Analysis

  • max time kernel
    15s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21/11/2021, 15:16

General

  • Target

    b16504e25ef918a88c54371fea0e49aa.exe

  • Size

    13.8MB

  • MD5

    b16504e25ef918a88c54371fea0e49aa

  • SHA1

    786cb7fa904b8c19c055b6a49527f7e9d907307a

  • SHA256

    4066a70177c5b8a86458e8727efaa599b0de0e342fd709eec5d3b78ed066cd67

  • SHA512

    7a549cf81e37f2c52ecd87b3827f99da8c3bc175a029c0387964a26005dd0fbc918de3261d1e3bd42104bc53eca16325817d85be60bd78688be16118e23ad102

Malware Config

Extracted

Family

amadey

Version

2.82

C2

185.215.113.45/g4MbvE/index.php

Extracted

Family

socelars

C2

http://www.gianninidesign.com/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

C2

http://membro.at/upload/

http://jeevanpunetha.com/upload/

http://misipu.cn/upload/

http://zavodooo.ru/upload/

http://targiko.ru/upload/

http://vues3d.com/upload/

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • suricata: ET MALWARE Amadey CnC Check-In

  • suricata: ET MALWARE GCleaner Downloader Activity M5

  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 7 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 7 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b16504e25ef918a88c54371fea0e49aa.exe
    "C:\Users\Admin\AppData\Local\Temp\b16504e25ef918a88c54371fea0e49aa.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:380
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
              PID:2896
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1580
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
              5⤵
                PID:1624
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Wed0534fdcb003d1e565.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1068
              • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed0534fdcb003d1e565.exe
                Wed0534fdcb003d1e565.exe
                5⤵
                • Executes dropped EXE
                PID:1796
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Wed05530159d4f285214.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1244
              • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05530159d4f285214.exe
                Wed05530159d4f285214.exe
                5⤵
                • Executes dropped EXE
                PID:1528
                • C:\Users\Admin\Pictures\Adobe Films\UViMP2qWyimoUYIkt0l4crIc.exe
                  "C:\Users\Admin\Pictures\Adobe Films\UViMP2qWyimoUYIkt0l4crIc.exe"
                  6⤵
                    PID:1840
                  • C:\Users\Admin\Pictures\Adobe Films\7_AZnSJ8y09DZ8IqiB4VjXjp.exe
                    "C:\Users\Admin\Pictures\Adobe Films\7_AZnSJ8y09DZ8IqiB4VjXjp.exe"
                    6⤵
                      PID:4796
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 400
                        7⤵
                        • Program crash
                        PID:1868
                    • C:\Users\Admin\Pictures\Adobe Films\9qVDblyhKVsXgcOtAd2T_NFA.exe
                      "C:\Users\Admin\Pictures\Adobe Films\9qVDblyhKVsXgcOtAd2T_NFA.exe"
                      6⤵
                        PID:4784
                      • C:\Users\Admin\Pictures\Adobe Films\8rFk5mzjxBvbENtc8tMixYIb.exe
                        "C:\Users\Admin\Pictures\Adobe Films\8rFk5mzjxBvbENtc8tMixYIb.exe"
                        6⤵
                          PID:4776
                        • C:\Users\Admin\Pictures\Adobe Films\CkV3bMfdkB5vKXlrVdUcFFht.exe
                          "C:\Users\Admin\Pictures\Adobe Films\CkV3bMfdkB5vKXlrVdUcFFht.exe"
                          6⤵
                            PID:4768
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 660
                              7⤵
                              • Program crash
                              PID:5580
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 672
                              7⤵
                              • Program crash
                              PID:5748
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 636
                              7⤵
                              • Program crash
                              PID:6012
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 692
                              7⤵
                              • Program crash
                              PID:4980
                          • C:\Users\Admin\Pictures\Adobe Films\QmFgp5twAUM0MMenh4LSdZph.exe
                            "C:\Users\Admin\Pictures\Adobe Films\QmFgp5twAUM0MMenh4LSdZph.exe"
                            6⤵
                              PID:4752
                              • C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
                                "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
                                7⤵
                                  PID:4416
                                • C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
                                  "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
                                  7⤵
                                    PID:2004
                                  • C:\Program Files (x86)\Company\NewProduct\inst2.exe
                                    "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
                                    7⤵
                                      PID:5080
                                  • C:\Users\Admin\Pictures\Adobe Films\a_Mmu11QY_atLtuOBgrqU0HT.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\a_Mmu11QY_atLtuOBgrqU0HT.exe"
                                    6⤵
                                      PID:4760
                                    • C:\Users\Admin\Pictures\Adobe Films\sthgODbYX2Of11giWTy_BR6J.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\sthgODbYX2Of11giWTy_BR6J.exe"
                                      6⤵
                                        PID:4716
                                        • C:\Users\Admin\Pictures\Adobe Films\sthgODbYX2Of11giWTy_BR6J.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\sthgODbYX2Of11giWTy_BR6J.exe"
                                          7⤵
                                            PID:4100
                                        • C:\Users\Admin\Pictures\Adobe Films\wtaq_s4fd9o57dywCuwgZ0Lx.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\wtaq_s4fd9o57dywCuwgZ0Lx.exe"
                                          6⤵
                                            PID:4700
                                            • C:\Windows\SysWOW64\schtasks.exe
                                              schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                              7⤵
                                              • Creates scheduled task(s)
                                              PID:3592
                                            • C:\Windows\SysWOW64\schtasks.exe
                                              schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                              7⤵
                                              • Creates scheduled task(s)
                                              PID:4544
                                            • C:\Users\Admin\Documents\PuV639husrW7hD5QLRXbQ0s7.exe
                                              "C:\Users\Admin\Documents\PuV639husrW7hD5QLRXbQ0s7.exe"
                                              7⤵
                                                PID:1964
                                            • C:\Users\Admin\Pictures\Adobe Films\KdckbJbEvXnawneMgWVcVVKT.exe
                                              "C:\Users\Admin\Pictures\Adobe Films\KdckbJbEvXnawneMgWVcVVKT.exe"
                                              6⤵
                                                PID:4904
                                              • C:\Users\Admin\Pictures\Adobe Films\CehC_XT5Mlez10jq8xidjaja.exe
                                                "C:\Users\Admin\Pictures\Adobe Films\CehC_XT5Mlez10jq8xidjaja.exe"
                                                6⤵
                                                  PID:4888
                                                  • C:\Users\Admin\AppData\Roaming\4455073.exe
                                                    "C:\Users\Admin\AppData\Roaming\4455073.exe"
                                                    7⤵
                                                      PID:4848
                                                    • C:\Users\Admin\AppData\Roaming\3896197.exe
                                                      "C:\Users\Admin\AppData\Roaming\3896197.exe"
                                                      7⤵
                                                        PID:2464
                                                        • C:\Users\Admin\AppData\Roaming\73986821\7398656173986561.exe
                                                          "C:\Users\Admin\AppData\Roaming\73986821\7398656173986561.exe"
                                                          8⤵
                                                            PID:5480
                                                        • C:\Users\Admin\AppData\Roaming\3553767.exe
                                                          "C:\Users\Admin\AppData\Roaming\3553767.exe"
                                                          7⤵
                                                            PID:2284
                                                          • C:\Users\Admin\AppData\Roaming\3808550.exe
                                                            "C:\Users\Admin\AppData\Roaming\3808550.exe"
                                                            7⤵
                                                              PID:5160
                                                            • C:\Users\Admin\AppData\Roaming\2024155.exe
                                                              "C:\Users\Admin\AppData\Roaming\2024155.exe"
                                                              7⤵
                                                                PID:5188
                                                              • C:\Users\Admin\AppData\Roaming\5720338.exe
                                                                "C:\Users\Admin\AppData\Roaming\5720338.exe"
                                                                7⤵
                                                                  PID:5204
                                                              • C:\Users\Admin\Pictures\Adobe Films\EJveuBqJvSoclsucoPaVvMNo.exe
                                                                "C:\Users\Admin\Pictures\Adobe Films\EJveuBqJvSoclsucoPaVvMNo.exe"
                                                                6⤵
                                                                  PID:2160
                                                                • C:\Users\Admin\Pictures\Adobe Films\v4t5hwiVCu9sVy3TKEpsvy3I.exe
                                                                  "C:\Users\Admin\Pictures\Adobe Films\v4t5hwiVCu9sVy3TKEpsvy3I.exe"
                                                                  6⤵
                                                                    PID:1708
                                                                  • C:\Users\Admin\Pictures\Adobe Films\alAWlw1xAudIQwzPfJCsecuG.exe
                                                                    "C:\Users\Admin\Pictures\Adobe Films\alAWlw1xAudIQwzPfJCsecuG.exe"
                                                                    6⤵
                                                                      PID:68
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 68 -s 396
                                                                        7⤵
                                                                        • Program crash
                                                                        PID:848
                                                                    • C:\Users\Admin\Pictures\Adobe Films\28quGJwtreiiFR1HusWUIyYe.exe
                                                                      "C:\Users\Admin\Pictures\Adobe Films\28quGJwtreiiFR1HusWUIyYe.exe"
                                                                      6⤵
                                                                        PID:2376
                                                                        • C:\Users\Admin\Pictures\Adobe Films\28quGJwtreiiFR1HusWUIyYe.exe
                                                                          "C:\Users\Admin\Pictures\Adobe Films\28quGJwtreiiFR1HusWUIyYe.exe"
                                                                          7⤵
                                                                            PID:5032
                                                                        • C:\Users\Admin\Pictures\Adobe Films\qbBeUVl9QNwds05tTMjsz4CM.exe
                                                                          "C:\Users\Admin\Pictures\Adobe Films\qbBeUVl9QNwds05tTMjsz4CM.exe"
                                                                          6⤵
                                                                            PID:2320
                                                                          • C:\Users\Admin\Pictures\Adobe Films\7fxKjDDZlkmkCuW8KHnMODyf.exe
                                                                            "C:\Users\Admin\Pictures\Adobe Films\7fxKjDDZlkmkCuW8KHnMODyf.exe"
                                                                            6⤵
                                                                              PID:5108
                                                                            • C:\Users\Admin\Pictures\Adobe Films\CFLWmpJmaQrDqAyz8kGzwPJq.exe
                                                                              "C:\Users\Admin\Pictures\Adobe Films\CFLWmpJmaQrDqAyz8kGzwPJq.exe"
                                                                              6⤵
                                                                                PID:836
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 404
                                                                                  7⤵
                                                                                  • Program crash
                                                                                  PID:2296
                                                                              • C:\Users\Admin\Pictures\Adobe Films\sR5jjruz5krCmz6OIuyKYr9_.exe
                                                                                "C:\Users\Admin\Pictures\Adobe Films\sR5jjruz5krCmz6OIuyKYr9_.exe"
                                                                                6⤵
                                                                                  PID:3772
                                                                                • C:\Users\Admin\Pictures\Adobe Films\8T41KE8gpE6KXMeNoNpBc45O.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\8T41KE8gpE6KXMeNoNpBc45O.exe"
                                                                                  6⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:904
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    cmd.exe /c taskkill /f /im chrome.exe
                                                                                    7⤵
                                                                                      PID:5852
                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                        taskkill /f /im chrome.exe
                                                                                        8⤵
                                                                                        • Kills process with taskkill
                                                                                        PID:5068
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\zLl1mBuFAW0A1ffc07ghZJHU.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\zLl1mBuFAW0A1ffc07ghZJHU.exe"
                                                                                    6⤵
                                                                                      PID:3844
                                                                                    • C:\Users\Admin\Pictures\Adobe Films\Dv1gZvMUBfPFrQitpaSknZyB.exe
                                                                                      "C:\Users\Admin\Pictures\Adobe Films\Dv1gZvMUBfPFrQitpaSknZyB.exe"
                                                                                      6⤵
                                                                                        PID:3040
                                                                                        • C:\Users\Admin\Pictures\Adobe Films\Dv1gZvMUBfPFrQitpaSknZyB.exe
                                                                                          "C:\Users\Admin\Pictures\Adobe Films\Dv1gZvMUBfPFrQitpaSknZyB.exe"
                                                                                          7⤵
                                                                                            PID:6056
                                                                                        • C:\Users\Admin\Pictures\Adobe Films\bit8uz5HLoPvGcl9EO9IVdux.exe
                                                                                          "C:\Users\Admin\Pictures\Adobe Films\bit8uz5HLoPvGcl9EO9IVdux.exe"
                                                                                          6⤵
                                                                                            PID:4752
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c Wed055e29ac05f0e14.exe
                                                                                        4⤵
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:1268
                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed055e29ac05f0e14.exe
                                                                                          Wed055e29ac05f0e14.exe
                                                                                          5⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:764
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c Wed058cca47ea86cc0b.exe
                                                                                        4⤵
                                                                                          PID:1100
                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed058cca47ea86cc0b.exe
                                                                                            Wed058cca47ea86cc0b.exe
                                                                                            5⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:700
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c Wed05572ff115815bed.exe
                                                                                          4⤵
                                                                                            PID:3220
                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05572ff115815bed.exe
                                                                                              Wed05572ff115815bed.exe
                                                                                              5⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:1888
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c Wed05b5c2705a.exe
                                                                                            4⤵
                                                                                              PID:3880
                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05b5c2705a.exe
                                                                                                Wed05b5c2705a.exe
                                                                                                5⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:1240
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c Wed0507640eb5b.exe
                                                                                              4⤵
                                                                                                PID:2200
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c Wed0504ce1fce545657.exe
                                                                                                4⤵
                                                                                                  PID:2764
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c Wed059a025cf2a.exe
                                                                                                  4⤵
                                                                                                    PID:2080
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c Wed059ecd633701f3.exe
                                                                                                    4⤵
                                                                                                      PID:1560
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c Wed05c770a4470c.exe /mixtwo
                                                                                                      4⤵
                                                                                                        PID:2464
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c Wed05cb54d5272ed03.exe
                                                                                                        4⤵
                                                                                                          PID:3476
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c Wed058c3464dcf6606b1.exe
                                                                                                          4⤵
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:2416
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c Wed05c754f5b2a7ed96.exe
                                                                                                          4⤵
                                                                                                            PID:1104
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c Wed05ecd67738969.exe
                                                                                                            4⤵
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            PID:3816
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05ecd67738969.exe
                                                                                                      Wed05ecd67738969.exe
                                                                                                      1⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:884
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        cmd.exe /c taskkill /f /im chrome.exe
                                                                                                        2⤵
                                                                                                          PID:4128
                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                            taskkill /f /im chrome.exe
                                                                                                            3⤵
                                                                                                            • Kills process with taskkill
                                                                                                            PID:2120
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-49M53.tmp\Wed055e29ac05f0e14.tmp
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-49M53.tmp\Wed055e29ac05f0e14.tmp" /SL5="$501C8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed055e29ac05f0e14.exe"
                                                                                                        1⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:2880
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed055e29ac05f0e14.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed055e29ac05f0e14.exe" /SILENT
                                                                                                          2⤵
                                                                                                            PID:2108
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05c770a4470c.exe
                                                                                                          Wed05c770a4470c.exe /mixtwo
                                                                                                          1⤵
                                                                                                            PID:3128
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed05c770a4470c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05c770a4470c.exe" & exit
                                                                                                              2⤵
                                                                                                                PID:4288
                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                  taskkill /im "Wed05c770a4470c.exe" /f
                                                                                                                  3⤵
                                                                                                                  • Kills process with taskkill
                                                                                                                  PID:4952
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-6G32C.tmp\Wed05c754f5b2a7ed96.tmp
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\is-6G32C.tmp\Wed05c754f5b2a7ed96.tmp" /SL5="$30172,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05c754f5b2a7ed96.exe"
                                                                                                              1⤵
                                                                                                                PID:3088
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059a025cf2a.exe
                                                                                                                C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059a025cf2a.exe
                                                                                                                1⤵
                                                                                                                  PID:2372
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059ecd633701f3.exe
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059ecd633701f3.exe
                                                                                                                  1⤵
                                                                                                                    PID:2324
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-6JHED.tmp\Wed055e29ac05f0e14.tmp
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-6JHED.tmp\Wed055e29ac05f0e14.tmp" /SL5="$6006A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed055e29ac05f0e14.exe" /SILENT
                                                                                                                    1⤵
                                                                                                                      PID:3596
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-DPROD.tmp\winhostdll.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-DPROD.tmp\winhostdll.exe" ss1
                                                                                                                        2⤵
                                                                                                                          PID:4988
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed058cca47ea86cc0b.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed058cca47ea86cc0b.exe" -u
                                                                                                                        1⤵
                                                                                                                          PID:1708
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05cb54d5272ed03.exe
                                                                                                                          Wed05cb54d5272ed03.exe
                                                                                                                          1⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:2164
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"
                                                                                                                            2⤵
                                                                                                                              PID:2948
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
                                                                                                                                3⤵
                                                                                                                                  PID:904
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
                                                                                                                                    4⤵
                                                                                                                                      PID:4484
                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F
                                                                                                                                    3⤵
                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                    PID:2160
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05c770a4470c.exe
                                                                                                                                Wed05c770a4470c.exe /mixtwo
                                                                                                                                1⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                PID:3560
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059ecd633701f3.exe
                                                                                                                                Wed059ecd633701f3.exe
                                                                                                                                1⤵
                                                                                                                                  PID:3780
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059ecd633701f3.exe
                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059ecd633701f3.exe
                                                                                                                                    2⤵
                                                                                                                                      PID:3344
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059a025cf2a.exe
                                                                                                                                    Wed059a025cf2a.exe
                                                                                                                                    1⤵
                                                                                                                                      PID:904
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059a025cf2a.exe
                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059a025cf2a.exe
                                                                                                                                        2⤵
                                                                                                                                          PID:1188
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05c754f5b2a7ed96.exe
                                                                                                                                        Wed05c754f5b2a7ed96.exe
                                                                                                                                        1⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        PID:1616
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed058c3464dcf6606b1.exe
                                                                                                                                        Wed058c3464dcf6606b1.exe
                                                                                                                                        1⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        PID:1312
                                                                                                                                      • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                        C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                        1⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        PID:3780
                                                                                                                                        • C:\Windows\system32\rundll32.exe
                                                                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                          2⤵
                                                                                                                                          • Process spawned unexpected child process
                                                                                                                                          PID:4184
                                                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                            3⤵
                                                                                                                                              PID:4208
                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                          C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                          1⤵
                                                                                                                                            PID:4400
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
                                                                                                                                            1⤵
                                                                                                                                              PID:4504

                                                                                                                                            Network

                                                                                                                                                  MITRE ATT&CK Enterprise v6

                                                                                                                                                  Downloads


                                                                                                                                                    456KB

                                                                                                                                                  • memory/1188-334-0x0000000005410000-0x0000000005A16000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    6.0MB

                                                                                                                                                  • memory/1212-493-0x000001D961D40000-0x000001D961DB2000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    456KB

                                                                                                                                                  • memory/1240-287-0x0000000003190000-0x0000000003A32000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    8.6MB

                                                                                                                                                  • memory/1240-292-0x0000000000400000-0x0000000000CBD000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    8.7MB

                                                                                                                                                  • memory/1240-281-0x0000000002D80000-0x000000000318F000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4.1MB

                                                                                                                                                  • memory/1312-231-0x0000000002640000-0x0000000002667000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    156KB

                                                                                                                                                  • memory/1312-224-0x0000000007390000-0x0000000007391000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/1312-191-0x00000000005F0000-0x00000000005F1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/1412-454-0x0000021114D70000-0x0000021114DE2000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    456KB

                                                                                                                                                  • memory/1528-295-0x0000000003520000-0x000000000366C000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    1.3MB

                                                                                                                                                  • memory/1616-210-0x0000000000400000-0x00000000004D8000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    864KB

                                                                                                                                                  • memory/1624-274-0x0000000007ED0000-0x0000000007ED1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/1624-289-0x00000000086C0000-0x00000000086C1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/1624-443-0x0000000004AB3000-0x0000000004AB4000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/1624-201-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/1624-268-0x0000000007770000-0x0000000007771000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/1624-161-0x0000000003250000-0x0000000003251000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/1624-249-0x00000000074F0000-0x00000000074F1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/1624-165-0x0000000003250000-0x0000000003251000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/1624-420-0x000000007EAB0000-0x000000007EAB1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/1624-271-0x00000000077E0000-0x00000000077E1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/1624-217-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/1796-245-0x00000000007C0000-0x00000000007C9000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    36KB

                                                                                                                                                  • memory/1796-241-0x0000000000610000-0x0000000000618000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    32KB

                                                                                                                                                  • memory/1796-248-0x0000000000400000-0x000000000042A000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    168KB

                                                                                                                                                  • memory/1872-472-0x0000021EA9360000-0x0000021EA93D2000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    456KB

                                                                                                                                                  • memory/2108-254-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    80KB

                                                                                                                                                  • memory/2160-515-0x0000000005E10000-0x0000000005E11000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2160-534-0x00000000774C0000-0x000000007764E000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    1.6MB

                                                                                                                                                  • memory/2164-256-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2164-260-0x0000000003840000-0x0000000003841000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2164-263-0x0000000003860000-0x0000000003861000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2164-267-0x0000000003870000-0x0000000003871000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2164-270-0x0000000003880000-0x0000000003881000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2164-273-0x0000000003890000-0x0000000003891000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2164-276-0x0000000000F80000-0x000000000175E000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    7.9MB

                                                                                                                                                  • memory/2320-462-0x00000000774C0000-0x000000007764E000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    1.6MB

                                                                                                                                                  • memory/2320-541-0x0000000005570000-0x0000000005571000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2524-537-0x000002655A0B0000-0x000002655A122000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    456KB

                                                                                                                                                  • memory/2524-423-0x0000026559B60000-0x0000026559BD2000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    456KB

                                                                                                                                                  • memory/2560-523-0x000001774B870000-0x000001774B8E2000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    456KB

                                                                                                                                                  • memory/2560-410-0x000001774B640000-0x000001774B6B2000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    456KB

                                                                                                                                                  • memory/2708-486-0x000001E5A4C40000-0x000001E5A4CB2000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    456KB

                                                                                                                                                  • memory/2708-415-0x000001E5A4780000-0x000001E5A47F2000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    456KB

                                                                                                                                                  • memory/2792-528-0x0000017336BC0000-0x0000017336C32000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    456KB

                                                                                                                                                  • memory/2800-545-0x000001DC7D840000-0x000001DC7D8B2000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    456KB

                                                                                                                                                  • memory/2808-293-0x0000000000830000-0x0000000000846000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    88KB

                                                                                                                                                  • memory/2880-257-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2896-163-0x0000000003380000-0x0000000003381000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2896-185-0x0000000004C50000-0x0000000004C51000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2896-284-0x0000000008360000-0x0000000008361000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2896-194-0x0000000007840000-0x0000000007841000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2896-226-0x00000000051F2000-0x00000000051F3000-memory.dmp

                                                                                                                                                    Filesize
