Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

022e3c30a1...66.exe

windows7_x64

10

022e3c30a1...66.exe

windows10_x64

10

043d28836f...9f.exe

windows7_x64

10

043d28836f...9f.exe

windows10_x64

10

096fc162ed...c8.exe

windows7_x64

10

096fc162ed...c8.exe

windows10_x64

10

1ad787b5aa...62.exe

windows7_x64

10

1ad787b5aa...62.exe

windows10_x64

10

258cbb13ac...bd.exe

windows7_x64

10

258cbb13ac...bd.exe

windows10_x64

10

25d79c1a50...7f.exe

windows7_x64

10

25d79c1a50...7f.exe

windows10_x64

10

4d27dca0a1...ef.exe

windows7_x64

10

4d27dca0a1...ef.exe

windows10_x64

10

500e7e5c00...44.exe

windows7_x64

10

500e7e5c00...44.exe

windows10_x64

10

578a3a7a2b...b3.exe

windows7_x64

10

578a3a7a2b...b3.exe

windows10_x64

10

7dc7ca2414...84.exe

windows7_x64

10

7dc7ca2414...84.exe

windows10_x64

10

96c9fde298...34.exe

windows7_x64

10

96c9fde298...34.exe

windows10_x64

10

9c4880a98c...82.exe

windows7_x64

10

9c4880a98c...82.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows7_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

acf1b7d80f...e0.exe

windows7_x64

10

acf1b7d80f...e0.exe

windows10_x64

10

ca14b87b56...83.exe

windows7_x64

10

ca14b87b56...83.exe

windows10_x64

10

cbf31d825a...d2.exe

windows7_x64

8

cbf31d825a...d2.exe

windows10_x64

10

Analysis

  • max time kernel
    196s
  • max time network
    205s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    08/11/2021, 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe

  • Size

    3.6MB

  • MD5

    9725f7f222530388cb2743504a6e0667

  • SHA1

    56d0eb91855e326b050c904147f4d9dafc596d70

  • SHA256

    9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782

  • SHA512

    ea5aedb3c3ab725c9afc65481ef7b59cdfad80613aaf43a8e76ec94045824269b008007644cb7943e65e98a87650f7f980afcd66ae1dee7807d84be57c018663

Score
10/10
redlinesmokeloaderfucker2media20aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

fucker2

C2

135.181.129.119:4805

Extracted

Family

redline

Botnet

media20

C2

91.121.67.60:2151

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Executes dropped EXE 32 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 13 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops Chrome extension 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 7 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 10 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 20 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    1⤵
      PID:2796
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s WpnService
      1⤵
        PID:2644
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
        1⤵
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2620
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s BITS
        1⤵
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3176
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Drops file in System32 directory
          • Checks processor information in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          PID:4900
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
        1⤵
          PID:2440
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
          1⤵
            PID:2416
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
            1⤵
              PID:1964
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s SENS
              1⤵
                PID:1440
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s Themes
                1⤵
                  PID:1288
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                  1⤵
                    PID:1216
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                    1⤵
                      PID:1100
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                      1⤵
                      • Drops file in System32 directory
                      PID:1040
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                      1⤵
                        PID:312
                      • C:\Users\Admin\AppData\Local\Temp\9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
                        "C:\Users\Admin\AppData\Local\Temp\9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe"
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1320
                        • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                          "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:1280
                          • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\setup_install.exe
                            "C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\setup_install.exe"
                            3⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of WriteProcessMemory
                            PID:3344
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                              4⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3972
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                                5⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:716
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                              4⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1836
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                5⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2640
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Wed128c2773227671b3f.exe
                              4⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1092
                              • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed128c2773227671b3f.exe
                                Wed128c2773227671b3f.exe
                                5⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                PID:3600
                                • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed128c2773227671b3f.exe
                                  C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed128c2773227671b3f.exe
                                  6⤵
                                  • Executes dropped EXE
                                  PID:4384
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Wed126ca6605dbec0399.exe /mixone
                              4⤵
                              • Suspicious use of WriteProcessMemory
                              PID:668
                              • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed126ca6605dbec0399.exe
                                Wed126ca6605dbec0399.exe /mixone
                                5⤵
                                • Executes dropped EXE
                                PID:3908
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 672
                                  6⤵
                                  • Program crash
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4172
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 808
                                  6⤵
                                  • Program crash
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4468
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 784
                                  6⤵
                                  • Program crash
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4688
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 824
                                  6⤵
                                  • Program crash
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5088
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 948
                                  6⤵
                                  • Program crash
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4784
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1092
                                  6⤵
                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                  • Program crash
                                  PID:3892
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Wed1217e6a0ef74ed.exe
                              4⤵
                              • Suspicious use of WriteProcessMemory
                              PID:360
                              • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed1217e6a0ef74ed.exe
                                Wed1217e6a0ef74ed.exe
                                5⤵
                                • Executes dropped EXE
                                PID:2504
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Wed12fb2a5c52f05816.exe
                              4⤵
                              • Suspicious use of WriteProcessMemory
                              PID:368
                              • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed12fb2a5c52f05816.exe
                                Wed12fb2a5c52f05816.exe
                                5⤵
                                • Executes dropped EXE
                                PID:1148
                                • C:\Windows\SysWOW64\mshta.exe
                                  "C:\Windows\System32\mshta.exe" vBSCripT:cLOSe ( creaTeoBJeCT ( "wSCrIpT.shell" ).RuN ( "CMd.ExE /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed12fb2a5c52f05816.exe"" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If """" =="""" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed12fb2a5c52f05816.exe"" ) do taskkill -F -IM ""%~nxE"" " ,0 , TRUe ) )
                                  6⤵
                                    PID:2076
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed12fb2a5c52f05816.exe" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If "" =="" for %E in ( "C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed12fb2a5c52f05816.exe" ) do taskkill -F -IM "%~nxE"
                                      7⤵
                                        PID:4368
                                        • C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe
                                          VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm
                                          8⤵
                                          • Executes dropped EXE
                                          PID:4528
                                          • C:\Windows\SysWOW64\mshta.exe
                                            "C:\Windows\System32\mshta.exe" vBSCripT:cLOSe ( creaTeoBJeCT ( "wSCrIpT.shell" ).RuN ( "CMd.ExE /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe"" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If ""-PRwIZKFgSE6xyUR7ivEyVbD3Oolfm "" =="""" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe"" ) do taskkill -F -IM ""%~nxE"" " ,0 , TRUe ) )
                                            9⤵
                                              PID:4640
                                              • C:\Windows\SysWOW64\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If "-PRwIZKFgSE6xyUR7ivEyVbD3Oolfm " =="" for %E in ( "C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe" ) do taskkill -F -IM "%~nxE"
                                                10⤵
                                                  PID:4824
                                              • C:\Windows\SysWOW64\mshta.exe
                                                "C:\Windows\System32\mshta.exe" vBSCrIpt: cLoSE ( CREaTEOBjECt ( "wSCRiPt.shell" ). RUn ( "cmD.exE /c eCHo | SEt /P = ""MZ"" > s4AW._YK & CoPy /B /y s4aW._YK + 4kt1N2.SAG + JISYX0.0 CFIfB.3 & DEl 4KT1N2.SAG JiSYX0.0 S4AW._YK& STArt msiexec /y .\CFIFB.3 ", 0 ,TRuE ) )
                                                9⤵
                                                  PID:1804
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /c eCHo | SEt /P = "MZ" > s4AW._YK & CoPy /B /y s4aW._YK+ 4kt1N2.SAG + JISYX0.0 CFIfB.3 & DEl 4KT1N2.SAG JiSYX0.0 S4AW._YK& STArt msiexec /y .\CFIFB.3
                                                    10⤵
                                                      PID:4504
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                                                        11⤵
                                                          PID:2364
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>s4AW._YK"
                                                          11⤵
                                                          • Suspicious use of SetThreadContext
                                                          PID:2932
                                                        • C:\Windows\SysWOW64\msiexec.exe
                                                          msiexec /y .\CFIFB.3
                                                          11⤵
                                                          • Loads dropped DLL
                                                          PID:2272
                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                    taskkill -F -IM "Wed12fb2a5c52f05816.exe"
                                                    8⤵
                                                    • Kills process with taskkill
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:4872
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c Wed120b6f5c6d562.exe
                                            4⤵
                                              PID:3612
                                              • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed120b6f5c6d562.exe
                                                Wed120b6f5c6d562.exe
                                                5⤵
                                                • Executes dropped EXE
                                                PID:3212
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c Wed12bcd18bdbc441.exe
                                              4⤵
                                                PID:1552
                                                • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed12bcd18bdbc441.exe
                                                  Wed12bcd18bdbc441.exe
                                                  5⤵
                                                  • Executes dropped EXE
                                                  PID:2356
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c Wed12859e3c1cf63b6a0.exe
                                                4⤵
                                                  PID:1052
                                                  • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed12859e3c1cf63b6a0.exe
                                                    Wed12859e3c1cf63b6a0.exe
                                                    5⤵
                                                      PID:2268
                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed12859e3c1cf63b6a0.exe
                                                        C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed12859e3c1cf63b6a0.exe
                                                        6⤵
                                                        • Executes dropped EXE
                                                        PID:4400
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c Wed1229427acd4bc167.exe
                                                    4⤵
                                                      PID:956
                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed1229427acd4bc167.exe
                                                        Wed1229427acd4bc167.exe
                                                        5⤵
                                                        • Executes dropped EXE
                                                        • Checks computer location settings
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:3824
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1720
                                                          6⤵
                                                          • Program crash
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:4300
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c Wed121f7e9e92793cf.exe
                                                      4⤵
                                                        PID:3648
                                                        • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed121f7e9e92793cf.exe
                                                          Wed121f7e9e92793cf.exe
                                                          5⤵
                                                          • Executes dropped EXE
                                                          PID:2932
                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed121f7e9e92793cf.exe
                                                            C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed121f7e9e92793cf.exe
                                                            6⤵
                                                            • Executes dropped EXE
                                                            PID:4392
                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed121f7e9e92793cf.exe
                                                            C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed121f7e9e92793cf.exe
                                                            6⤵
                                                            • Executes dropped EXE
                                                            PID:5104
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 596
                                                        4⤵
                                                        • Program crash
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1176
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c Wed1241cc206cfb.exe
                                                        4⤵
                                                          PID:2100
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c Wed12ebaf7883e1890d.exe
                                                          4⤵
                                                            PID:4092
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c Wed129eb9b8859.exe
                                                            4⤵
                                                              PID:1356
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c Wed12fbb08f1dfc28.exe
                                                              4⤵
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:1068
                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed1241cc206cfb.exe
                                                        Wed1241cc206cfb.exe
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2352
                                                        • C:\Users\Admin\AppData\Roaming\7242831.exe
                                                          "C:\Users\Admin\AppData\Roaming\7242831.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:4848
                                                        • C:\Users\Admin\AppData\Roaming\8381407.exe
                                                          "C:\Users\Admin\AppData\Roaming\8381407.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • Checks BIOS information in registry
                                                          • Checks whether UAC is enabled
                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                          • Suspicious use of SetThreadContext
                                                          PID:2268
                                                        • C:\Users\Admin\AppData\Roaming\1057768.exe
                                                          "C:\Users\Admin\AppData\Roaming\1057768.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          PID:4944
                                                          • C:\Windows\SysWOW64\mshta.exe
                                                            "C:\Windows\System32\mshta.exe" vbSCripT: ClOSE ( CREatEobjeCt ( "WsCRIPt.sheLl" ). RuN ( "cMD.eXe /Q/c TyPe ""C:\Users\Admin\AppData\Roaming\1057768.exe"" >qYZE.eXe && sTaRt qYZE.eXE -ptCb5EYRlk5vz& IF """" == """" for %m IN ( ""C:\Users\Admin\AppData\Roaming\1057768.exe"" ) do taskkill /F -im ""%~nXm"" " , 0, tRUe ) )
                                                            3⤵
                                                              PID:4916
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /Q/c TyPe "C:\Users\Admin\AppData\Roaming\1057768.exe" >qYZE.eXe && sTaRt qYZE.eXE -ptCb5EYRlk5vz& IF "" == "" for %m IN ( "C:\Users\Admin\AppData\Roaming\1057768.exe" ) do taskkill /F -im "%~nXm"
                                                                4⤵
                                                                  PID:4768
                                                                  • C:\Users\Admin\AppData\Local\Temp\qYZE.eXe
                                                                    qYZE.eXE -ptCb5EYRlk5vz
                                                                    5⤵
                                                                    • Executes dropped EXE
                                                                    PID:3188
                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                      "C:\Windows\System32\mshta.exe" vbSCripT: ClOSE ( CREatEobjeCt ( "WsCRIPt.sheLl" ). RuN ( "cMD.eXe /Q/c TyPe ""C:\Users\Admin\AppData\Local\Temp\qYZE.eXe"" >qYZE.eXe && sTaRt qYZE.eXE -ptCb5EYRlk5vz& IF ""-ptCb5EYRlk5vz"" == """" for %m IN ( ""C:\Users\Admin\AppData\Local\Temp\qYZE.eXe"" ) do taskkill /F -im ""%~nXm"" " , 0, tRUe ) )
                                                                      6⤵
                                                                        PID:3184
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /Q/c TyPe "C:\Users\Admin\AppData\Local\Temp\qYZE.eXe" >qYZE.eXe && sTaRt qYZE.eXE -ptCb5EYRlk5vz& IF "-ptCb5EYRlk5vz" == "" for %m IN ( "C:\Users\Admin\AppData\Local\Temp\qYZE.eXe" ) do taskkill /F -im "%~nXm"
                                                                          7⤵
                                                                            PID:4820
                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                          "C:\Windows\System32\mshta.exe" VbScRIPt: cLOSe ( CREAteoBJeCT ( "wScripT.sHeLl" ). RuN ( "CMD /R EcHo | sET /P = ""MZ"" > xWMjA.R & cOpY /Y /b xWMJA.R + gVVBI.~ + RTXU4.XIZ + ycAolFG.S + 8YVAB.9U + 6Hi7P2BI.2 BN8YnAg.P & StaRT control.exe .\BN8YNAg.P " , 0 ,TrUE ) )
                                                                          6⤵
                                                                            PID:648
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /R EcHo | sET /P = "MZ" > xWMjA.R & cOpY /Y /b xWMJA.R + gVVBI.~ + RTXU4.XIZ + ycAolFG.S + 8YVAB.9U + 6Hi7P2BI.2 BN8YnAg.P &StaRT control.exe .\BN8YNAg.P
                                                                              7⤵
                                                                                PID:4276
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                                                                  8⤵
                                                                                    PID:4424
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>xWMjA.R"
                                                                                    8⤵
                                                                                      PID:4732
                                                                                    • C:\Windows\SysWOW64\control.exe
                                                                                      control.exe .\BN8YNAg.P
                                                                                      8⤵
                                                                                        PID:712
                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\BN8YNAg.P
                                                                                          9⤵
                                                                                          • Loads dropped DLL
                                                                                          PID:2468
                                                                                          • C:\Windows\system32\RunDll32.exe
                                                                                            C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\BN8YNAg.P
                                                                                            10⤵
                                                                                              PID:4876
                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\BN8YNAg.P
                                                                                                11⤵
                                                                                                • Loads dropped DLL
                                                                                                PID:4908
                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                    taskkill /F -im "1057768.exe"
                                                                                    5⤵
                                                                                    • Kills process with taskkill
                                                                                    PID:4212
                                                                            • C:\Users\Admin\AppData\Roaming\2685791.exe
                                                                              "C:\Users\Admin\AppData\Roaming\2685791.exe"
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • Adds Run key to start application
                                                                              PID:1708
                                                                              • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                3⤵
                                                                                • Executes dropped EXE
                                                                                PID:4412
                                                                            • C:\Users\Admin\AppData\Roaming\4097367.exe
                                                                              "C:\Users\Admin\AppData\Roaming\4097367.exe"
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              PID:2992
                                                                          • C:\Users\Admin\AppData\Local\Temp\is-M25FE.tmp\Wed120b6f5c6d562.tmp
                                                                            "C:\Users\Admin\AppData\Local\Temp\is-M25FE.tmp\Wed120b6f5c6d562.tmp" /SL5="$501D0,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed120b6f5c6d562.exe"
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            PID:1544
                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed120b6f5c6d562.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed120b6f5c6d562.exe" /SILENT
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              PID:2612
                                                                              • C:\Users\Admin\AppData\Local\Temp\is-LSH51.tmp\Wed120b6f5c6d562.tmp
                                                                                "C:\Users\Admin\AppData\Local\Temp\is-LSH51.tmp\Wed120b6f5c6d562.tmp" /SL5="$301AC,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed120b6f5c6d562.exe" /SILENT
                                                                                3⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                PID:3160
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 656
                                                                            1⤵
                                                                            • Drops file in Windows directory
                                                                            • Program crash
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3572
                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed129eb9b8859.exe
                                                                            Wed129eb9b8859.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Checks computer location settings
                                                                            • Drops Chrome extension
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            PID:3292
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1792
                                                                              2⤵
                                                                              • Program crash
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:4292
                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed12ebaf7883e1890d.exe
                                                                            Wed12ebaf7883e1890d.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3376
                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0055F3F6\Wed12fbb08f1dfc28.exe
                                                                            Wed12fbb08f1dfc28.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Checks SCSI registry key(s)
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious behavior: MapViewOfSection
                                                                            PID:1796
                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                            1⤵
                                                                            • Loads dropped DLL
                                                                            • Modifies registry class
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:4704
                                                                          • C:\Windows\system32\rundll32.exe
                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            PID:4672
                                                                          • C:\Users\Admin\AppData\Local\Temp\3C21.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\3C21.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Drops startup file
                                                                            PID:4656
                                                                            • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                                                              "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: AddClipboardFormatListener
                                                                              PID:60

                                                                          Network

                                                                          MITRE ATT&CK Enterprise v6

                                                                          Replay Monitor

                                                                          Loading Replay Monitor...

                                                                          Downloads

                                                                          • memory/312-966-0x0000014644120000-0x0000014644192000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/312-311-0x00000146438C0000-0x00000146438C2000-memory.dmp

                                                                            Filesize

                                                                            8KB

                                                                            Download

                                                                          • memory/312-314-0x00000146438C0000-0x00000146438C2000-memory.dmp

                                                                            Filesize

                                                                            8KB

                                                                            Download

                                                                          • memory/312-332-0x00000146440A0000-0x0000014644112000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/716-294-0x0000000008030000-0x0000000008031000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/716-270-0x00000000072A0000-0x00000000072A1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/716-243-0x0000000003140000-0x0000000003141000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/716-219-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/716-273-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/716-481-0x0000000003143000-0x0000000003144000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/716-217-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/716-456-0x000000007EF50000-0x000000007EF51000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/716-282-0x0000000007CA0000-0x0000000007CA1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/716-249-0x0000000003142000-0x0000000003143000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/716-300-0x0000000008550000-0x0000000008551000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/716-280-0x0000000007C30000-0x0000000007C31000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/1040-357-0x00000168D8D20000-0x00000168D8D92000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/1100-354-0x0000026EF9840000-0x0000026EF98B2000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/1216-383-0x000001EA53000000-0x000001EA53072000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/1288-381-0x00000224385D0000-0x0000022438642000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/1440-365-0x0000014420F10000-0x0000014420F82000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/1440-965-0x0000014421080000-0x00000144210F2000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/1544-222-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/1796-187-0x00000000031A1000-0x00000000031B2000-memory.dmp

                                                                            Filesize

                                                                            68KB

                                                                            Download

                                                                          • memory/1796-215-0x0000000000400000-0x0000000002DAA000-memory.dmp

                                                                            Filesize

                                                                            41.7MB

                                                                            Download

                                                                          • memory/1796-209-0x0000000000030000-0x0000000000039000-memory.dmp

                                                                            Filesize

                                                                            36KB

                                                                            Download

                                                                          • memory/1964-364-0x00000170E1780000-0x00000170E17F2000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/2268-419-0x00000000053B0000-0x00000000053B1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2268-262-0x00000000056A0000-0x00000000056A1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2268-265-0x0000000005660000-0x00000000056D6000-memory.dmp

                                                                            Filesize

                                                                            472KB

                                                                            Download

                                                                          • memory/2268-395-0x0000000077050000-0x00000000771DE000-memory.dmp

                                                                            Filesize

                                                                            1.6MB

                                                                            Download

                                                                          • memory/2268-227-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2272-570-0x00000000051F0000-0x000000000529D000-memory.dmp

                                                                            Filesize

                                                                            692KB

                                                                            Download

                                                                          • memory/2272-574-0x0000000005350000-0x00000000053FC000-memory.dmp

                                                                            Filesize

                                                                            688KB

                                                                            Download

                                                                          • memory/2352-244-0x0000000007A10000-0x0000000007A11000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2352-225-0x0000000000C20000-0x0000000000C21000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2416-338-0x000001FC5A550000-0x000001FC5A5C2000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/2440-968-0x000001EDDEAE0000-0x000001EDDEB52000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/2440-335-0x000001EDDEA60000-0x000001EDDEAD2000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/2468-950-0x0000000004F20000-0x0000000004FD6000-memory.dmp

                                                                            Filesize

                                                                            728KB

                                                                            Download

                                                                          • memory/2468-693-0x0000000000E00000-0x0000000000EAE000-memory.dmp

                                                                            Filesize

                                                                            696KB

                                                                            Download

                                                                          • memory/2468-951-0x00000000050A0000-0x0000000005156000-memory.dmp

                                                                            Filesize

                                                                            728KB

                                                                            Download

                                                                          • memory/2612-245-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                            Filesize

                                                                            80KB

                                                                            Download

                                                                          • memory/2620-392-0x000002144E000000-0x000002144E072000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/2640-248-0x0000000007102000-0x0000000007103000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2640-240-0x0000000007740000-0x0000000007741000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2640-482-0x0000000007103000-0x0000000007104000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2640-452-0x000000007EF80000-0x000000007EF81000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2640-218-0x0000000003040000-0x0000000003041000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2640-220-0x0000000003040000-0x0000000003041000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2640-235-0x0000000003160000-0x0000000003161000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2640-242-0x0000000007100000-0x0000000007101000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2644-394-0x000002ED0D0D0000-0x000002ED0D142000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/2796-964-0x0000023AC4A30000-0x0000023AC4AA2000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/2796-303-0x0000023AC3C30000-0x0000023AC3C32000-memory.dmp

                                                                            Filesize

                                                                            8KB

                                                                            Download

                                                                          • memory/2796-301-0x0000023AC3C30000-0x0000023AC3C32000-memory.dmp

                                                                            Filesize

                                                                            8KB

                                                                            Download

                                                                          • memory/2796-307-0x0000023AC4670000-0x0000023AC46E2000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/2932-226-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2932-268-0x00000000053F0000-0x0000000005466000-memory.dmp

                                                                            Filesize

                                                                            472KB

                                                                            Download

                                                                          • memory/2932-281-0x0000000005A40000-0x0000000005A41000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/2992-434-0x0000000005800000-0x0000000005801000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/3024-266-0x0000000000D50000-0x0000000000D66000-memory.dmp

                                                                            Filesize

                                                                            88KB

                                                                            Download

                                                                          • memory/3160-246-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/3176-310-0x0000025512C30000-0x0000025512CA2000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/3176-293-0x0000025512890000-0x0000025512892000-memory.dmp

                                                                            Filesize

                                                                            8KB

                                                                            Download

                                                                          • memory/3176-292-0x0000025512890000-0x0000025512892000-memory.dmp

                                                                            Filesize

                                                                            8KB

                                                                            Download

                                                                          • memory/3176-306-0x00000255128B0000-0x00000255128FD000-memory.dmp

                                                                            Filesize

                                                                            308KB

                                                                            Download

                                                                          • memory/3212-211-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                            Filesize

                                                                            80KB

                                                                            Download

                                                                          • memory/3292-261-0x00000000057D0000-0x000000000591C000-memory.dmp

                                                                            Filesize

                                                                            1.3MB

                                                                            Download

                                                                          • memory/3344-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                            Filesize

                                                                            1.5MB

                                                                            Download

                                                                          • memory/3344-145-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                            Filesize

                                                                            100KB

                                                                            Download

                                                                          • memory/3344-142-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                            Filesize

                                                                            152KB

                                                                            Download

                                                                          • memory/3344-137-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                            Filesize

                                                                            572KB

                                                                            Download

                                                                          • memory/3344-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                            Filesize

                                                                            1.5MB

                                                                            Download

                                                                          • memory/3344-144-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                            Filesize

                                                                            100KB

                                                                            Download

                                                                          • memory/3344-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                            Filesize

                                                                            1.5MB

                                                                            Download

                                                                          • memory/3344-147-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                            Filesize

                                                                            100KB

                                                                            Download

                                                                          • memory/3344-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                            Filesize

                                                                            1.5MB

                                                                            Download

                                                                          • memory/3344-148-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                            Filesize

                                                                            100KB

                                                                            Download

                                                                          • memory/3344-136-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                            Filesize

                                                                            572KB

                                                                            Download

                                                                          • memory/3344-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                            Filesize

                                                                            572KB

                                                                            Download

                                                                          • memory/3376-204-0x0000000000E40000-0x0000000000E41000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/3376-212-0x000000001BB10000-0x000000001BB12000-memory.dmp

                                                                            Filesize

                                                                            8KB

                                                                            Download

                                                                          • memory/3600-228-0x00000000001B0000-0x00000000001B1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/3600-252-0x00000000049E0000-0x00000000049E1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/3600-267-0x0000000004B40000-0x0000000004B41000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/3824-260-0x0000000005C40000-0x0000000005D8C000-memory.dmp

                                                                            Filesize

                                                                            1.3MB

                                                                            Download

                                                                          • memory/3908-208-0x0000000002DD0000-0x0000000002E19000-memory.dmp

                                                                            Filesize

                                                                            292KB

                                                                            Download

                                                                          • memory/3908-216-0x0000000000400000-0x0000000002DC2000-memory.dmp

                                                                            Filesize

                                                                            41.8MB

                                                                            Download

                                                                          • memory/4384-315-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                            Filesize

                                                                            136KB

                                                                            Download

                                                                          • memory/4384-355-0x00000000056D0000-0x0000000005CD6000-memory.dmp

                                                                            Filesize

                                                                            6.0MB

                                                                            Download

                                                                          • memory/4400-316-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                            Filesize

                                                                            136KB

                                                                            Download

                                                                          • memory/4400-362-0x0000000005440000-0x0000000005A46000-memory.dmp

                                                                            Filesize

                                                                            6.0MB

                                                                            Download

                                                                          • memory/4412-474-0x0000000005130000-0x0000000005131000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/4704-298-0x0000000004EF2000-0x0000000004FF3000-memory.dmp

                                                                            Filesize

                                                                            1.0MB

                                                                            Download

                                                                          • memory/4704-302-0x0000000005060000-0x00000000050BD000-memory.dmp

                                                                            Filesize

                                                                            372KB

                                                                            Download

                                                                          • memory/4848-353-0x00000000051B0000-0x00000000051B1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/4848-309-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/4848-320-0x0000000001250000-0x0000000001251000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/4900-312-0x000002462E160000-0x000002462E162000-memory.dmp

                                                                            Filesize

                                                                            8KB

                                                                            Download

                                                                          • memory/4900-572-0x0000024630B00000-0x0000024630C05000-memory.dmp

                                                                            Filesize

                                                                            1.0MB

                                                                            Download

                                                                          • memory/4900-308-0x000002462E160000-0x000002462E162000-memory.dmp

                                                                            Filesize

                                                                            8KB

                                                                            Download

                                                                          • memory/4900-568-0x000002462E1A0000-0x000002462E1BB000-memory.dmp

                                                                            Filesize

                                                                            108KB

                                                                            Download

                                                                          • memory/4900-330-0x000002462E3D0000-0x000002462E442000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                            Download

                                                                          • memory/5104-386-0x0000000005780000-0x0000000005D86000-memory.dmp

                                                                            Filesize

                                                                            6.0MB

                                                                            Download