Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    19/11/2021, 23:31

General

  • Target
    B4A1AFA93C65EBA3AB6EFEB4624DCC8D65DBDEFEFE682.exe
  • Size
    3.9MB
  • MD5
    6cc8cc6b06447c3e62aee854db3ecab1
  • SHA1
    4d0514a2da8278af75ef6cef61c045ef1fc75841
  • SHA256
    b4a1afa93c65eba3ab6efeb4624dcc8d65dbdefefe682bb26a1e2d9aa94415bd
  • SHA512
    3b8b4bc899b0e90f79f67e0dd4418ec6e378b144bc68791e4c44a0a35a7e0f3e503e9515c7b4ba4ede8944966bdfd8ddbdad94319ca2c540a6de57bb57bba504

Malware Config

Extracted

  • Family
    socelars
  • C2
    http://www.iyiqian.com/
    http://www.hbgents.top/
    http://www.rsnzhy.com/
    http://www.znsjis.top/

Extracted

  • Family
    redline
  • Botnet
    she
  • C2
    135.181.129.119:4805

Extracted

  • Family
    redline
  • Botnet
    media8
  • C2
    91.121.67.60:2151

Extracted

  • Family
    redline
  • Botnet
    ANI
  • C2
    45.142.215.47:27643

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://gmpeople.com/upload/
    http://mile48.com/upload/
    http://lecanardstsornin.com/upload/
    http://m3600.com/upload/
    http://camasirx.com/upload/
  • rc4.i32
  • rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 7 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer 1 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42.

  • Downloads MZ/PE file
  • Executes dropped EXE 25 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 13 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 18 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s UserManager
    1⤵
      PID:1208
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
      1⤵
        PID:1884
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s BITS
        1⤵
        • Suspicious use of SetThreadContext
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3140
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Drops file in System32 directory
          • Checks processor information in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          PID:4760
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s WpnService
        1⤵
          PID:2684
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
          1⤵
            PID:2668
            • C:\Windows\system32\wbem\WMIADAP.EXE
              wmiadap.exe /F /T /R
              2⤵
                PID:2748
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s Browser
              1⤵
                PID:2572
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                1⤵
                  PID:2340
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                  1⤵
                    PID:2324
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s SENS
                    1⤵
                      PID:1428
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s Themes
                      1⤵
                        PID:1224
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                        1⤵
                          PID:1080
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                          1⤵
                          • Drops file in System32 directory
                          PID:864
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                          1⤵
                            PID:304
                          • C:\Users\Admin\AppData\Local\Temp\B4A1AFA93C65EBA3AB6EFEB4624DCC8D65DBDEFEFE682.exe
                            "C:\Users\Admin\AppData\Local\Temp\B4A1AFA93C65EBA3AB6EFEB4624DCC8D65DBDEFEFE682.exe"
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2700
                            • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                              "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                              2⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:2620
                              • C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\setup_install.exe
                                "C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\setup_install.exe"
                                3⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of WriteProcessMemory
                                PID:1492
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:3972
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                    5⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3852
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c Mon0043022f9dc5.exe
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:3992
                                  • C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon0043022f9dc5.exe
                                    Mon0043022f9dc5.exe
                                    5⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    PID:1664
                                    • C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon0043022f9dc5.exe
                                      C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon0043022f9dc5.exe
                                      6⤵
                                      • Executes dropped EXE
                                      PID:3788
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c Mon00960700006114a4f.exe
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:2980
                                  • C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon00960700006114a4f.exe
                                    Mon00960700006114a4f.exe
                                    5⤵
                                    • Executes dropped EXE
                                    PID:336
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c Mon008681a14ee98d06.exe
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:1708
                                  • C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon008681a14ee98d06.exe
                                    Mon008681a14ee98d06.exe
                                    5⤵
                                    • Executes dropped EXE
                                    PID:708
                                    • C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon008681a14ee98d06.exe
                                      C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon008681a14ee98d06.exe
                                      6⤵
                                      • Executes dropped EXE
                                      PID:856
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c Mon006e0c9e4e.exe
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:1796
                                  • C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon006e0c9e4e.exe
                                    Mon006e0c9e4e.exe
                                    5⤵
                                    • Executes dropped EXE
                                    • Checks computer location settings
                                    PID:3528
                                    • C:\Users\Admin\Pictures\Adobe Films\6P_RSlyUu3twgX1fdkdgChdT.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\6P_RSlyUu3twgX1fdkdgChdT.exe"
                                      6⤵
                                      • Executes dropped EXE
                                      PID:4272
                                    • C:\Users\Admin\Pictures\Adobe Films\7kRnTnUo8_262rOKDF7mHled.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\7kRnTnUo8_262rOKDF7mHled.exe"
                                      6⤵
                                      • Executes dropped EXE
                                      PID:4684
                                      • C:\Users\Admin\Pictures\Adobe Films\7kRnTnUo8_262rOKDF7mHled.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\7kRnTnUo8_262rOKDF7mHled.exe"
                                        7⤵
                                          PID:1408
                                      • C:\Users\Admin\Pictures\Adobe Films\bHgo7kAJ9etG6X7WJR_A_Wi3.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\bHgo7kAJ9etG6X7WJR_A_Wi3.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        PID:724
                                        • C:\Windows\SysWOW64\schtasks.exe
                                          schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                          7⤵
                                          • Creates scheduled task(s)
                                          PID:4108
                                        • C:\Windows\SysWOW64\schtasks.exe
                                          schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                          7⤵
                                          • Creates scheduled task(s)
                                          PID:4296
                                        • C:\Users\Admin\Documents\BhDvHzZM52f50ARvI4c2vnJF.exe
                                          "C:\Users\Admin\Documents\BhDvHzZM52f50ARvI4c2vnJF.exe"
                                          7⤵
                                            PID:356
                                        • C:\Users\Admin\Pictures\Adobe Films\gQ0ksUSMtcx_WInfZjK52TCK.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\gQ0ksUSMtcx_WInfZjK52TCK.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          PID:4268
                                        • C:\Users\Admin\Pictures\Adobe Films\CIhNZ_M3_mF03CNH5bQOs5L9.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\CIhNZ_M3_mF03CNH5bQOs5L9.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          PID:2292
                                        • C:\Users\Admin\Pictures\Adobe Films\FHE6lAdTaq3gWAImHB5C73DL.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\FHE6lAdTaq3gWAImHB5C73DL.exe"
                                          6⤵
                                            PID:2600
                                          • C:\Users\Admin\Pictures\Adobe Films\GdV94xhX0LQiBFsi5GYWkRo0.exe
                                            "C:\Users\Admin\Pictures\Adobe Films\GdV94xhX0LQiBFsi5GYWkRo0.exe"
                                            6⤵
                                              PID:356
                                            • C:\Users\Admin\Pictures\Adobe Films\Em_21pcmeM7PfGvLv2hKSAhy.exe
                                              "C:\Users\Admin\Pictures\Adobe Films\Em_21pcmeM7PfGvLv2hKSAhy.exe"
                                              6⤵
                                                PID:4888
                                                • C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
                                                  "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
                                                  7⤵
                                                    PID:4728
                                                  • C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
                                                    "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
                                                    7⤵
                                                      PID:4628
                                                    • C:\Program Files (x86)\Company\NewProduct\inst2.exe
                                                      "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
                                                      7⤵
                                                        PID:4724
                                                    • C:\Users\Admin\Pictures\Adobe Films\WbkReg_FGej9xUrxMGY42SBo.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\WbkReg_FGej9xUrxMGY42SBo.exe"
                                                      6⤵
                                                        PID:4788
                                                      • C:\Users\Admin\Pictures\Adobe Films\tXTv1C1fi0tlvN2dcZgHwEaI.exe
                                                        "C:\Users\Admin\Pictures\Adobe Films\tXTv1C1fi0tlvN2dcZgHwEaI.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        PID:4892
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          cmd.exe /c taskkill /f /im chrome.exe
                                                          7⤵
                                                            PID:4092
                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                              taskkill /f /im chrome.exe
                                                              8⤵
                                                              • Kills process with taskkill
                                                              PID:4792
                                                        • C:\Users\Admin\Pictures\Adobe Films\YOcQbTwvabGYokAkTD8D65B4.exe
                                                          "C:\Users\Admin\Pictures\Adobe Films\YOcQbTwvabGYokAkTD8D65B4.exe"
                                                          6⤵
                                                          • Executes dropped EXE
                                                          PID:4928
                                                          • C:\Users\Admin\Pictures\Adobe Films\YOcQbTwvabGYokAkTD8D65B4.exe
                                                            "C:\Users\Admin\Pictures\Adobe Films\YOcQbTwvabGYokAkTD8D65B4.exe"
                                                            7⤵
                                                              PID:1756
                                                          • C:\Users\Admin\Pictures\Adobe Films\D9cVfmsrB_sBuADs1Mk7LLlq.exe
                                                            "C:\Users\Admin\Pictures\Adobe Films\D9cVfmsrB_sBuADs1Mk7LLlq.exe"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            PID:3920
                                                          • C:\Users\Admin\Pictures\Adobe Films\u8hDs78gxU7DwKZ7DWIHhHJq.exe
                                                            "C:\Users\Admin\Pictures\Adobe Films\u8hDs78gxU7DwKZ7DWIHhHJq.exe"
                                                            6⤵
                                                              PID:3756
                                                            • C:\Users\Admin\Pictures\Adobe Films\H1iUWQxAROBMSWrMQQ781hm3.exe
                                                              "C:\Users\Admin\Pictures\Adobe Films\H1iUWQxAROBMSWrMQQ781hm3.exe"
                                                              6⤵
                                                                PID:4848
                                                              • C:\Users\Admin\Pictures\Adobe Films\q5P4tNogyiWutqVdi8X3ZQlb.exe
                                                                "C:\Users\Admin\Pictures\Adobe Films\q5P4tNogyiWutqVdi8X3ZQlb.exe"
                                                                6⤵
                                                                  PID:3760
                                                                • C:\Users\Admin\Pictures\Adobe Films\oRuxlniPk8hXTX6E1AIOa2Wm.exe
                                                                  "C:\Users\Admin\Pictures\Adobe Films\oRuxlniPk8hXTX6E1AIOa2Wm.exe"
                                                                  6⤵
                                                                    PID:5076
                                                                  • C:\Users\Admin\Pictures\Adobe Films\Z1hk6x9tM_BYDyOHVLCpRsaT.exe
                                                                    "C:\Users\Admin\Pictures\Adobe Films\Z1hk6x9tM_BYDyOHVLCpRsaT.exe"
                                                                    6⤵
                                                                      PID:4656
                                                                      • C:\Users\Admin\AppData\Roaming\4741445.exe
                                                                        "C:\Users\Admin\AppData\Roaming\4741445.exe"
                                                                        7⤵
                                                                          PID:4016
                                                                        • C:\Users\Admin\AppData\Roaming\6182707.exe
                                                                          "C:\Users\Admin\AppData\Roaming\6182707.exe"
                                                                          7⤵
                                                                            PID:4404
                                                                            • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                              "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                              8⤵
                                                                                PID:2080
                                                                            • C:\Users\Admin\AppData\Roaming\5526124.exe
                                                                              "C:\Users\Admin\AppData\Roaming\5526124.exe"
                                                                              7⤵
                                                                                PID:4444
                                                                              • C:\Users\Admin\AppData\Roaming\2614619.exe
                                                                                "C:\Users\Admin\AppData\Roaming\2614619.exe"
                                                                                7⤵
                                                                                  PID:1944
                                                                                • C:\Users\Admin\AppData\Roaming\487090.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\487090.exe"
                                                                                  7⤵
                                                                                    PID:1868
                                                                                  • C:\Users\Admin\AppData\Roaming\4526407.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\4526407.exe"
                                                                                    7⤵
                                                                                      PID:4684
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\t_aU_MVro8neShAzQVUH3cHI.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\t_aU_MVro8neShAzQVUH3cHI.exe"
                                                                                    6⤵
                                                                                      PID:1588
                                                                                    • C:\Users\Admin\Pictures\Adobe Films\m9IDwlzFsU4t7jqtxhwRk4gk.exe
                                                                                      "C:\Users\Admin\Pictures\Adobe Films\m9IDwlzFsU4t7jqtxhwRk4gk.exe"
                                                                                      6⤵
                                                                                        PID:5072
                                                                                      • C:\Users\Admin\Pictures\Adobe Films\MbYNRLNwRzvM7y7VZ54N3H1W.exe
                                                                                        "C:\Users\Admin\Pictures\Adobe Films\MbYNRLNwRzvM7y7VZ54N3H1W.exe"
                                                                                        6⤵
                                                                                          PID:3088
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 400
                                                                                            7⤵
                                                                                            • Program crash
                                                                                            PID:3096
                                                                                        • C:\Users\Admin\Pictures\Adobe Films\CTn93SCQX6oSZEeioMNBjFyi.exe
                                                                                          "C:\Users\Admin\Pictures\Adobe Films\CTn93SCQX6oSZEeioMNBjFyi.exe"
                                                                                          6⤵
                                                                                            PID:4052
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 400
                                                                                              7⤵
                                                                                              • Program crash
                                                                                              PID:3160
                                                                                          • C:\Users\Admin\Pictures\Adobe Films\xoJeW2eRpAzNtKrM_NbVYKk1.exe
                                                                                            "C:\Users\Admin\Pictures\Adobe Films\xoJeW2eRpAzNtKrM_NbVYKk1.exe"
                                                                                            6⤵
                                                                                              PID:3804
                                                                                            • C:\Users\Admin\Pictures\Adobe Films\di3XfZfrk2aSPcYVXFdQJrMX.exe
                                                                                              "C:\Users\Admin\Pictures\Adobe Films\di3XfZfrk2aSPcYVXFdQJrMX.exe"
                                                                                              6⤵
                                                                                                PID:5048
                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                  7⤵
                                                                                                    PID:2236
                                                                                                • C:\Users\Admin\Pictures\Adobe Films\EqdGP70Dnw2Crn8iWTX4uL4o.exe
                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\EqdGP70Dnw2Crn8iWTX4uL4o.exe"
                                                                                                  6⤵
            PID:4872
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              7⤵
              PID:3152
          • C:\Users\Admin\Pictures\Adobe Films\76813c8PleK0rJCmNmWwGD5M.exe
            "C:\Users\Admin\Pictures\Adobe Films\76813c8PleK0rJCmNmWwGD5M.exe"
            6⤵
            PID:4780
            • C:\Users\Admin\AppData\Local\Temp\is-3KDHC.tmp\76813c8PleK0rJCmNmWwGD5M.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-3KDHC.tmp\76813c8PleK0rJCmNmWwGD5M.tmp" /SL5="$F0236,506127,422400,C:\Users\Admin\Pictures\Adobe Films\76813c8PleK0rJCmNmWwGD5M.exe"
              7⤵
              PID:4804
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Mon00f7a983c912.exe
        4⤵
        PID:3608
        • C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon00f7a983c912.exe
          Mon00f7a983c912.exe
          5⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:3720
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 452
        4⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:916
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Mon00855f3273ffa1.exe
        4⤵
        PID:704
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Mon004fc084d88.exe
        4⤵
        PID:1260
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Mon005b8992d66f.exe
        4⤵
        PID:2624
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Mon005ca14730a60d6.exe /mixone
        4⤵
        PID:488
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Mon00c91c19de7f75af.exe
        4⤵
        • Suspicious use of WriteProcessMemory
        PID:2268
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Mon00e90248133.exe
        4⤵
        PID:772
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Mon000eb84e5bb87a8eb.exe
        4⤵
        • Suspicious use of WriteProcessMemory
        PID:1252
• C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon005ca14730a60d6.exe
  Mon005ca14730a60d6.exe /mixone
  1⤵
  • Executes dropped EXE
  • Suspicious behavior: GetForegroundWindowSpam
  PID:2072
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 660
    2⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4480
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 688
    2⤵
    • Program crash
    PID:4588
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 780
    2⤵
    • Program crash
    PID:5064
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 804
    2⤵
    • Program crash
    PID:4272
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 864
    2⤵
    • Program crash
    • Suspicious use of AdjustPrivilegeToken
    PID:4588
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 908
    2⤵
    • Program crash
    PID:5112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1096
    2⤵
    • Program crash
    PID:2292
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1296
    2⤵
    • Program crash
    PID:4924
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1308
    2⤵
    • Program crash
    PID:972
• C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon00e90248133.exe
  Mon00e90248133.exe
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:1332
  • C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    2⤵
    PID:4408
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      3⤵
      • Kills process with taskkill
      PID:4660
• C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon004fc084d88.exe
  Mon004fc084d88.exe
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:496
• C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon000eb84e5bb87a8eb.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon000eb84e5bb87a8eb.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
  1⤵
  PID:2124
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon000eb84e5bb87a8eb.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon000eb84e5bb87a8eb.exe" ) do taskkill /F -Im "%~NxU"
    2⤵
    PID:2084
    • C:\Users\Admin\AppData\Local\Temp\09xU.exE
      09xU.EXE -pPtzyIkqLZoCarb5ew
      3⤵
      • Executes dropped EXE
      PID:2600
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        4⤵
        PID:1928
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"
          5⤵
          PID:3100
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )
        4⤵
        PID:4892
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
          5⤵
          PID:5104
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" eCHO "
            6⤵
            PID:4136
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
            6⤵
            PID:4124
          • C:\Windows\SysWOW64\control.exe
            control .\R6f7sE.I
            6⤵
            PID:4620
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
              7⤵
              • Loads dropped DLL
              PID:4824
              • C:\Windows\system32\RunDll32.exe
                C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
                8⤵
                • Suspicious use of SetThreadContext
                PID:708
                • C:\Windows\SysWOW64\rundll32.exe
                  "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
                  9⤵
                  • Loads dropped DLL
                  PID:2916
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /F -Im "Mon000eb84e5bb87a8eb.exe"
      3⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
• C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon00855f3273ffa1.exe
  Mon00855f3273ffa1.exe
  1⤵
  • Executes dropped EXE
  PID:1872
• C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon005b8992d66f.exe
  Mon005b8992d66f.exe
  1⤵
  • Executes dropped EXE
  PID:2912
• C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon00c91c19de7f75af.exe
  Mon00c91c19de7f75af.exe
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:4032
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4032 -s 1768
    2⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2940
• C:\Users\Admin\AppData\Local\Temp\7zSC3A898F5\Mon000eb84e5bb87a8eb.exe
  Mon000eb84e5bb87a8eb.exe
  1⤵
  • Executes dropped EXE
  PID:388
• C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  1⤵
  • Process spawned unexpected child process
  PID:4440
  • C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    2⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4512

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/304-323-0x000001C314980000-0x000001C3149F2000-memory.dmp (Filesize: 456KB)
  • memory/388-173-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize: 4KB)
  • memory/388-177-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize: 4KB)
  • memory/496-218-0x000000001AF60000-0x000000001AF62000-memory.dmp (Filesize: 8KB)
  • memory/496-200-0x0000000000390000-0x0000000000391000-memory.dmp (Filesize: 4KB)
  • memory/496-211-0x0000000000AB0000-0x0000000000AB1000-memory.dmp (Filesize: 4KB)
  • memory/708-221-0x00000000051F0000-0x00000000051F1000-memory.dmp (Filesize: 4KB)
  • memory/708-204-0x0000000000800000-0x0000000000801000-memory.dmp (Filesize: 4KB)
  • memory/856-279-0x0000000004F20000-0x0000000005526000-memory.dmp (Filesize: 6.0MB)
  • memory/856-255-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
  • memory/864-352-0x00000197757D0000-0x0000019775842000-memory.dmp (Filesize: 456KB)
  • memory/1080-322-0x00000219E2140000-0x00000219E21B2000-memory.dmp (Filesize: 456KB)
  • memory/1208-356-0x0000011DF48A0000-0x0000011DF4912000-memory.dmp (Filesize: 456KB)
  • memory/1224-355-0x00000255E6E40000-0x00000255E6EB2000-memory.dmp (Filesize: 456KB)
  • memory/1428-353-0x000001A320240000-0x000001A3202B2000-memory.dmp (Filesize: 456KB)
  • memory/1492-133-0x000000006B440000-0x000000006B4CF000-memory.dmp (Filesize: 572KB)
  • memory/1492-137-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize: 100KB)
  • memory/1492-135-0x000000006FE40000-0x000000006FFC6000-memory.dmp (Filesize: 1.5MB)
  • memory/1492-139-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize: 100KB)
  • memory/1492-131-0x000000006B440000-0x000000006B4CF000-memory.dmp (Filesize: 572KB)
  • memory/1492-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp (Filesize: 1.5MB)
  • memory/1492-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp (Filesize: 1.5MB)
  • memory/1492-132-0x000000006B440000-0x000000006B4CF000-memory.dmp (Filesize: 572KB)
  • memory/1492-134-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize: 100KB)
  • memory/1492-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp (Filesize: 1.5MB)
  • memory/1492-141-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize: 100KB)
  • memory/1492-142-0x000000006B280000-0x000000006B2A6000-memory.dmp (Filesize: 152KB)
  • memory/1664-203-0x0000000000C00000-0x0000000000C01000-memory.dmp (Filesize: 4KB)
  • memory/1664-216-0x00000000053E0000-0x00000000053E1000-memory.dmp (Filesize: 4KB)
  • memory/1664-220-0x0000000005620000-0x0000000005621000-memory.dmp (Filesize: 4KB)
  • memory/1664-223-0x0000000005B30000-0x0000000005B31000-memory.dmp (Filesize: 4KB)
  • memory/1664-212-0x0000000005420000-0x0000000005421000-memory.dmp (Filesize: 4KB)
  • memory/1884-354-0x00000186F2EA0000-0x00000186F2F12000-memory.dmp (Filesize: 456KB)
  • memory/2072-191-0x00000000019A6000-0x00000000019CF000-memory.dmp (Filesize: 164KB)
  • memory/2072-229-0x00000000017F0000-0x000000000193A000-memory.dmp (Filesize: 1.3MB)
  • memory/2072-231-0x0000000000400000-0x00000000016E0000-memory.dmp (Filesize: 18.9MB)
  • memory/2324-313-0x000002823D7B0000-0x000002823D822000-memory.dmp (Filesize: 456KB)
  • memory/2340-326-0x0000023ACEDA0000-0x0000023ACEE12000-memory.dmp (Filesize: 456KB)
  • memory/2572-312-0x000001E9BD680000-0x000001E9BD6F2000-memory.dmp (Filesize: 456KB)
  • memory/2600-243-0x00000000004D0000-0x00000000004D1000-memory.dmp (Filesize: 4KB)
  • memory/2600-693-0x00000000004A0000-0x00000000005EA000-memory.dmp (Filesize: 1.3MB)
  • memory/2600-242-0x00000000004D0000-0x00000000004D1000-memory.dmp (Filesize: 4KB)
  • memory/2668-358-0x0000026D17D00000-0x0000026D17D72000-memory.dmp (Filesize: 456KB)
  • memory/2684-360-0x0000027156BA0000-0x0000027156C12000-memory.dmp (Filesize: 456KB)
  • memory/2912-250-0x0000000003562000-0x0000000003563000-memory.dmp (Filesize: 4KB)
  • memory/2912-251-0x0000000003563000-0x0000000003564000-memory.dmp (Filesize: 4KB)
  • memory/2912-247-0x0000000006800000-0x0000000006801000-memory.dmp (Filesize: 4KB)
  • memory/2912-238-0x00000000037C0000-0x00000000037DD000-memory.dmp (Filesize: 116KB)
  • memory/2912-236-0x00000000033B0000-0x00000000033CF000-memory.dmp (Filesize: 124KB)
  • memory/2912-195-0x0000000001828000-0x000000000184B000-memory.dmp (Filesize: 140KB)
  • memory/2912-241-0x0000000006150000-0x0000000006151000-memory.dmp (Filesize: 4KB)
  • memory/2912-235-0x0000000003560000-0x0000000003561000-memory.dmp (Filesize: 4KB)
  • memory/2912-246-0x00000000067D0000-0x00000000067D1000-memory.dmp (Filesize: 4KB)
  • memory/2912-270-0x0000000003564000-0x0000000003566000-memory.dmp (Filesize: 8KB)
  • memory/2912-253-0x0000000006910000-0x0000000006911000-memory.dmp (Filesize: 4KB)
  • memory/2912-233-0x0000000000400000-0x00000000016E0000-memory.dmp (Filesize: 18.9MB)
  • memory/2912-232-0x0000000003310000-0x0000000003340000-memory.dmp (Filesize: 192KB)
  • memory/2916-498-0x0000000004B90000-0x0000000004C3B000-memory.dmp (Filesize: 684KB)
  • memory/3004-290-0x0000000000650000-0x0000000000665000-memory.dmp (Filesize: 84KB)
  • memory/3140-310-0x0000020EF4DA0000-0x0000020EF4E12000-memory.dmp (Filesize: 456KB)
  • memory/3140-307-0x0000020EF4CE0000-0x0000020EF4D2D000-memory.dmp (Filesize: 308KB)
  • memory/3528-613-0x0000000005500000-0x000000000564C000-memory.dmp (Filesize: 1.3MB)
  • memory/3720-234-0x0000000000400000-0x00000000016C7000-memory.dmp (Filesize: 18.8MB)
  • memory/3720-230-0x0000000001720000-0x0000000001729000-memory.dmp (Filesize: 36KB)
  • memory/3720-207-0x00000000018E6000-0x00000000018F6000-memory.dmp (Filesize: 64KB)

                                                                                                                                    • memory/3788-257-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      136KB

                                                                                                                                    • memory/3788-280-0x0000000005330000-0x0000000005936000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      6.0MB

                                                                                                                                    • memory/3804-719-0x0000000005990000-0x0000000005991000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3804-662-0x0000000077280000-0x000000007740E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1.6MB

                                                                                                                                    • memory/3852-225-0x0000000006C10000-0x0000000006C11000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3852-245-0x0000000007910000-0x0000000007911000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3852-209-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3852-214-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3852-359-0x00000000067A3000-0x00000000067A4000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3852-222-0x0000000006B70000-0x0000000006B71000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3852-227-0x0000000007500000-0x0000000007501000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3852-194-0x0000000000B70000-0x0000000000B71000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3852-316-0x000000007EF00000-0x000000007EF01000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3852-226-0x0000000007410000-0x0000000007411000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3852-196-0x0000000000B70000-0x0000000000B71000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3852-248-0x0000000007E50000-0x0000000007E51000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3852-210-0x00000000067A0000-0x00000000067A1000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3852-219-0x00000000067A2000-0x00000000067A3000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/4032-180-0x0000000000F30000-0x0000000000F31000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/4032-206-0x000000001BB00000-0x000000001BB02000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      8KB

                                                                                                                                    • memory/4268-672-0x0000000000460000-0x00000000005AA000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1.3MB

                                                                                                                                    • memory/4268-701-0x0000000004C52000-0x0000000004C53000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/4512-288-0x0000000004848000-0x0000000004949000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1.0MB

                                                                                                                                    • memory/4512-289-0x0000000002ED0000-0x0000000002F2D000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      372KB

                                                                                                                                    • memory/4724-657-0x00000000001E0000-0x00000000001F0000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      64KB

                                                                                                                                    • memory/4760-517-0x000001FC71D00000-0x000001FC71E05000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1.0MB

                                                                                                                                    • memory/4760-515-0x000001FC70C40000-0x000001FC70C5B000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      108KB

                                                                                                                                    • memory/4760-320-0x000001FC6F400000-0x000001FC6F472000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      456KB

                                                                                                                                    • memory/4788-713-0x0000000002280000-0x0000000002355000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      852KB

                                                                                                                                    • memory/4788-708-0x0000000000550000-0x000000000069A000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1.3MB

                                                                                                                                    • memory/4824-425-0x0000000005450000-0x00000000054FB000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      684KB

                                                                                                                                    • memory/4824-423-0x00000000052C0000-0x000000000539F000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      892KB

                                                                                                                                    • memory/4848-648-0x0000000077280000-0x000000007740E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1.6MB

                                                                                                                                    • memory/4872-642-0x00000000007C0000-0x000000000090A000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1.3MB

                                                                                                                                    • memory/4872-644-0x00000000027D0000-0x00000000027D1000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/4872-685-0x00000000027E0000-0x00000000027E1000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/4928-678-0x00000000001E0000-0x00000000001E9000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      36KB

                                                                                                                                    • memory/5048-640-0x00000000022D0000-0x0000000002330000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      384KB

                                                                                                                                    • memory/5072-666-0x0000000077280000-0x000000007740E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1.6MB

                                                                                                                                    • memory/5076-653-0x0000000077280000-0x000000007740E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1.6MB