Analysis

  • max time kernel
    6s
  • max time network
    174s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    19-07-2021 22:53

General

  • Target

    8 (23).exe

  • Size

    3.0MB

  • MD5

    bb072cad921aa5ce8b97706ce01bc570

  • SHA1

    18bf034906c1341b7817e7361ad27a4425d820bd

  • SHA256

    817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

  • SHA512

    d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    933

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

Extracted

Family

vidar

Version

39.6

Botnet

865

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    865

Extracted

Family

vidar

Version

39.6

Botnet

903

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    903

Extracted

Family

redline

Botnet

AniNEW

C2

akedauiver.xyz:80

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 7 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • redlinestealer 7 IoCs

    RedlineStealer.

  • Vidar Stealer 6 IoCs
  • ASPack v2.12-2.42 9 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Loads dropped DLL 6 IoCs
  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 16 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8 (23).exe
    "C:\Users\Admin\AppData\Local\Temp\8 (23).exe"
    1⤵
      PID:3016
      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\Users\Admin\AppData\Local\Temp\7zS0899CF44\setup_install.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS0899CF44\setup_install.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3416
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c sonia_1.exe
            4⤵
              PID:3464
              • C:\Users\Admin\AppData\Local\Temp\7zS0899CF44\sonia_1.exe
                sonia_1.exe
                5⤵
                  PID:416
                  • C:\Users\Admin\AppData\Local\Temp\7zS0899CF44\sonia_1.exe
                    "C:\Users\Admin\AppData\Local\Temp\7zS0899CF44\sonia_1.exe" -a
                    6⤵
                      PID:2196
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c sonia_3.exe
                  4⤵
                    PID:3776
                    • C:\Users\Admin\AppData\Local\Temp\7zS0899CF44\sonia_3.exe
                      sonia_3.exe
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3016
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 904
                        6⤵
                        • Program crash
                        PID:3680
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c sonia_4.exe
                    4⤵
                      PID:2144
                      • C:\Users\Admin\AppData\Local\Temp\7zS0899CF44\sonia_4.exe
                        sonia_4.exe
                        5⤵
                          PID:2764
                          • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                            "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                            6⤵
                              PID:2276
                              • C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
                                "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
                                7⤵
                                  PID:4248
                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                    8⤵
                                      PID:4960
                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                      8⤵
                                        PID:5528
                                    • C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe
                                      "C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe"
                                      7⤵
                                        PID:4380
                                        • C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe
                                          C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe
                                          8⤵
                                            PID:5096
                                        • C:\Users\Admin\AppData\Local\Temp\setup 326.exe
                                          "C:\Users\Admin\AppData\Local\Temp\setup 326.exe"
                                          7⤵
                                            PID:4472
                                            • C:\Windows\winnetdriv.exe
                                              "C:\Users\Admin\AppData\Local\Temp\setup 326.exe" 1626746228 0
                                              8⤵
                                                PID:4720
                                            • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                              "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                              7⤵
                                                PID:4572
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 776
                                                  8⤵
                                                  • Program crash
                                                  PID:4816
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 804
                                                  8⤵
                                                  • Program crash
                                                  PID:4840
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 876
                                                  8⤵
                                                  • Program crash
                                                  PID:684
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 948
                                                  8⤵
                                                  • Program crash
                                                  PID:5480
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 996
                                                  8⤵
                                                  • Program crash
                                                  PID:5676
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 960
                                                  8⤵
                                                  • Program crash
                                                  PID:5908
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1064
                                                  8⤵
                                                  • Program crash
                                                  PID:5412
                                              • C:\Users\Admin\AppData\Local\Temp\zhangd.exe
                                                "C:\Users\Admin\AppData\Local\Temp\zhangd.exe"
                                                7⤵
                                                  PID:4732
                                                  • C:\Users\Admin\AppData\Local\Temp\zhangd.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\zhangd.exe" -a
                                                    8⤵
                                                      PID:1736
                                                  • C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                                                    7⤵
                                                      PID:4920
                                                      • C:\Windows\system32\WerFault.exe
                                                        C:\Windows\system32\WerFault.exe -u -p 4920 -s 1004
                                                        8⤵
                                                        • Program crash
                                                        PID:2376
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c sonia_6.exe
                                                4⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:1076
                                                • C:\Users\Admin\AppData\Local\Temp\7zS0899CF44\sonia_6.exe
                                                  sonia_6.exe
                                                  5⤵
                                                  • Executes dropped EXE
                                                  PID:988
                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                    6⤵
                                                      PID:3196
                                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                      6⤵
                                                        PID:500
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c sonia_7.exe
                                                    4⤵
                                                      PID:3636
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c sonia_5.exe
                                                      4⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1080
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c sonia_2.exe
                                                      4⤵
                                                        PID:1484
                                                • C:\Users\Admin\AppData\Local\Temp\7zS0899CF44\sonia_5.exe
                                                  sonia_5.exe
                                                  1⤵
                                                  • Executes dropped EXE
                                                  PID:3856
                                                  • C:\Users\Admin\Documents\JVZgLKj7guLwmLxFCu2YdbeU.exe
                                                    "C:\Users\Admin\Documents\JVZgLKj7guLwmLxFCu2YdbeU.exe"
                                                    2⤵
                                                      PID:996
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
                                                        3⤵
                                                          PID:4620
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            cmd
                                                            4⤵
                                                              PID:5000
                                                        • C:\Users\Admin\Documents\o0e4IcGNDQANAigBdZn2fmDj.exe
                                                          "C:\Users\Admin\Documents\o0e4IcGNDQANAigBdZn2fmDj.exe"
                                                          2⤵
                                                            PID:788
                                                          • C:\Users\Admin\Documents\_vuRwoRfNfPwVMFr0rHl2yBc.exe
                                                            "C:\Users\Admin\Documents\_vuRwoRfNfPwVMFr0rHl2yBc.exe"
                                                            2⤵
                                                              PID:2784
                                                              • C:\Users\Admin\Documents\_vuRwoRfNfPwVMFr0rHl2yBc.exe
                                                                C:\Users\Admin\Documents\_vuRwoRfNfPwVMFr0rHl2yBc.exe
                                                                3⤵
                                                                  PID:4364
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /c taskkill /im _vuRwoRfNfPwVMFr0rHl2yBc.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\_vuRwoRfNfPwVMFr0rHl2yBc.exe" & del C:\ProgramData\*.dll & exit
                                                                    4⤵
                                                                      PID:6176
                                                                • C:\Users\Admin\Documents\VNK0nXcKsq23u8xsKUgsEp23.exe
                                                                  "C:\Users\Admin\Documents\VNK0nXcKsq23u8xsKUgsEp23.exe"
                                                                  2⤵
                                                                    PID:4640
                                                                    • C:\Users\Admin\Documents\VNK0nXcKsq23u8xsKUgsEp23.exe
                                                                      C:\Users\Admin\Documents\VNK0nXcKsq23u8xsKUgsEp23.exe
                                                                      3⤵
                                                                        PID:4312
                                                                    • C:\Users\Admin\Documents\mqrnl8Mcvj_Ov_VxP84E5rpd.exe
                                                                      "C:\Users\Admin\Documents\mqrnl8Mcvj_Ov_VxP84E5rpd.exe"
                                                                      2⤵
                                                                        PID:4396
                                                                      • C:\Users\Admin\Documents\QTclbTgpNMM3J5nK_kIHrDcv.exe
                                                                        "C:\Users\Admin\Documents\QTclbTgpNMM3J5nK_kIHrDcv.exe"
                                                                        2⤵
                                                                          PID:4388
                                                                        • C:\Users\Admin\Documents\RByIivWaB1l_UOl9Zv7yhugu.exe
                                                                          "C:\Users\Admin\Documents\RByIivWaB1l_UOl9Zv7yhugu.exe"
                                                                          2⤵
                                                                            PID:4500
                                                                            • C:\Users\Admin\Documents\RByIivWaB1l_UOl9Zv7yhugu.exe
                                                                              "C:\Users\Admin\Documents\RByIivWaB1l_UOl9Zv7yhugu.exe" -a
                                                                              3⤵
                                                                                PID:4552
                                                                            • C:\Users\Admin\Documents\dcNM2xWV8qTFn4hannclCaTF.exe
                                                                              "C:\Users\Admin\Documents\dcNM2xWV8qTFn4hannclCaTF.exe"
                                                                              2⤵
                                                                                PID:4544
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 908
                                                                                  3⤵
                                                                                  • Program crash
                                                                                  PID:5704
                                                                              • C:\Users\Admin\Documents\N5kbv3s_qqQzfKQt4jxPsmVN.exe
                                                                                "C:\Users\Admin\Documents\N5kbv3s_qqQzfKQt4jxPsmVN.exe"
                                                                                2⤵
                                                                                  PID:2104
                                                                                • C:\Users\Admin\Documents\BWolAaq271Sa_DM_YeLLECow.exe
                                                                                  "C:\Users\Admin\Documents\BWolAaq271Sa_DM_YeLLECow.exe"
                                                                                  2⤵
                                                                                    PID:4428
                                                                                  • C:\Users\Admin\Documents\jou3ixt3CBviJrp9QbM_mthN.exe
                                                                                    "C:\Users\Admin\Documents\jou3ixt3CBviJrp9QbM_mthN.exe"
                                                                                    2⤵
                                                                                      PID:4748
                                                                                      • C:\Users\Admin\Documents\jou3ixt3CBviJrp9QbM_mthN.exe
                                                                                        C:\Users\Admin\Documents\jou3ixt3CBviJrp9QbM_mthN.exe
                                                                                        3⤵
                                                                                          PID:3572
                                                                                      • C:\Users\Admin\Documents\8lSh1Vvv6sQSpddEo91Ov3vO.exe
                                                                                        "C:\Users\Admin\Documents\8lSh1Vvv6sQSpddEo91Ov3vO.exe"
                                                                                        2⤵
                                                                                          PID:4168
                                                                                        • C:\Users\Admin\Documents\vJ1IOOhn2OemMf6foBMW9foP.exe
                                                                                          "C:\Users\Admin\Documents\vJ1IOOhn2OemMf6foBMW9foP.exe"
                                                                                          2⤵
                                                                                            PID:2184
                                                                                            • C:\Users\Admin\Documents\vJ1IOOhn2OemMf6foBMW9foP.exe
                                                                                              "C:\Users\Admin\Documents\vJ1IOOhn2OemMf6foBMW9foP.exe"
                                                                                              3⤵
                                                                                                PID:4816
                                                                                            • C:\Users\Admin\Documents\kUnEr_lSv0s37tzd7KDkdxNG.exe
                                                                                              "C:\Users\Admin\Documents\kUnEr_lSv0s37tzd7KDkdxNG.exe"
                                                                                              2⤵
                                                                                                PID:3848
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 664
                                                                                                  3⤵
                                                                                                  • Program crash
                                                                                                  PID:4164
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 672
                                                                                                  3⤵
                                                                                                  • Program crash
                                                                                                  PID:5380
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 644
                                                                                                  3⤵
                                                                                                  • Program crash
                                                                                                  PID:5624
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 708
                                                                                                  3⤵
                                                                                                  • Program crash
                                                                                                  PID:5796
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 856
                                                                                                  3⤵
                                                                                                  • Program crash
                                                                                                  PID:6140
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1004
                                                                                                  3⤵
                                                                                                  • Program crash
                                                                                                  PID:6484
                                                                                              • C:\Users\Admin\Documents\qNkrgmVk7MNF9P_JHQttR0s7.exe
                                                                                                "C:\Users\Admin\Documents\qNkrgmVk7MNF9P_JHQttR0s7.exe"
                                                                                                2⤵
                                                                                                  PID:1304
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                    3⤵
                                                                                                      PID:5244
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                      3⤵
                                                                                                        PID:5820
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                        3⤵
                                                                                                          PID:5488
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      3⤵
        PID:5904
  • C:\Users\Admin\Documents\k1qE2eNvjcyyI805DZ_UtkUK.exe
    "C:\Users\Admin\Documents\k1qE2eNvjcyyI805DZ_UtkUK.exe"
    2⤵
      PID:2296
  • C:\Users\Admin\Documents\TEsOjemfJiQSTWlG5q3v5BTN.exe
    "C:\Users\Admin\Documents\TEsOjemfJiQSTWlG5q3v5BTN.exe"
    2⤵
      PID:4408
  • C:\Users\Admin\Documents\j2CX_2c2UbOd2faDguMy4DXT.exe
    "C:\Users\Admin\Documents\j2CX_2c2UbOd2faDguMy4DXT.exe"
    2⤵
      PID:5052
  • C:\Users\Admin\Documents\RLEXiRXWq7AIhqK_HGrwW1mb.exe
    "C:\Users\Admin\Documents\RLEXiRXWq7AIhqK_HGrwW1mb.exe"
    2⤵
      PID:4788
• C:\Users\Admin\AppData\Local\Temp\7zS0899CF44\sonia_2.exe
  sonia_2.exe
  1⤵
    PID:1680
• C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
  • Process spawned unexpected child process
    PID:3020
  • C:\Windows\SysWOW64\rundll32.exe
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    2⤵
      PID:1676
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  1⤵
    PID:2096
• C:\Users\Admin\Documents\j2CX_2c2UbOd2faDguMy4DXT.exe
  C:\Users\Admin\Documents\j2CX_2c2UbOd2faDguMy4DXT.exe
  1⤵
    PID:4368
• C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  1⤵
    PID:496
  • C:\Users\Admin\AppData\Local\Temp\7zS0F128406\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0F128406\setup_install.exe"
    2⤵
      PID:3772
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c karotima_2.exe
      3⤵
        PID:5220
      • C:\Users\Admin\AppData\Local\Temp\7zS0F128406\karotima_2.exe
        karotima_2.exe
        4⤵
          PID:5616
        • C:\Users\Admin\AppData\Local\Temp\7zS0F128406\karotima_2.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS0F128406\karotima_2.exe" -a
          5⤵
            PID:6004
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c karotima_1.exe
      3⤵
        PID:5212
      • C:\Users\Admin\AppData\Local\Temp\7zS0F128406\karotima_1.exe
        karotima_1.exe
        4⤵
          PID:5608
        • C:\Users\Admin\Documents\4DEhUhCe8L2VBMiG8VIHxdS8.exe
          "C:\Users\Admin\Documents\4DEhUhCe8L2VBMiG8VIHxdS8.exe"
          5⤵
            PID:6024
          • C:\Users\Admin\Documents\4DEhUhCe8L2VBMiG8VIHxdS8.exe
            C:\Users\Admin\Documents\4DEhUhCe8L2VBMiG8VIHxdS8.exe
            6⤵
              PID:6864
        • C:\Users\Admin\Documents\i12bOrGpBHP6nu8te4tziZWr.exe
          "C:\Users\Admin\Documents\i12bOrGpBHP6nu8te4tziZWr.exe"
          5⤵
            PID:612
          • C:\Users\Admin\Documents\i12bOrGpBHP6nu8te4tziZWr.exe
            C:\Users\Admin\Documents\i12bOrGpBHP6nu8te4tziZWr.exe
            6⤵
              PID:6880
        • C:\Users\Admin\Documents\Q3bYAZes5K56SSye4T1Wba1F.exe
          "C:\Users\Admin\Documents\Q3bYAZes5K56SSye4T1Wba1F.exe"
          5⤵
            PID:6076
        • C:\Users\Admin\Documents\R4dG_Ubhl4xPX3WsjuK2favM.exe
          "C:\Users\Admin\Documents\R4dG_Ubhl4xPX3WsjuK2favM.exe"
          5⤵
            PID:5156
        • C:\Users\Admin\Documents\Nj2SoaDuat6Nxhzi63V20D0t.exe
          "C:\Users\Admin\Documents\Nj2SoaDuat6Nxhzi63V20D0t.exe"
          5⤵
            PID:4768
          • C:\Users\Admin\Documents\Nj2SoaDuat6Nxhzi63V20D0t.exe
            C:\Users\Admin\Documents\Nj2SoaDuat6Nxhzi63V20D0t.exe
            6⤵
              PID:7104
        • C:\Users\Admin\Documents\iS_Y1oKRdPsa5QslbDrgj42M.exe
          "C:\Users\Admin\Documents\iS_Y1oKRdPsa5QslbDrgj42M.exe"
          5⤵
            PID:5936
        • C:\Users\Admin\Documents\O_rQyOPRNm_grA7HVz5UmSx9.exe
          "C:\Users\Admin\Documents\O_rQyOPRNm_grA7HVz5UmSx9.exe"
          5⤵
            PID:5928
        • C:\Users\Admin\Documents\ub8u7sKjV_uM87eNeZvJbbIt.exe
          "C:\Users\Admin\Documents\ub8u7sKjV_uM87eNeZvJbbIt.exe"
          5⤵
            PID:2896
        • C:\Users\Admin\Documents\7_BfstJ4iFlJs15hZ7HeOW5s.exe
          "C:\Users\Admin\Documents\7_BfstJ4iFlJs15hZ7HeOW5s.exe"
          5⤵
            PID:5388
        • C:\Users\Admin\Documents\vJ8TY9RMVSfSwwDR8eSveXL0.exe
          "C:\Users\Admin\Documents\vJ8TY9RMVSfSwwDR8eSveXL0.exe"
          5⤵
            PID:6240
        • C:\Users\Admin\Documents\9fWP1iytSHSrKrDG5p2Zz8RD.exe
          "C:\Users\Admin\Documents\9fWP1iytSHSrKrDG5p2Zz8RD.exe"
          5⤵
            PID:5048
        • C:\Users\Admin\Documents\E4wsA__B3jrwTEGqyABNhL2T.exe
          "C:\Users\Admin\Documents\E4wsA__B3jrwTEGqyABNhL2T.exe"
          5⤵
            PID:6080
        • C:\Users\Admin\Documents\dYRZpRyvvzNggn9Adi0zY6fA.exe
          "C:\Users\Admin\Documents\dYRZpRyvvzNggn9Adi0zY6fA.exe"
          5⤵
            PID:5140
        • C:\Users\Admin\Documents\EVad6TKdZzLX6xOVKcmmPqTw.exe
          "C:\Users\Admin\Documents\EVad6TKdZzLX6xOVKcmmPqTw.exe"
          5⤵
            PID:5688
        • C:\Users\Admin\Documents\eZpUp38tQkrRz2EWFqUUBSYD.exe
          "C:\Users\Admin\Documents\eZpUp38tQkrRz2EWFqUUBSYD.exe"
          5⤵
            PID:5136
        • C:\Users\Admin\Documents\bFMxQd7qSYNsqtmSvLKikmFH.exe
          "C:\Users\Admin\Documents\bFMxQd7qSYNsqtmSvLKikmFH.exe"
          5⤵
            PID:196
        • C:\Users\Admin\Documents\fhomcLjts4wxBA8EUddOsyBx.exe
          "C:\Users\Admin\Documents\fhomcLjts4wxBA8EUddOsyBx.exe"
          5⤵
            PID:5976
        • C:\Users\Admin\Documents\V0Fc4dVOeCEuxluIb1wSOKVF.exe
          "C:\Users\Admin\Documents\V0Fc4dVOeCEuxluIb1wSOKVF.exe"
          5⤵
            PID:496
        • C:\Users\Admin\Documents\nL85jkph2NEcbqI__zIrwkNt.exe
          "C:\Users\Admin\Documents\nL85jkph2NEcbqI__zIrwkNt.exe"
          5⤵
            PID:6696
        • C:\Users\Admin\Documents\yu7rKBPC5z4YMHagLcwHyAhm.exe
          "C:\Users\Admin\Documents\yu7rKBPC5z4YMHagLcwHyAhm.exe"
          5⤵
            PID:6932
• C:\Users\Admin\Documents\k1qE2eNvjcyyI805DZ_UtkUK.exe
  C:\Users\Admin\Documents\k1qE2eNvjcyyI805DZ_UtkUK.exe
  1⤵
    PID:2132
• C:\Users\Admin\Documents\RLEXiRXWq7AIhqK_HGrwW1mb.exe
  C:\Users\Admin\Documents\RLEXiRXWq7AIhqK_HGrwW1mb.exe
  1⤵
    PID:4476
• C:\Users\Admin\AppData\Local\Temp\1D58.exe
  C:\Users\Admin\AppData\Local\Temp\1D58.exe
  1⤵
    PID:2196
• C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat" "
  1⤵
    PID:4676
  • C:\Windows\SysWOW64\explorer.exe
    explorer https://iplogger.org/2LBCU6
    2⤵
      PID:4796
• C:\Users\Admin\Documents\k1qE2eNvjcyyI805DZ_UtkUK.exe
  C:\Users\Admin\Documents\k1qE2eNvjcyyI805DZ_UtkUK.exe
  1⤵
    PID:2848
• C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
    PID:2108
• C:\Windows\explorer.exe
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  1⤵
    PID:5236
• C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
  "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
  1⤵
    PID:3644
                                                                                                                                                                                                      • C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
                                                                                                                                                                                                        "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:6940
                                                                                                                                                                                                      • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                                                                                        PID:4928
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\5D11.exe
                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\5D11.exe
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                          PID:6100
                                                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                            PID:5464
                                                                                                                                                                                                          • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                            rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                            PID:5148
                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                              PID:4608
                                                                                                                                                                                                            • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                              C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:6432

                                                                                                                                                                                                              Network

                                                                                                                                                                                                              MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                              Downloads


                                                                                                                                                                                                              • memory/2764-166-0x00000000023A0000-0x00000000023A2000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                8KB

                                                                                                                                                                                                              • memory/2784-293-0x00000000005C0000-0x00000000005C1000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                4KB

                                                                                                                                                                                                              • memory/2784-312-0x0000000005020000-0x0000000005021000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                4KB

                                                                                                                                                                                                              • memory/2848-462-0x00000000052F0000-0x00000000058F6000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                6.0MB

                                                                                                                                                                                                              • memory/3016-192-0x0000000000BE0000-0x0000000000C7D000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                628KB

                                                                                                                                                                                                              • memory/3016-198-0x0000000000400000-0x00000000008F2000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                4.9MB

                                                                                                                                                                                                              • memory/3024-269-0x0000000000CD0000-0x0000000000CE5000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                84KB

                                                                                                                                                                                                              • memory/3416-133-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                152KB

                                                                                                                                                                                                              • memory/3416-145-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                100KB

                                                                                                                                                                                                              • memory/3416-134-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                1.1MB

                                                                                                                                                                                                              • memory/3416-131-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                572KB

                                                                                                                                                                                                              • memory/3416-148-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                100KB

                                                                                                                                                                                                              • memory/3416-151-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                100KB

                                                                                                                                                                                                              • memory/3416-149-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                100KB

                                                                                                                                                                                                              • memory/3416-132-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                1.5MB

                                                                                                                                                                                                              • memory/3572-441-0x0000000004D20000-0x0000000005326000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                6.0MB

                                                                                                                                                                                                              • memory/3624-184-0x0000027F21600000-0x0000027F2164C000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                304KB

                                                                                                                                                                                                              • memory/3624-433-0x0000027F21650000-0x0000027F2169C000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                304KB

                                                                                                                                                                                                              • memory/3624-188-0x0000027F216C0000-0x0000027F21731000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                452KB

                                                                                                                                                                                                              • memory/3624-434-0x0000027F21900000-0x0000027F21971000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                452KB

                                                                                                                                                                                                              • memory/3644-456-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                4KB

                                                                                                                                                                                                              • memory/3848-461-0x00000000008B0000-0x00000000009FA000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                1.3MB

                                                                                                                                                                                                              • memory/4312-458-0x0000000005780000-0x0000000005D86000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                6.0MB

                                                                                                                                                                                                              • memory/4364-408-0x0000000000400000-0x00000000004A1000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                644KB

                                                                                                                                                                                                              • memory/4368-425-0x0000000004CA0000-0x00000000052A6000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                6.0MB

                                                                                                                                                                                                              • memory/4380-237-0x00000000048E0000-0x00000000048E1000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                4KB

                                                                                                                                                                                                              • memory/4380-232-0x0000000000030000-0x0000000000031000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                4KB

                                                                                                                                                                                                              • memory/4380-253-0x0000000004A90000-0x0000000004A91000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                4KB

                                                                                                                                                                                                              • memory/4380-252-0x0000000000B00000-0x0000000000B01000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                4KB

                                                                                                                                                                                                              • memory/4388-307-0x0000000000400000-0x000000000064F000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                2.3MB

                                                                                                                                                                                                              • memory/4396-373-0x0000000003BD0000-0x0000000003BD1000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                4KB

                                                                                                                                                                                                              • memory/4396-328-0x0000000076E80000-0x000000007700E000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                1.6MB

                                                                                                                                                                                                              • memory/4396-351-0x0000000001370000-0x0000000001371000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                4KB

                                                                                                                                                                                                              • memory/4428-304-0x00000000001A0000-0x00000000001A1000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                4KB

                                                                                                                                                                                                              • memory/4428-349-0x0000000004980000-0x0000000004F86000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                6.0MB

                                                                                                                                                                                                              • memory/4428-344-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                4KB

                                                                                                                                                                                                              • memory/4472-222-0x0000000000400000-0x00000000004E4000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                912KB

                                                                                                                                                                                                              • memory/4476-452-0x0000000004DC0000-0x00000000053C6000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                6.0MB

                                                                                                                                                                                                              • memory/4544-413-0x0000000002690000-0x000000000272D000-memory.dmp

                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                628KB

                                                                                                                                                                                                              • memory/4544-424-0x0000000000400000-0x00000000009F0000-memory.dmp
