Analysis

  • max time kernel
    91s
  • max time network
    170s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    20/12/2021, 14:03

General

  • Target

    d5fab1031a7fd6d642bf23846b82a29e4ed708c19987dd29e8db2c749eb9e29f.exe

  • Size

    7.1MB

  • MD5

    589a3c71f1c0d919875f371a073da632

  • SHA1

    859c4c305af9f2a1f3e423f24de1f919b3353e0d

  • SHA256

    d5fab1031a7fd6d642bf23846b82a29e4ed708c19987dd29e8db2c749eb9e29f

  • SHA512

    cc95f95eecfa16d76d491ddba72e640eeeb39e8bcdaf8c5570ed87c84c6b63dc5fd8b4f726d8c136d6635d294a213b8b9038a5fa6513315a89031bc26f93d582

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

redline

Botnet

media18n

C2

65.108.69.168:13293

Extracted

Family

redline

Botnet

v3user1

C2

159.69.246.184:13127

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes
  • profile_id

    915

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/


Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE GCleaner Downloader Activity M5
  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 38 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 15 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 22 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
      PID:2712
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
      • C:\Windows\system32\wbem\WMIADAP.EXE
        wmiadap.exe /F /T /R
        2⤵
          PID:1088
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s BITS
        1⤵
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2288
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Drops file in System32 directory
          • Checks processor information in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          PID:5008
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Browser
        1⤵
          PID:2600
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
          1⤵
            PID:2428
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
            1⤵
              PID:2384
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
              1⤵
                PID:1904
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s SENS
                1⤵
                  PID:1456
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                  1⤵
                    PID:1416
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                    1⤵
                      PID:1220
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                      1⤵
                        PID:1192
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                        1⤵
                          PID:1092
                          • C:\Users\Admin\AppData\Roaming\vrwrvrr
                            C:\Users\Admin\AppData\Roaming\vrwrvrr
                            2⤵
                              PID:5732
                          • c:\windows\system32\svchost.exe
                            c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                            1⤵
                              PID:376
                            • C:\Users\Admin\AppData\Local\Temp\d5fab1031a7fd6d642bf23846b82a29e4ed708c19987dd29e8db2c749eb9e29f.exe
                              "C:\Users\Admin\AppData\Local\Temp\d5fab1031a7fd6d642bf23846b82a29e4ed708c19987dd29e8db2c749eb9e29f.exe"
                              1⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2640
                              • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                2⤵
                                • Executes dropped EXE
                                • Suspicious use of WriteProcessMemory
                                PID:1336
                                • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\setup_install.exe
                                  "C:\Users\Admin\AppData\Local\Temp\7zS835662F5\setup_install.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Suspicious use of WriteProcessMemory
                                  PID:1448
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                                    4⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:916
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                                      5⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2840
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                    4⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:3112
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                      5⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1856
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Sat02c99074b50d2364.exe
                                    4⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1852
                                    • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat02c99074b50d2364.exe
                                      Sat02c99074b50d2364.exe
                                      5⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Checks processor information in registry
                                      PID:3692
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c taskkill /im Sat02c99074b50d2364.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat02c99074b50d2364.exe" & del C:\ProgramData\*.dll & exit
                                        6⤵
                                          PID:1380
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /im Sat02c99074b50d2364.exe /f
                                            7⤵
                                            • Kills process with taskkill
                                            PID:4820
                                          • C:\Windows\SysWOW64\timeout.exe
                                            timeout /t 6
                                            7⤵
                                            • Delays execution with timeout.exe
                                            PID:4648
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c Sat02f2628926e5.exe
                                      4⤵
                                        PID:3384
                                        • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat02f2628926e5.exe
                                          Sat02f2628926e5.exe
                                          5⤵
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          PID:1296
                                          • C:\Windows\SysWOW64\control.exe
                                            "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\UtX2LJRc.cPl",
                                            6⤵
                                              PID:3192
                                              • C:\Windows\SysWOW64\rundll32.exe
                                                "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\UtX2LJRc.cPl",
                                                7⤵
                                                • Loads dropped DLL
                                                PID:3212
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c Sat0272e8d8c10.exe
                                          4⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:1080
                                          • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat0272e8d8c10.exe
                                            Sat0272e8d8c10.exe
                                            5⤵
                                            • Executes dropped EXE
                                            PID:1356
                                            • C:\Users\Admin\AppData\Local\Temp\is-L4KO4.tmp\Sat0272e8d8c10.tmp
                                              "C:\Users\Admin\AppData\Local\Temp\is-L4KO4.tmp\Sat0272e8d8c10.tmp" /SL5="$60084,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat0272e8d8c10.exe"
                                              6⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              PID:1496
                                              • C:\Users\Admin\AppData\Local\Temp\is-1JO3I.tmp\Tougay.exe
                                                "C:\Users\Admin\AppData\Local\Temp\is-1JO3I.tmp\Tougay.exe" /S /UID=91
                                                7⤵
                                                • Executes dropped EXE
                                                PID:1976
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c Sat025c30e194937.exe
                                          4⤵
                                            PID:232
                                            • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat025c30e194937.exe
                                              Sat025c30e194937.exe
                                              5⤵
                                              • Executes dropped EXE
                                              PID:1396
                                              • C:\Users\Admin\AppData\Local\Temp\is-50JD7.tmp\Sat025c30e194937.tmp
                                                "C:\Users\Admin\AppData\Local\Temp\is-50JD7.tmp\Sat025c30e194937.tmp" /SL5="$10208,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat025c30e194937.exe"
                                                6⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                PID:524
                                                • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat025c30e194937.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat025c30e194937.exe" /SILENT
                                                  7⤵
                                                  • Executes dropped EXE
                                                  PID:1440
                                                  • C:\Users\Admin\AppData\Local\Temp\is-43G1U.tmp\Sat025c30e194937.tmp
                                                    "C:\Users\Admin\AppData\Local\Temp\is-43G1U.tmp\Sat025c30e194937.tmp" /SL5="$10224,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat025c30e194937.exe" /SILENT
                                                    8⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    PID:1336
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c Sat026a8b4cdc5d5aeeb.exe
                                            4⤵
                                              PID:212
                                              • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat026a8b4cdc5d5aeeb.exe
                                                Sat026a8b4cdc5d5aeeb.exe
                                                5⤵
                                                • Executes dropped EXE
                                                PID:3312
                                                • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat026a8b4cdc5d5aeeb.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat026a8b4cdc5d5aeeb.exe" -u
                                                  6⤵
                                                  • Executes dropped EXE
                                                  PID:988
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c Sat02a62626b8c64fb30.exe
                                              4⤵
                                                PID:416
                                                • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat02a62626b8c64fb30.exe
                                                  Sat02a62626b8c64fb30.exe
                                                  5⤵
                                                  • Executes dropped EXE
                                                  PID:1832
                                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                    6⤵
                                                    • Executes dropped EXE
                                                    PID:2060
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c Sat021487edf10.exe
                                                4⤵
                                                  PID:1268
                                                  • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat021487edf10.exe
                                                    Sat021487edf10.exe
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3116
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd.exe /c taskkill /f /im chrome.exe
                                                      6⤵
                                                        PID:4592
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill /f /im chrome.exe
                                                          7⤵
                                                          • Kills process with taskkill
                                                          PID:4104
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c Sat02907defcc3745a86.exe
                                                    4⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:2760
                                                    • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat02907defcc3745a86.exe
                                                      Sat02907defcc3745a86.exe
                                                      5⤵
                                                      • Executes dropped EXE
                                                      PID:968
                                                      • C:\Windows\SysWOW64\control.exe
                                                        "C:\Windows\System32\control.exe" .\D933.N
                                                        6⤵
                                                          PID:1776
                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\D933.N
                                                            7⤵
                                                            • Loads dropped DLL
                                                            PID:3852
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c Sat029e01af26d43.exe
                                                      4⤵
                                                        PID:1380
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c Sat022e1e9a13c36e.exe
                                                        4⤵
                                                          PID:1048
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c Sat02a6d7cf183.exe
                                                          4⤵
                                                            PID:3520
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c Sat02db10ecb050fb5f7.exe /mixtwo
                                                            4⤵
                                                              PID:3032
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c Sat0264224d20747.exe
                                                              4⤵
                                                                PID:736
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c Sat02cdf215315.exe
                                                                4⤵
                                                                  PID:976
                                                          • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat022e1e9a13c36e.exe
                                                            Sat022e1e9a13c36e.exe
                                                            1⤵
                                                            • Executes dropped EXE
                                                            • Checks SCSI registry key(s)
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious behavior: MapViewOfSection
                                                            PID:1480
                                                          • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat02db10ecb050fb5f7.exe
                                                            Sat02db10ecb050fb5f7.exe /mixtwo
                                                            1⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            PID:3304
                                                            • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat02db10ecb050fb5f7.exe
                                                              Sat02db10ecb050fb5f7.exe /mixtwo
                                                              2⤵
                                                              • Executes dropped EXE
                                                              PID:3908
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat02db10ecb050fb5f7.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat02db10ecb050fb5f7.exe" & exit
                                                                3⤵
                                                                  PID:1628
                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                    taskkill /im "Sat02db10ecb050fb5f7.exe" /f
                                                                    4⤵
                                                                    • Kills process with taskkill
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:3644
                                                            • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat029e01af26d43.exe
                                                              Sat029e01af26d43.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4028
                                                              • C:\Users\Admin\AppData\Local\7e9e2073-60ee-44ae-b22a-c6de0f1638ef.exe
                                                                "C:\Users\Admin\AppData\Local\7e9e2073-60ee-44ae-b22a-c6de0f1638ef.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2640
                                                              • C:\Users\Admin\AppData\Local\81df75f8-936b-4e53-9052-f903ab5e37a1.exe
                                                                "C:\Users\Admin\AppData\Local\81df75f8-936b-4e53-9052-f903ab5e37a1.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Adds Run key to start application
                                                                PID:1088
                                                                • C:\Users\Admin\AppData\Roaming\55652144\5041782850417828.exe
                                                                  "C:\Users\Admin\AppData\Roaming\55652144\5041782850417828.exe"
                                                                  3⤵
                                                                  • Executes dropped EXE
                                                                  PID:4908
                                                              • C:\Users\Admin\AppData\Local\644c9c42-b069-4c79-a073-424148d88faf.exe
                                                                "C:\Users\Admin\AppData\Local\644c9c42-b069-4c79-a073-424148d88faf.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                PID:4204
                                                              • C:\Users\Admin\AppData\Local\3fadc193-7662-4a79-a6ce-c44a81e62618.exe
                                                                "C:\Users\Admin\AppData\Local\3fadc193-7662-4a79-a6ce-c44a81e62618.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                PID:4304
                                                              • C:\Users\Admin\AppData\Local\ed02e20c-5720-40a2-a920-e772ee736fcd.exe
                                                                "C:\Users\Admin\AppData\Local\ed02e20c-5720-40a2-a920-e772ee736fcd.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:4412
                                                                • C:\Users\Admin\AppData\Roaming\3622331.exe
                                                                  "C:\Users\Admin\AppData\Roaming\3622331.exe"
                                                                  3⤵
                                                                  • Executes dropped EXE
                                                                  PID:1592
                                                                  • C:\Windows\SysWOW64\control.exe
                                                                    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                                                                    4⤵
                                                                      PID:4320
                                                              • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat02a6d7cf183.exe
                                                                Sat02a6d7cf183.exe
                                                                1⤵
                                                                • Executes dropped EXE
                                                                • Checks computer location settings
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:1136
                                                                • C:\Users\Admin\Pictures\Adobe Films\LaABWsEUU9oXZVk2ae3h72cC.exe
                                                                  "C:\Users\Admin\Pictures\Adobe Films\LaABWsEUU9oXZVk2ae3h72cC.exe"
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  PID:4156
                                                                • C:\Users\Admin\Pictures\Adobe Films\Ggy3n07JW3DtKrkeLPfP_D2q.exe
                                                                  "C:\Users\Admin\Pictures\Adobe Films\Ggy3n07JW3DtKrkeLPfP_D2q.exe"
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  PID:2592
                                                                  • C:\Users\Admin\Pictures\Adobe Films\Ggy3n07JW3DtKrkeLPfP_D2q.exe
                                                                    "C:\Users\Admin\Pictures\Adobe Films\Ggy3n07JW3DtKrkeLPfP_D2q.exe"
                                                                    3⤵
                                                                      PID:5588
                                                                  • C:\Users\Admin\Pictures\Adobe Films\PnoxMxnasMhkSt0z7P1VNunn.exe
                                                                    "C:\Users\Admin\Pictures\Adobe Films\PnoxMxnasMhkSt0z7P1VNunn.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    PID:4412
                                                                  • C:\Users\Admin\Pictures\Adobe Films\ZjtnWmVUoXXaUXSDll8exwJa.exe
                                                                    "C:\Users\Admin\Pictures\Adobe Films\ZjtnWmVUoXXaUXSDll8exwJa.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    PID:4804
                                                                  • C:\Users\Admin\Pictures\Adobe Films\kbcRxw4qR3RGZwDNdcrfks2O.exe
                                                                    "C:\Users\Admin\Pictures\Adobe Films\kbcRxw4qR3RGZwDNdcrfks2O.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    PID:4416
                                                                  • C:\Users\Admin\Pictures\Adobe Films\lWrsiDk5qO8DtkqpiD1wPIbU.exe
                                                                    "C:\Users\Admin\Pictures\Adobe Films\lWrsiDk5qO8DtkqpiD1wPIbU.exe"
                                                                    2⤵
                                                                      PID:2028
                                                                    • C:\Users\Admin\Pictures\Adobe Films\a8ZLB4qhhhUQRhCBWQNx5Q4T.exe
                                                                      "C:\Users\Admin\Pictures\Adobe Films\a8ZLB4qhhhUQRhCBWQNx5Q4T.exe"
                                                                      2⤵
                                                                        PID:3820
                                                                      • C:\Users\Admin\Pictures\Adobe Films\oevQIiiYXbCP6iHJhMBBCQND.exe
                                                                        "C:\Users\Admin\Pictures\Adobe Films\oevQIiiYXbCP6iHJhMBBCQND.exe"
                                                                        2⤵
                                                                          PID:1860
                                                                        • C:\Users\Admin\Pictures\Adobe Films\VDSDFc9ucvp7ECb88qkvIME5.exe
                                                                          "C:\Users\Admin\Pictures\Adobe Films\VDSDFc9ucvp7ECb88qkvIME5.exe"
                                                                          2⤵
                                                                            PID:4232
                                                                          • C:\Users\Admin\Pictures\Adobe Films\lE3f2kkVD5jueeNgrfsy3GP_.exe
                                                                            "C:\Users\Admin\Pictures\Adobe Films\lE3f2kkVD5jueeNgrfsy3GP_.exe"
                                                                            2⤵
                                                                              PID:932
                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS3119.tmp\Install.exe
                                                                                .\Install.exe
                                                                                3⤵
                                                                                  PID:5908
                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS5710.tmp\Install.exe
                                                                                    .\Install.exe /S /site_id "525403"
                                                                                    4⤵
                                                                                      PID:3632
                                                                                • C:\Users\Admin\Pictures\Adobe Films\XSxDJleVjqaIHO5wbARel9Yy.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\XSxDJleVjqaIHO5wbARel9Yy.exe"
                                                                                  2⤵
                                                                                    PID:1732
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\iVDMeqgOnYySGM5bQBSBHDkf.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\iVDMeqgOnYySGM5bQBSBHDkf.exe"
                                                                                    2⤵
                                                                                      PID:3624
                                                                                    • C:\Users\Admin\Pictures\Adobe Films\pYCsGJg_Y2sqQkcPcO4YIDvM.exe
                                                                                      "C:\Users\Admin\Pictures\Adobe Films\pYCsGJg_Y2sqQkcPcO4YIDvM.exe"
                                                                                      2⤵
                                                                                        PID:3972
                                                                                        • C:\Users\Admin\Pictures\Adobe Films\pYCsGJg_Y2sqQkcPcO4YIDvM.exe
                                                                                          "C:\Users\Admin\Pictures\Adobe Films\pYCsGJg_Y2sqQkcPcO4YIDvM.exe"
                                                                                          3⤵
                                                                                            PID:5896
                                                                                        • C:\Users\Admin\Pictures\Adobe Films\wCFv2cDFPbc7YCQexzi32jHr.exe
                                                                                          "C:\Users\Admin\Pictures\Adobe Films\wCFv2cDFPbc7YCQexzi32jHr.exe"
                                                                                          2⤵
                                                                                            PID:4276
                                                                                          • C:\Users\Admin\Pictures\Adobe Films\SNb325itgWuHYI8QrE2qtVyx.exe
                                                                                            "C:\Users\Admin\Pictures\Adobe Films\SNb325itgWuHYI8QrE2qtVyx.exe"
                                                                                            2⤵
                                                                                              PID:4284
                                                                                              • C:\Users\Admin\Pictures\Adobe Films\SNb325itgWuHYI8QrE2qtVyx.exe
                                                                                                "C:\Users\Admin\Pictures\Adobe Films\SNb325itgWuHYI8QrE2qtVyx.exe"
                                                                                                3⤵
                                                                                                  PID:5888
                                                                                                • C:\Users\Admin\Pictures\Adobe Films\SNb325itgWuHYI8QrE2qtVyx.exe
                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\SNb325itgWuHYI8QrE2qtVyx.exe"
                                                                                                  3⤵
                                                                                                    PID:6012
                                                                                                • C:\Users\Admin\Pictures\Adobe Films\RVzx5dDuCKOu4XU65hXG04iY.exe
                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\RVzx5dDuCKOu4XU65hXG04iY.exe"
                                                                                                  2⤵
                                                                                                    PID:384
                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\essbeKvBqCrJ_2kwXq9co7kz.exe
                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\essbeKvBqCrJ_2kwXq9co7kz.exe"
                                                                                                    2⤵
                                                                                                      PID:1104
                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\ljGtfGaHjbM0VXneidTfRVuS.exe
                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\ljGtfGaHjbM0VXneidTfRVuS.exe"
                                                                                                      2⤵
                                                                                                        PID:2844
                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\UKzuS7xgwFVYqkSG6HUTnPK8.exe
                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\UKzuS7xgwFVYqkSG6HUTnPK8.exe"
                                                                                                        2⤵
                                                                                                          PID:3356
                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\CeSNwalnbQGCiygp642J3OWp.exe
                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\CeSNwalnbQGCiygp642J3OWp.exe"
                                                                                                          2⤵
                                                                                                            PID:4876
                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\iibuvWyrO4Szp8XsfRxm7qPi.exe
                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\iibuvWyrO4Szp8XsfRxm7qPi.exe"
                                                                                                            2⤵
                                                                                                              PID:4720
                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\IZIcOubhKIsyJOyAfLfupAkZ.exe
                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\IZIcOubhKIsyJOyAfLfupAkZ.exe"
                                                                                                              2⤵
                                                                                                                PID:3736
                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\1pbuNbDSBzwSnAP4yAdjqVOI.exe
                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\1pbuNbDSBzwSnAP4yAdjqVOI.exe"
                                                                                                                2⤵
                                                                                                                  PID:4736
                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 660
                                                                                                                    3⤵
                                                                                                                    • Program crash
                                                                                                                    PID:4592
                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\OCuOhyn5c4jPhjstXY43wz7D.exe
                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\OCuOhyn5c4jPhjstXY43wz7D.exe"
                                                                                                                  2⤵
                                                                                                                    PID:1480
                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\DOQ7ZWtym5GKtf0wX3jpf5kF.exe
                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\DOQ7ZWtym5GKtf0wX3jpf5kF.exe"
                                                                                                                    2⤵
                                                                                                                      PID:1404
                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\LeeDnehVz2SjTzvbBYmkLhjW.exe
                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\LeeDnehVz2SjTzvbBYmkLhjW.exe"
                                                                                                                      2⤵
                                                                                                                        PID:1052
                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\1JJRoY7xuwnRvPoGZzdpF1II.exe
                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\1JJRoY7xuwnRvPoGZzdpF1II.exe"
                                                                                                                        2⤵
                                                                                                                          PID:888
                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\tVJxECEnFTW844HnuMYaOmYB.exe
                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\tVJxECEnFTW844HnuMYaOmYB.exe"
                                                                                                                          2⤵
                                                                                                                            PID:4248
                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\PsBIQZbeG8J4Vgev7n4ZbhTF.exe
                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\PsBIQZbeG8J4Vgev7n4ZbhTF.exe"
                                                                                                                            2⤵
                                                                                                                              PID:5004
                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\Zrq7tnDPZEFuTxoazWA7sEYq.exe
                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\Zrq7tnDPZEFuTxoazWA7sEYq.exe"
                                                                                                                              2⤵
                                                                                                                                PID:4788
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat02cdf215315.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat02cdf215315.exe
                                                                                                                              1⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:1668
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat0264224d20747.exe
                                                                                                                              Sat0264224d20747.exe
                                                                                                                              1⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:1536
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat0264224d20747.exe
                                                                                                                                C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat0264224d20747.exe
                                                                                                                                2⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:3020
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS835662F5\Sat02cdf215315.exe
                                                                                                                              Sat02cdf215315.exe
                                                                                                                              1⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:1824
                                                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                              1⤵
                                                                                                                              • Process spawned unexpected child process
                                                                                                                              PID:4760
                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                2⤵
                                                                                                                                • Loads dropped DLL
                                                                                                                                • Modifies registry class
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:4772

                                                                                                                            Network

                                                                                                                                  MITRE ATT&CK Enterprise v6

                                                                                                                                  Downloads


                                                                                                                                    816KB

                                                                                                                                  • memory/1416-465-0x00000168ACC10000-0x00000168ACC82000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    456KB

                                                                                                                                  • memory/1440-260-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    816KB

                                                                                                                                  • memory/1448-144-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.5MB

                                                                                                                                  • memory/1448-142-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.5MB

                                                                                                                                  • memory/1448-136-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    100KB

                                                                                                                                  • memory/1448-139-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    100KB

                                                                                                                                  • memory/1448-145-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    152KB

                                                                                                                                  • memory/1448-138-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    100KB

                                                                                                                                  • memory/1448-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    572KB

                                                                                                                                  • memory/1448-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    572KB

                                                                                                                                  • memory/1448-141-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    100KB

                                                                                                                                  • memory/1448-137-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    572KB

                                                                                                                                  • memory/1448-143-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.5MB

                                                                                                                                  • memory/1448-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.5MB

                                                                                                                                  • memory/1456-449-0x0000020B5FC70000-0x0000020B5FCE2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    456KB

                                                                                                                                  • memory/1480-304-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    816KB

                                                                                                                                  • memory/1480-284-0x0000000000520000-0x0000000000529000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    36KB

                                                                                                                                  • memory/1496-237-0x00000000004C0000-0x000000000056E000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    696KB

                                                                                                                                  • memory/1536-225-0x0000000000A60000-0x0000000000A61000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1536-245-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1536-243-0x0000000005330000-0x0000000005331000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1536-268-0x0000000005B30000-0x0000000005B31000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1668-320-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1668-305-0x0000000005500000-0x0000000005501000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1668-285-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    128KB

                                                                                                                                  • memory/1668-364-0x0000000004EF0000-0x00000000054F6000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    6.0MB

                                                                                                                                  • memory/1732-538-0x00000000023A0000-0x00000000023E5000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    276KB

                                                                                                                                  • memory/1824-234-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1824-239-0x0000000004B20000-0x0000000004B21000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1824-209-0x0000000000350000-0x0000000000351000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1824-246-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1824-231-0x0000000004C70000-0x0000000004C71000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1856-261-0x00000000078E0000-0x00000000078E1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1856-215-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1856-194-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1856-484-0x000000007EC40000-0x000000007EC41000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1856-267-0x0000000007D00000-0x0000000007D01000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1856-264-0x0000000007A00000-0x0000000007A01000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1856-202-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1856-220-0x0000000007270000-0x0000000007271000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1856-221-0x0000000006BF2000-0x0000000006BF3000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1856-272-0x0000000007D70000-0x0000000007D71000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1856-211-0x0000000006C00000-0x0000000006C01000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/1904-447-0x0000023361610000-0x0000023361682000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    456KB

                                                                                                                                  • memory/1976-334-0x0000000002410000-0x0000000002412000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    8KB

                                                                                                                                  • memory/2060-279-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    340KB

                                                                                                                                  • memory/2288-407-0x000001C9F8AE0000-0x000001C9F8B52000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    456KB

                                                                                                                                  • memory/2288-406-0x000001C9F8A20000-0x000001C9F8A6D000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    308KB

                                                                                                                                  • memory/2384-432-0x000001FB96470000-0x000001FB964E2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    456KB

                                                                                                                                  • memory/2428-431-0x0000020349D40000-0x0000020349DB2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    456KB

                                                                                                                                  • memory/2600-413-0x00000145AE300000-0x00000145AE372000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    456KB

                                                                                                                                  • memory/2640-313-0x0000000000F60000-0x0000000000F61000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/2640-323-0x0000000005740000-0x00000000057A0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    384KB

                                                                                                                                  • memory/2640-315-0x0000000005730000-0x0000000005731000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/2640-348-0x00000000057F0000-0x00000000057F1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                  • memory/2696-466-0x0000022803AA0000-0x0000022803B12000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    456KB

                                                                                                                                  • memory/2712-470-0x000001958DF60000-0x000001958DFD2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    456KB

                                                                                                                                  • memory/2840-199-0x0000000000720000-0x0000000000721000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB
