Analysis

  • max time kernel
    92s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    19/11/2021, 21:58

General

  • Target

    022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

  • Size

    403KB

  • MD5

    f957e397e71010885b67f2afe37d8161

  • SHA1

    a8bf84b971b37ac6e7f66c5e5a7e971a7741401e

  • SHA256

    022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

  • SHA512

    8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6

Malware Config

Extracted

  • Family
    socelars
  • C2
    http://www.gianninidesign.com/

Extracted

  • Family
    redline
  • Botnet
    555
  • C2
    91.206.14.151:64591

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://membro.at/upload/
    http://jeevanpunetha.com/upload/
    http://misipu.cn/upload/
    http://zavodooo.ru/upload/
    http://targiko.ru/upload/
    http://vues3d.com/upload/
  • rc4.i32
  • rc4.i32

Extracted

  • Family
    metasploit
  • Version
    windows/single_exec

Extracted

  • Family
    redline
  • Botnet
    udptest
  • C2
    193.56.146.64:65441

Extracted

  • Family
    redline
  • Botnet
    bbbb
  • C2
    37.9.13.169:63912

Extracted

  • Family
    raccoon
  • Version
    1.8.3-hotfix
  • Botnet
    ddf183af4241e3172885cf1b2c4c1fb4ee03d05a
  • Attributes
    url4cnc
    http://91.219.236.27/capibar
    http://5.181.156.92/capibar
    http://91.219.236.207/capibar
    http://185.225.19.18/capibar
    http://91.219.237.227/capibar
    https://t.me/capibar
  • rc4.plain
  • rc4.plain

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 25 IoCs
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 17 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 7 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
    "C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Users\Admin\Pictures\Adobe Films\LUR58T8ha0SYLkgjopFYszr1.exe
      "C:\Users\Admin\Pictures\Adobe Films\LUR58T8ha0SYLkgjopFYszr1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2224
    • C:\Users\Admin\Pictures\Adobe Films\iOQgSJtYCZEln8V8xrIq3YiN.exe
      "C:\Users\Admin\Pictures\Adobe Films\iOQgSJtYCZEln8V8xrIq3YiN.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:1500
      • C:\Users\Admin\Documents\AEbY8UAJWi1MpTVXKD8ohyjZ.exe
        "C:\Users\Admin\Documents\AEbY8UAJWi1MpTVXKD8ohyjZ.exe"
        3⤵
        PID:4840
        • C:\Users\Admin\Pictures\Adobe Films\kl3RAAS6f1tz1p8g3_dRwt1s.exe
          "C:\Users\Admin\Pictures\Adobe Films\kl3RAAS6f1tz1p8g3_dRwt1s.exe"
          4⤵
          PID:4492
        • C:\Users\Admin\Pictures\Adobe Films\pZxwNsmoJVuinHL_7isgP_W4.exe
          "C:\Users\Admin\Pictures\Adobe Films\pZxwNsmoJVuinHL_7isgP_W4.exe"
          4⤵
          PID:1540
        • C:\Users\Admin\Pictures\Adobe Films\iotJdjs4abKDV9eYu1gdEi0W.exe
          "C:\Users\Admin\Pictures\Adobe Films\iotJdjs4abKDV9eYu1gdEi0W.exe"
          4⤵
          PID:3176
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c taskkill /f /im chrome.exe
            5⤵
            PID:5512
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im chrome.exe
              6⤵
              • Kills process with taskkill
              PID:5904
        • C:\Users\Admin\Pictures\Adobe Films\IxEhVnrW48SVjvCjX7vv_cpf.exe
          "C:\Users\Admin\Pictures\Adobe Films\IxEhVnrW48SVjvCjX7vv_cpf.exe"
          4⤵
          PID:2412
        • C:\Users\Admin\Pictures\Adobe Films\m65n_w3rGTQHMRdhjZEt34AM.exe
          "C:\Users\Admin\Pictures\Adobe Films\m65n_w3rGTQHMRdhjZEt34AM.exe"
          4⤵
          PID:2728
        • C:\Users\Admin\Pictures\Adobe Films\QP5JjEmOTRwEfS1PGyZBtLEe.exe
          "C:\Users\Admin\Pictures\Adobe Films\QP5JjEmOTRwEfS1PGyZBtLEe.exe"
          4⤵
          PID:5316
          • C:\Users\Admin\AppData\Local\Temp\is-M9F2I.tmp\QP5JjEmOTRwEfS1PGyZBtLEe.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-M9F2I.tmp\QP5JjEmOTRwEfS1PGyZBtLEe.tmp" /SL5="$102C6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\QP5JjEmOTRwEfS1PGyZBtLEe.exe"
            5⤵
            PID:5444
            • C:\Users\Admin\AppData\Local\Temp\is-V7U4T.tmp\lakazet.exe
              "C:\Users\Admin\AppData\Local\Temp\is-V7U4T.tmp\lakazet.exe" /S /UID=2709
              6⤵
              PID:5960
              • C:\Users\Admin\AppData\Local\Temp\54-c314b-afd-bc69c-0edf7316fc4d3\Fanulukeni.exe
                "C:\Users\Admin\AppData\Local\Temp\54-c314b-afd-bc69c-0edf7316fc4d3\Fanulukeni.exe"
                7⤵
                PID:676
        • C:\Users\Admin\Pictures\Adobe Films\6BLHxGgQFAe5umiNXvTolJSF.exe
          "C:\Users\Admin\Pictures\Adobe Films\6BLHxGgQFAe5umiNXvTolJSF.exe"
          4⤵
          PID:6132
          • C:\Users\Admin\Pictures\Adobe Films\6BLHxGgQFAe5umiNXvTolJSF.exe
            "C:\Users\Admin\Pictures\Adobe Films\6BLHxGgQFAe5umiNXvTolJSF.exe" -u
            5⤵
            PID:3808
        • C:\Users\Admin\Pictures\Adobe Films\T83J5ZnzUDjn4_QClZDSO1Jv.exe
          "C:\Users\Admin\Pictures\Adobe Films\T83J5ZnzUDjn4_QClZDSO1Jv.exe"
          4⤵
          PID:6048
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:4868
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:4900
    • C:\Users\Admin\Pictures\Adobe Films\c3jlwI22KyQswLqpMAZMLoNv.exe
      "C:\Users\Admin\Pictures\Adobe Films\c3jlwI22KyQswLqpMAZMLoNv.exe"
      2⤵
      • Executes dropped EXE
      PID:1184
      • C:\Users\Admin\Pictures\Adobe Films\c3jlwI22KyQswLqpMAZMLoNv.exe
        "C:\Users\Admin\Pictures\Adobe Films\c3jlwI22KyQswLqpMAZMLoNv.exe"
        3⤵
        PID:4464
    • C:\Users\Admin\Pictures\Adobe Films\sjP2NNGLkLXmtRLr84FTXoXx.exe
      "C:\Users\Admin\Pictures\Adobe Films\sjP2NNGLkLXmtRLr84FTXoXx.exe"
      2⤵
      • Executes dropped EXE
      PID:1236
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /im sjP2NNGLkLXmtRLr84FTXoXx.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\sjP2NNGLkLXmtRLr84FTXoXx.exe" & del C:\ProgramData\*.dll & exit
        3⤵
        PID:5988
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im sjP2NNGLkLXmtRLr84FTXoXx.exe /f
          4⤵
          • Kills process with taskkill
          PID:5764
    • C:\Users\Admin\Pictures\Adobe Films\ZtQmi64xfNHBdyzqDnGYn0w1.exe
      "C:\Users\Admin\Pictures\Adobe Films\ZtQmi64xfNHBdyzqDnGYn0w1.exe"
      2⤵
      • Executes dropped EXE
      PID:2584
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 660
        3⤵
        • Program crash
        PID:1536
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 640
        3⤵
        • Program crash
        PID:4760
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 688
        3⤵
        • Program crash
        PID:4584
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 860
        3⤵
        • Program crash
        PID:5008
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 676
        3⤵
        • Program crash
        PID:4252
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1116
        3⤵
        • Program crash
        PID:4380
    • C:\Users\Admin\Pictures\Adobe Films\4a_srNM9UohMmVM9bKpDSGS4.exe
      "C:\Users\Admin\Pictures\Adobe Films\4a_srNM9UohMmVM9bKpDSGS4.exe"
      2⤵
      • Executes dropped EXE
      PID:1180
    • C:\Users\Admin\Pictures\Adobe Films\Rn16AjUDOEUw_Phj5cpEWNW3.exe
      "C:\Users\Admin\Pictures\Adobe Films\Rn16AjUDOEUw_Phj5cpEWNW3.exe"
      2⤵
      • Executes dropped EXE
      PID:2400
      • C:\Users\Admin\AppData\Roaming\4804460.exe
        "C:\Users\Admin\AppData\Roaming\4804460.exe"
        3⤵
        PID:5108
      • C:\Users\Admin\AppData\Roaming\8470958.exe
        "C:\Users\Admin\AppData\Roaming\8470958.exe"
        3⤵
        PID:3488
        • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
          "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
          4⤵
          PID:4688
      • C:\Users\Admin\AppData\Roaming\736162.exe
        "C:\Users\Admin\AppData\Roaming\736162.exe"
        3⤵
        PID:4392
      • C:\Users\Admin\AppData\Roaming\7442260.exe
        "C:\Users\Admin\AppData\Roaming\7442260.exe"
        3⤵
        PID:4728
        • C:\Users\Admin\AppData\Roaming\4836048.exe
          "C:\Users\Admin\AppData\Roaming\4836048.exe"
          4⤵
          PID:4772
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\System32\mshta.exe" vbsCRIPT: CLOSe ( CREateoBjECt ( "WscrIPT.ShELl" ). RuN( "cmd /R COpy /Y ""C:\Users\Admin\AppData\Roaming\4836048.exe"" UvBEEXS0j9TB14.exE && start UvBEeXS0J9tB14.ExE -pkJzup02N2uLj2E & IF """" == """" for %v iN ( ""C:\Users\Admin\AppData\Roaming\4836048.exe"" ) do taskkill -IM ""%~NXv"" /F " , 0, TRuE) )
            5⤵
            PID:1248
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /R COpy /Y "C:\Users\Admin\AppData\Roaming\4836048.exe" UvBEEXS0j9TB14.exE && start UvBEeXS0J9tB14.ExE -pkJzup02N2uLj2E & IF "" == "" for %v iN ( "C:\Users\Admin\AppData\Roaming\4836048.exe" ) do taskkill -IM "%~NXv" /F
              6⤵
              PID:3888
              • C:\Users\Admin\AppData\Local\Temp\UvBEEXS0j9TB14.exE
                UvBEeXS0J9tB14.ExE -pkJzup02N2uLj2E
                7⤵
                PID:5284
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\System32\mshta.exe" vbsCRIPT: CLOSe ( CREateoBjECt ( "WscrIPT.ShELl" ). RuN( "cmd /R COpy /Y ""C:\Users\Admin\AppData\Local\Temp\UvBEEXS0j9TB14.exE"" UvBEEXS0j9TB14.exE && start UvBEeXS0J9tB14.ExE -pkJzup02N2uLj2E & IF ""-pkJzup02N2uLj2E "" == """" for %v iN ( ""C:\Users\Admin\AppData\Local\Temp\UvBEEXS0j9TB14.exE"" ) do taskkill -IM ""%~NXv"" /F " , 0, TRuE) )
                  8⤵
                  PID:5380
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /R COpy /Y "C:\Users\Admin\AppData\Local\Temp\UvBEEXS0j9TB14.exE" UvBEEXS0j9TB14.exE && start UvBEeXS0J9tB14.ExE -pkJzup02N2uLj2E & IF "-pkJzup02N2uLj2E " == "" for %v iN ( "C:\Users\Admin\AppData\Local\Temp\UvBEEXS0j9TB14.exE" ) do taskkill -IM "%~NXv" /F
                    9⤵
                    PID:5568
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\System32\mshta.exe" VBscRipT: Close ( creatEobJEcT ( "wsCriPT.ShEll" ). RUn( "cMd.Exe /C echO dPPgqC:\Users\Admin\AppData\RoamingJfp> ubQM.U & eCho | sET /P = ""MZ"" > aDE8.34 & CopY /B /y aDe8.34 + GCB~m_.PJ+ NrTw.Mq + Y14qE.K + CPWM.WE + BAN3N.L + uBQM.u LSSVZU.yk~ & StArt msiexec -y .\LsSVZU.yK~ " , 0, trUe ) )
                  8⤵
                  PID:5844
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C echO dPPgqC:\Users\Admin\AppData\RoamingJfp> ubQM.U & eCho | sET /P = "MZ" > aDE8.34 & CopY /B /y aDe8.34 + GCB~m_.PJ+ NrTw.Mq + Y14qE.K + CPWM.WE + BAN3N.L + uBQM.u LSSVZU.yk~ & StArt msiexec -y .\LsSVZU.yK~
                    9⤵
                    PID:5148
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" eCho "
                      10⤵
                      • Blocklisted process makes network request
                      PID:2720
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>aDE8.34"
                      10⤵
                      PID:5796
                    • C:\Windows\SysWOW64\msiexec.exe
                      msiexec -y .\LsSVZU.yK~
                      10⤵
                      PID:5620
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill -IM "4836048.exe" /F
                7⤵
                • Kills process with taskkill
                PID:5612
        • C:\Users\Admin\AppData\Roaming\7816279.exe
          "C:\Users\Admin\AppData\Roaming\7816279.exe"
          4⤵
          PID:1128
      • C:\Users\Admin\AppData\Roaming\6628600.exe
        "C:\Users\Admin\AppData\Roaming\6628600.exe"
        3⤵
        PID:4756
      • C:\Users\Admin\AppData\Roaming\5530473.exe
        "C:\Users\Admin\AppData\Roaming\5530473.exe"
        3⤵
        PID:4660
    • C:\Users\Admin\Pictures\Adobe Films\sxrRrick3gD4kfxFesJBiP0k.exe
      "C:\Users\Admin\Pictures\Adobe Films\sxrRrick3gD4kfxFesJBiP0k.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:676
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im chrome.exe
        3⤵
        PID:2404
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im chrome.exe
          4⤵
          • Kills process with taskkill
          PID:5160
    • C:\Users\Admin\Pictures\Adobe Films\PeRBFnMEUcYITSFocoY9fLRF.exe
      "C:\Users\Admin\Pictures\Adobe Films\PeRBFnMEUcYITSFocoY9fLRF.exe"
      2⤵
      • Executes dropped EXE
      PID:1448
    • C:\Users\Admin\Pictures\Adobe Films\jBWeyRHTi62HuqZULFmHBJZQ.exe
      "C:\Users\Admin\Pictures\Adobe Films\jBWeyRHTi62HuqZULFmHBJZQ.exe"
      2⤵
      • Executes dropped EXE
      PID:892
    • C:\Users\Admin\Pictures\Adobe Films\FvB0vwSDHiNEaiHHprj88QvP.exe
      "C:\Users\Admin\Pictures\Adobe Films\FvB0vwSDHiNEaiHHprj88QvP.exe"
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:1316
    • C:\Users\Admin\Pictures\Adobe Films\x_aSVw4EDPeHhdDlVBUwnD5i.exe
      "C:\Users\Admin\Pictures\Adobe Films\x_aSVw4EDPeHhdDlVBUwnD5i.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:3640
      • C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
        "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
        3⤵
        PID:1732
      • C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
        "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
        3⤵
        PID:684
      • C:\Program Files (x86)\Company\NewProduct\inst2.exe
        "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
        3⤵
        • Executes dropped EXE
        PID:1104
    • C:\Users\Admin\Pictures\Adobe Films\nAcUXNNobKFMoFFQJ9XOsJ52.exe
      "C:\Users\Admin\Pictures\Adobe Films\nAcUXNNobKFMoFFQJ9XOsJ52.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      PID:1232
      • C:\Users\Admin\Pictures\Adobe Films\nAcUXNNobKFMoFFQJ9XOsJ52.exe
        "C:\Users\Admin\Pictures\Adobe Films\nAcUXNNobKFMoFFQJ9XOsJ52.exe"
        3⤵
        • Executes dropped EXE
        PID:3052
    • C:\Users\Admin\Pictures\Adobe Films\uvSQkFfGlN4hF4GFY7NSg2XG.exe
      "C:\Users\Admin\Pictures\Adobe Films\uvSQkFfGlN4hF4GFY7NSg2XG.exe"
      2⤵
      • Executes dropped EXE
      PID:2640
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 396
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:3320
    • C:\Users\Admin\Pictures\Adobe Films\WH0lWYx3KsYqWPkVAZlF8sNH.exe
      "C:\Users\Admin\Pictures\Adobe Films\WH0lWYx3KsYqWPkVAZlF8sNH.exe"
      2⤵
      • Executes dropped EXE
      PID:3240
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 400
        3⤵
        • Drops file in Windows directory
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:4068
    • C:\Users\Admin\Pictures\Adobe Films\0x6o3hs3eABLDe2nznrTWCcJ.exe
      "C:\Users\Admin\Pictures\Adobe Films\0x6o3hs3eABLDe2nznrTWCcJ.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2396
    • C:\Users\Admin\Pictures\Adobe Films\4XXl_o0ZoNjiS8c1uCdyespF.exe
      "C:\Users\Admin\Pictures\Adobe Films\4XXl_o0ZoNjiS8c1uCdyespF.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2208
                                                                              • C:\Users\Admin\Pictures\Adobe Films\cS1iPoHMzXj4Y6kY3A6yydrM.exe
                                                                                "C:\Users\Admin\Pictures\Adobe Films\cS1iPoHMzXj4Y6kY3A6yydrM.exe"
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                • Checks BIOS information in registry
                                                                                • Checks whether UAC is enabled
                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                PID:3896
                                                                              • C:\Users\Admin\Pictures\Adobe Films\Ns_bc3yvvzhDnhFBWNVaCAoA.exe
                                                                                "C:\Users\Admin\Pictures\Adobe Films\Ns_bc3yvvzhDnhFBWNVaCAoA.exe"
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                • Checks BIOS information in registry
                                                                                • Checks whether UAC is enabled
                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                PID:1968
                                                                              • C:\Users\Admin\Pictures\Adobe Films\FgfMTZvTbi4wD01SGlMOF8MG.exe
                                                                                "C:\Users\Admin\Pictures\Adobe Films\FgfMTZvTbi4wD01SGlMOF8MG.exe"
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                • Checks BIOS information in registry
                                                                                • Checks whether UAC is enabled
                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                PID:1964
                                                                              • C:\Users\Admin\Pictures\Adobe Films\jRu17kZMHmlu09jEcP7j8AiT.exe
                                                                                "C:\Users\Admin\Pictures\Adobe Films\jRu17kZMHmlu09jEcP7j8AiT.exe"
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                • Checks BIOS information in registry
                                                                                • Checks whether UAC is enabled
                                                                                PID:2108
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 560
                                                                                  3⤵
                                                                                  • Program crash
                                                                                  PID:4212
                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                  3⤵
                                                                                  PID:3884
                                                                              • C:\Users\Admin\Pictures\Adobe Films\SIv0sTchmQvzTnVJQD4OBmUl.exe
                                                                                "C:\Users\Admin\Pictures\Adobe Films\SIv0sTchmQvzTnVJQD4OBmUl.exe"
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                • Checks BIOS information in registry
                                                                                • Checks whether UAC is enabled
                                                                                PID:1864
                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                  3⤵
                                                                                  PID:2868
                                                                              • C:\Users\Admin\Pictures\Adobe Films\TxDbe8aS2EdqwtmMaCuHHaCv.exe
                                                                                "C:\Users\Admin\Pictures\Adobe Films\TxDbe8aS2EdqwtmMaCuHHaCv.exe"
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                PID:2308
                                                                              • C:\Users\Admin\Pictures\Adobe Films\abhu1kShLo0fkEoK5LZXfLdY.exe
                                                                                "C:\Users\Admin\Pictures\Adobe Films\abhu1kShLo0fkEoK5LZXfLdY.exe"
                                                                                2⤵
                                                                                PID:5028
                                                                                • C:\Users\Admin\AppData\Local\Temp\is-8H5D1.tmp\abhu1kShLo0fkEoK5LZXfLdY.tmp
                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-8H5D1.tmp\abhu1kShLo0fkEoK5LZXfLdY.tmp" /SL5="$201DA,506127,422400,C:\Users\Admin\Pictures\Adobe Films\abhu1kShLo0fkEoK5LZXfLdY.exe"
                                                                                  3⤵
                                                                                  PID:5056
                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-TNQAE.tmp\lakazet.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-TNQAE.tmp\lakazet.exe" /S /UID=2709
                                                                                    4⤵
                                                                                    PID:4500
                                                                                    • C:\Users\Admin\AppData\Local\Temp\46-90760-4ae-abfb4-3b57f2a72566d\Julenemilae.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\46-90760-4ae-abfb4-3b57f2a72566d\Julenemilae.exe"
                                                                                      5⤵
                                                                                      PID:5648
                                                                                    • C:\Users\Admin\AppData\Local\Temp\09-bb974-dd8-6bfa3-75ae17bb20c3f\Xaeshapaerepae.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\09-bb974-dd8-6bfa3-75ae17bb20c3f\Xaeshapaerepae.exe"
                                                                                      5⤵
                                                                                      PID:5728
                                                                                    • C:\Program Files\Windows Multimedia Platform\VKDAEILCWR\foldershare.exe
                                                                                      "C:\Program Files\Windows Multimedia Platform\VKDAEILCWR\foldershare.exe" /VERYSILENT
                                                                                      5⤵
                                                                                      PID:5536
                                                                            • C:\Users\Admin\AppData\Local\Temp\C72F.exe
                                                                              C:\Users\Admin\AppData\Local\Temp\C72F.exe
                                                                              1⤵
                                                                              PID:3700
                                                                              • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                                                                "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                                                                                2⤵
                                                                                PID:3092
                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                              1⤵
                                                                              PID:6184

Network

MITRE ATT&CK Enterprise v6

Downloads


                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2108-364-0x00000000034B0000-0x00000000034B1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2108-187-0x0000000000400000-0x0000000000750000-memory.dmp

                                                                                                          Filesize

                                                                                                          3.3MB

                                                                                                        • memory/2108-336-0x00000000023B0000-0x00000000023B1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2108-334-0x00000000034B0000-0x00000000034B1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2108-363-0x00000000034B0000-0x00000000034B1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2108-190-0x0000000000400000-0x0000000000750000-memory.dmp

                                                                                                          Filesize

                                                                                                          3.3MB

                                                                                                        • memory/2108-320-0x00000000034B0000-0x00000000034B1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2108-316-0x00000000034C0000-0x00000000034C1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2108-362-0x00000000034B0000-0x00000000034B1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2208-217-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2208-277-0x00000000053C0000-0x00000000053C1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2208-295-0x00000000052A0000-0x00000000052A1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2308-337-0x0000000003050000-0x000000000345F000-memory.dmp

                                                                                                          Filesize

                                                                                                          4.1MB

                                                                                                        • memory/2308-341-0x0000000003460000-0x0000000003D02000-memory.dmp

                                                                                                          Filesize

                                                                                                          8.6MB

                                                                                                        • memory/2308-349-0x0000000000400000-0x0000000000CBD000-memory.dmp

                                                                                                          Filesize

                                                                                                          8.7MB

                                                                                                        • memory/2396-218-0x00000000013B0000-0x00000000013B1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2396-288-0x0000000003D50000-0x0000000003D51000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2396-200-0x00000000771D0000-0x000000007735E000-memory.dmp

                                                                                                          Filesize

                                                                                                          1.6MB

                                                                                                        • memory/2400-271-0x0000000005660000-0x0000000005661000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2400-230-0x0000000002F40000-0x0000000002F41000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2400-185-0x0000000000D10000-0x0000000000D11000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2400-198-0x0000000002F30000-0x0000000002F31000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2400-208-0x00000000030E0000-0x00000000030F1000-memory.dmp

                                                                                                          Filesize

                                                                                                          68KB

                                                                                                        • memory/2584-204-0x0000000000400000-0x000000000044F000-memory.dmp

                                                                                                          Filesize

                                                                                                          316KB

                                                                                                        • memory/2720-115-0x0000000005D00000-0x0000000005E4C000-memory.dmp

                                                                                                          Filesize

                                                                                                          1.3MB

                                                                                                        • memory/2868-263-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                          Filesize

                                                                                                          128KB

                                                                                                        • memory/2868-326-0x0000000008D50000-0x0000000009356000-memory.dmp

                                                                                                          Filesize

                                                                                                          6.0MB

                                                                                                        • memory/2868-294-0x0000000004620000-0x0000000004621000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2868-290-0x0000000004620000-0x0000000004621000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/3052-219-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                          Filesize

                                                                                                          36KB

                                                                                                        • memory/3056-305-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

                                                                                                          Filesize

                                                                                                          88KB

                                                                                                        • memory/3884-289-0x0000000004470000-0x0000000004471000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/3884-293-0x0000000004470000-0x0000000004471000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/3884-323-0x0000000008BE0000-0x00000000091E6000-memory.dmp

                                                                                                          Filesize

                                                                                                          6.0MB

                                                                                                        • memory/3884-258-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                          Filesize

                                                                                                          128KB

                                                                                                        • memory/3896-275-0x00000000055B0000-0x00000000055B1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/3896-207-0x0000000000100000-0x0000000000101000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/3896-199-0x00000000771D0000-0x000000007735E000-memory.dmp

                                                                                                          Filesize

                                                                                                          1.6MB

                                                                                                        • memory/3896-284-0x00000000056C0000-0x00000000056C1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/3896-252-0x00000000056D0000-0x00000000056D1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/3896-232-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/3896-246-0x0000000002C40000-0x0000000002C41000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/4464-344-0x0000000000400000-0x000000000040B000-memory.dmp

                                                                                                          Filesize

                                                                                                          44KB