFZxLpkmfCEv4E1Veks4wQem.exe
                                                                                                            "C:\Users\Admin\Documents\aFZxLpkmfCEv4E1Veks4wQem.exe"
                                                                                                            6⤵
                                                                                                              PID:2564
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                7⤵
                                                                                                                  PID:2816
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                  7⤵
                                                                                                                    PID:2036
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                    7⤵
                                                                                                                      PID:2716
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                      7⤵
                                                                                                                        PID:1740
                                                                                                                    • C:\Users\Admin\Documents\WPEnLv3Xt4WtSgeZW_Z2_9gB.exe
                                                                                                                      "C:\Users\Admin\Documents\WPEnLv3Xt4WtSgeZW_Z2_9gB.exe"
                                                                                                                      6⤵
                                                                                                                        PID:2672
                                                                                                                        • C:\Users\Admin\Documents\WPEnLv3Xt4WtSgeZW_Z2_9gB.exe
                                                                                                                          "C:\Users\Admin\Documents\WPEnLv3Xt4WtSgeZW_Z2_9gB.exe" -q
                                                                                                                          7⤵
                                                                                                                            PID:2448
                                                                                                                        • C:\Users\Admin\Documents\pB1lPGa9_nOf5wxCYURC7EnB.exe
                                                                                                                          "C:\Users\Admin\Documents\pB1lPGa9_nOf5wxCYURC7EnB.exe"
                                                                                                                          6⤵
                                                                                                                            PID:2648
                                                                                                                          • C:\Users\Admin\Documents\hyQt52cy0nJzdLMDzyhHShD3.exe
                                                                                                                            "C:\Users\Admin\Documents\hyQt52cy0nJzdLMDzyhHShD3.exe"
                                                                                                                            6⤵
                                                                                                                              PID:2636
                                                                                                                            • C:\Users\Admin\Documents\vWWKi5OBZEz5Z32SIHQHoQhd.exe
                                                                                                                              "C:\Users\Admin\Documents\vWWKi5OBZEz5Z32SIHQHoQhd.exe"
                                                                                                                              6⤵
                                                                                                                                PID:2624
                                                                                                                                • C:\Users\Admin\Documents\vWWKi5OBZEz5Z32SIHQHoQhd.exe
                                                                                                                                  "C:\Users\Admin\Documents\vWWKi5OBZEz5Z32SIHQHoQhd.exe"
                                                                                                                                  7⤵
                                                                                                                                    PID:432
                                                                                                                                • C:\Users\Admin\Documents\zd5M9TG5pehb60SPsH308ZE9.exe
                                                                                                                                  "C:\Users\Admin\Documents\zd5M9TG5pehb60SPsH308ZE9.exe"
                                                                                                                                  6⤵
                                                                                                                                    PID:2608
                                                                                                                                    • C:\Users\Admin\AppData\Roaming\7699970.exe
                                                                                                                                      "C:\Users\Admin\AppData\Roaming\7699970.exe"
                                                                                                                                      7⤵
                                                                                                                                        PID:2692
                                                                                                                                        • C:\Windows\system32\WerFault.exe
                                                                                                                                          C:\Windows\system32\WerFault.exe -u -p 2692 -s 1084
                                                                                                                                          8⤵
                                                                                                                                          • Program crash
                                                                                                                                          PID:664
                                                                                                                                    • C:\Users\Admin\Documents\ibJ6MFOkbx3LN6Kfw4qZ31KD.exe
                                                                                                                                      "C:\Users\Admin\Documents\ibJ6MFOkbx3LN6Kfw4qZ31KD.exe"
                                                                                                                                      6⤵
                                                                                                                                        PID:2600
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-54SQQ.tmp\ibJ6MFOkbx3LN6Kfw4qZ31KD.tmp
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-54SQQ.tmp\ibJ6MFOkbx3LN6Kfw4qZ31KD.tmp" /SL5="$3019C,138429,56832,C:\Users\Admin\Documents\ibJ6MFOkbx3LN6Kfw4qZ31KD.exe"
                                                                                                                                          7⤵
                                                                                                                                            PID:2992
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c sonia_6.exe
                                                                                                                                      4⤵
                                                                                                                                      • Loads dropped DLL
                                                                                                                                      PID:1056
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSCD4EA395\sonia_6.exe
                                                                                                                                        sonia_6.exe
                                                                                                                                        5⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Loads dropped DLL
                                                                                                                                        • Adds Run key to start application
                                                                                                                                        PID:576
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                          6⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Loads dropped DLL
                                                                                                                                          PID:796
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                          6⤵
                                                                                                                                            PID:2880
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                            6⤵
                                                                                                                                              PID:2856
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                              6⤵
                                                                                                                                                PID:2164
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c sonia_7.exe
                                                                                                                                            4⤵
                                                                                                                                              PID:556
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 412
                                                                                                                                              4⤵
                                                                                                                                              • Loads dropped DLL
                                                                                                                                              • Program crash
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:1616
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSCD4EA395\sonia_1.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zSCD4EA395\sonia_1.exe" -a
                                                                                                                                        1⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Loads dropped DLL
                                                                                                                                        PID:1948
                                                                                                                                      • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                        1⤵
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        PID:2036
                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                          2⤵
                                                                                                                                          • Loads dropped DLL
                                                                                                                                          • Modifies registry class
                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          PID:900
                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                        taskkill /im "mK1pD3K6d9m692bVbPMqqTnO.exe" /f
                                                                                                                                        1⤵
                                                                                                                                        • Kills process with taskkill
                                                                                                                                        PID:2540
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\C9C5.exe
                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\C9C5.exe
                                                                                                                                        1⤵
                                                                                                                                          PID:2852
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\6AB6.exe
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\6AB6.exe
                                                                                                                                          1⤵
                                                                                                                                            PID:1200
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\CBAB.exe
                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\CBAB.exe
                                                                                                                                            1⤵
                                                                                                                                              PID:1752
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\CBAB.exe
                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\CBAB.exe
                                                                                                                                                2⤵
                                                                                                                                                  PID:2548

                                                                                                                                              Network

                                                                                                                                              MITRE ATT&CK Enterprise v6

                                                                                                                                              Replay Monitor

                                                                                                                                              Loading Replay Monitor...

                                                                                                                                              Downloads

                                                                                                                                              • memory/432-430-0x0000000000400000-0x0000000003096000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                44.6MB

                                                                                                                                                Download

                                                                                                                                              • memory/432-429-0x0000000004E70000-0x0000000005796000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                9.1MB

                                                                                                                                                Download

                                                                                                                                              • memory/652-59-0x0000000075C31000-0x0000000075C33000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                8KB

                                                                                                                                                Download

                                                                                                                                              • memory/664-431-0x0000000000220000-0x0000000000221000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/876-181-0x0000000001AD0000-0x0000000001B41000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                452KB

                                                                                                                                                Download

                                                                                                                                              • memory/876-179-0x0000000000490000-0x00000000004DC000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                304KB

                                                                                                                                                Download

                                                                                                                                              • memory/900-177-0x0000000000A90000-0x0000000000B91000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                1.0MB

                                                                                                                                                Download

                                                                                                                                              • memory/900-178-0x0000000000820000-0x000000000087D000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                372KB

                                                                                                                                                Download

                                                                                                                                              • memory/1200-437-0x00000000002E0000-0x0000000000373000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                588KB

                                                                                                                                                Download

                                                                                                                                              • memory/1200-438-0x0000000000400000-0x0000000002CAF000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                40.7MB

                                                                                                                                                Download

                                                                                                                                              • memory/1204-187-0x0000000002B50000-0x0000000002B65000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                84KB

                                                                                                                                                Download

                                                                                                                                              • memory/1204-314-0x0000000002D00000-0x0000000002D15000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                84KB

                                                                                                                                                Download

                                                                                                                                              • memory/1204-433-0x0000000003BA0000-0x0000000003BB5000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                84KB

                                                                                                                                                Download

                                                                                                                                              • memory/1540-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                1.5MB

                                                                                                                                                Download

                                                                                                                                              • memory/1540-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                1.5MB

                                                                                                                                                Download

                                                                                                                                              • memory/1540-99-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                572KB

                                                                                                                                                Download

                                                                                                                                              • memory/1540-95-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                1.1MB

                                                                                                                                                Download

                                                                                                                                              • memory/1540-89-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                100KB

                                                                                                                                                Download

                                                                                                                                              • memory/1540-92-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                152KB

                                                                                                                                                Download

                                                                                                                                              • memory/1540-94-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                1.1MB

                                                                                                                                                Download

                                                                                                                                              • memory/1540-97-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                100KB

                                                                                                                                                Download

                                                                                                                                              • memory/1540-88-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                572KB

                                                                                                                                                Download

                                                                                                                                              • memory/1540-96-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                100KB

                                                                                                                                                Download

                                                                                                                                              • memory/1540-93-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                152KB

                                                                                                                                                Download

                                                                                                                                              • memory/1540-98-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                100KB

                                                                                                                                                Download

                                                                                                                                              • memory/1616-184-0x0000000000580000-0x00000000005E0000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                384KB

                                                                                                                                                Download

                                                                                                                                              • memory/1732-182-0x0000000000420000-0x0000000000491000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                452KB

                                                                                                                                                Download

                                                                                                                                              • memory/1872-183-0x0000000000400000-0x00000000008F2000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4.9MB

                                                                                                                                                Download

                                                                                                                                              • memory/1872-180-0x0000000000900000-0x000000000099D000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                628KB

                                                                                                                                                Download

                                                                                                                                              • memory/1996-190-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2008-164-0x000000001AFE0000-0x000000001AFE2000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                8KB

                                                                                                                                                Download

                                                                                                                                              • memory/2008-150-0x0000000001030000-0x0000000001031000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2016-170-0x00000000001D0000-0x00000000001D9000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                36KB

                                                                                                                                                Download

                                                                                                                                              • memory/2016-171-0x0000000000400000-0x0000000000896000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4.6MB

                                                                                                                                                Download

                                                                                                                                              • memory/2112-428-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2156-309-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2156-209-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2204-312-0x0000000000400000-0x0000000002C66000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                40.4MB

                                                                                                                                                Download

                                                                                                                                              • memory/2204-212-0x0000000000240000-0x0000000000249000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                36KB

                                                                                                                                                Download

                                                                                                                                              • memory/2228-208-0x00000000002F0000-0x0000000000309000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                100KB

                                                                                                                                                Download

                                                                                                                                              • memory/2228-207-0x000000001A890000-0x000000001A892000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                8KB

                                                                                                                                                Download

                                                                                                                                              • memory/2228-205-0x0000000000860000-0x0000000000861000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2240-225-0x0000000000EF0000-0x0000000001FDD000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                16.9MB

                                                                                                                                                Download

                                                                                                                                              • memory/2240-245-0x0000000000EF1000-0x0000000000F7F000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                568KB

                                                                                                                                                Download

                                                                                                                                              • memory/2240-247-0x0000000000EF1000-0x0000000000F7F000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                568KB

                                                                                                                                                Download

                                                                                                                                              • memory/2260-313-0x0000000000400000-0x0000000002C81000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                40.5MB

                                                                                                                                                Download

                                                                                                                                              • memory/2260-211-0x0000000000280000-0x00000000002CA000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                296KB

                                                                                                                                                Download

                                                                                                                                              • memory/2500-319-0x0000000000400000-0x0000000002C75000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                40.5MB

                                                                                                                                                Download

                                                                                                                                              • memory/2500-317-0x00000000002D0000-0x00000000002FF000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                188KB

                                                                                                                                                Download

                                                                                                                                              • memory/2512-316-0x0000000000240000-0x000000000026E000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                184KB

                                                                                                                                                Download

                                                                                                                                              • memory/2512-318-0x0000000000400000-0x000000000325A000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                46.4MB

                                                                                                                                                Download

                                                                                                                                              • memory/2524-328-0x0000000000350000-0x00000000003ED000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                628KB

                                                                                                                                                Download

                                                                                                                                              • memory/2536-237-0x00000000003F0000-0x0000000000400000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                64KB

                                                                                                                                                Download

                                                                                                                                              • memory/2536-310-0x0000000000440000-0x0000000000452000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                72KB

                                                                                                                                                Download

                                                                                                                                              • memory/2544-240-0x0000000001080000-0x0000000001081000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2544-324-0x0000000004D70000-0x0000000004D71000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2548-439-0x0000000000400000-0x0000000000432000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                200KB

                                                                                                                                                Download

                                                                                                                                              • memory/2548-440-0x00000000046A1000-0x00000000046A2000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2548-441-0x00000000046A2000-0x00000000046A3000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2548-442-0x00000000046A3000-0x00000000046A4000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2548-443-0x00000000046A4000-0x00000000046A6000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                8KB

                                                                                                                                                Download

                                                                                                                                              • memory/2600-311-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                80KB

                                                                                                                                                Download

                                                                                                                                              • memory/2608-253-0x00000000010E0000-0x00000000010E1000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2624-323-0x0000000000400000-0x0000000003096000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                44.6MB

                                                                                                                                                Download

                                                                                                                                              • memory/2624-322-0x0000000003720000-0x00000000063B6000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                44.6MB

                                                                                                                                                Download

                                                                                                                                              • memory/2656-432-0x0000000000400000-0x0000000000896000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4.6MB

                                                                                                                                                Download

                                                                                                                                              • memory/2852-434-0x0000000000220000-0x000000000024F000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                188KB

                                                                                                                                                Download

                                                                                                                                              • memory/2852-435-0x0000000000400000-0x0000000002C7F000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                40.5MB

                                                                                                                                                Download

                                                                                                                                              • memory/2852-436-0x00000000070E1000-0x00000000070E2000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2904-315-0x0000000000060000-0x00000000000AE000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                312KB

                                                                                                                                                Download

                                                                                                                                              • memory/2904-321-0x0000000000490000-0x0000000000504000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                464KB

                                                                                                                                                Download

                                                                                                                                              • memory/2960-320-0x0000000000500000-0x0000000000574000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                464KB

                                                                                                                                                Download

                                                                                                                                              • memory/2992-325-0x0000000000260000-0x0000000000261000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2992-333-0x0000000000620000-0x0000000000621000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2992-337-0x0000000002270000-0x0000000002271000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2992-258-0x0000000001F50000-0x0000000001F8C000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                240KB

                                                                                                                                                Download

                                                                                                                                              • memory/2992-336-0x00000000020F0000-0x000000000224C000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                1.4MB

                                                                                                                                                Download

                                                                                                                                              • memory/2992-332-0x0000000000610000-0x0000000000611000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download

                                                                                                                                              • memory/2992-331-0x0000000000600000-0x0000000000601000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                                Download