Analysis

  • max time kernel
    77s
  • max time network
    169s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    20/12/2021, 14:04

General

  • Target

    8839771aee479930907060dd563e9f4929285d614ae9b386d22db49a4f142cff.exe

  • Size

    7.1MB

  • MD5

    d0884c4afb0ca9382ea1aef55a9c55ff

  • SHA1

    e1d088efe57c5e9c471faf37690f8292714f9a10

  • SHA256

    8839771aee479930907060dd563e9f4929285d614ae9b386d22db49a4f142cff

  • SHA512

    efa9e586442257f78db008cfb44494e1a636e2c82f93d8794b89e108b5c43ba6eff446d814ea243c70e914fb9706efc2be0e05f6a1e7b3c6b042e502b24789bb

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes
  • profile_id

    915

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/


Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers.

  • Nirsoft 5 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 31 IoCs
  • Loads dropped DLL 15 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 18 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
      PID:2792
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
      1⤵
        PID:2764
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Browser
        1⤵
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2660
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Checks processor information in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          PID:992
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
        1⤵
          PID:2488
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
          1⤵
            PID:2448
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
            1⤵
              PID:1900
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s SENS
              1⤵
                PID:1456
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                1⤵
                  PID:1372
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s Themes
                  1⤵
                    PID:1260
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                    1⤵
                      PID:1184
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                      1⤵
                        PID:1092
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                        1⤵
                          PID:428
                        • C:\Users\Admin\AppData\Local\Temp\8839771aee479930907060dd563e9f4929285d614ae9b386d22db49a4f142cff.exe
                          "C:\Users\Admin\AppData\Local\Temp\8839771aee479930907060dd563e9f4929285d614ae9b386d22db49a4f142cff.exe"
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2720
                          • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                            "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:2512
                            • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\setup_install.exe
                              "C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\setup_install.exe"
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of WriteProcessMemory
                              PID:4040
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                4⤵
                                • Suspicious use of WriteProcessMemory
                                PID:532
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                  5⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:384
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                                4⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2076
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                                  5⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1192
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Sat03ce6beb596be.exe
                                4⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4028
                                • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat03ce6beb596be.exe
                                  Sat03ce6beb596be.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • Checks SCSI registry key(s)
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious behavior: MapViewOfSection
                                  PID:3304
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Sat0313c07b4c8569d96.exe /mixtwo
                                4⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2876
                                • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0313c07b4c8569d96.exe
                                  Sat0313c07b4c8569d96.exe /mixtwo
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  PID:2368
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Sat0367b294b57eaa.exe
                                4⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2916
                                • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0367b294b57eaa.exe
                                  Sat0367b294b57eaa.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Checks processor information in registry
                                  PID:2092
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c taskkill /im Sat0367b294b57eaa.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0367b294b57eaa.exe" & del C:\ProgramData\*.dll & exit
                                    6⤵
                                      PID:3012
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /im Sat0367b294b57eaa.exe /f
                                        7⤵
                                        • Kills process with taskkill
                                        PID:4356
                                      • C:\Windows\SysWOW64\timeout.exe
                                        timeout /t 6
                                        7⤵
                                        • Delays execution with timeout.exe
                                        PID:4912
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c Sat0388b884d9a4.exe
                                  4⤵
                                    PID:2724
                                    • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0388b884d9a4.exe
                                      Sat0388b884d9a4.exe
                                      5⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2540
                                      • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0388b884d9a4.exe
                                        C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0388b884d9a4.exe
                                        6⤵
                                        • Executes dropped EXE
                                        PID:4252
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Sat0300a004bfdf8.exe
                                    4⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:4044
                                    • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0300a004bfdf8.exe
                                      Sat0300a004bfdf8.exe
                                      5⤵
                                      • Executes dropped EXE
                                      PID:1344
                                      • C:\Users\Admin\AppData\Local\Temp\is-BE9MQ.tmp\Sat0300a004bfdf8.tmp
                                        "C:\Users\Admin\AppData\Local\Temp\is-BE9MQ.tmp\Sat0300a004bfdf8.tmp" /SL5="$70062,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0300a004bfdf8.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        PID:1384
                                        • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0300a004bfdf8.exe
                                          "C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0300a004bfdf8.exe" /SILENT
                                          7⤵
                                          • Executes dropped EXE
                                          PID:2744
                                          • C:\Users\Admin\AppData\Local\Temp\is-B3537.tmp\Sat0300a004bfdf8.tmp
                                            "C:\Users\Admin\AppData\Local\Temp\is-B3537.tmp\Sat0300a004bfdf8.tmp" /SL5="$40052,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0300a004bfdf8.exe" /SILENT
                                            8⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            PID:3932
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Sat039c8125fef.exe
                                    4⤵
                                      PID:1232
                                      • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat039c8125fef.exe
                                        Sat039c8125fef.exe
                                        5⤵
                                        • Executes dropped EXE
                                        PID:3808
                                        • C:\Users\Admin\AppData\Local\Temp\is-MBJKB.tmp\Sat039c8125fef.tmp
                                          "C:\Users\Admin\AppData\Local\Temp\is-MBJKB.tmp\Sat039c8125fef.tmp" /SL5="$60054,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat039c8125fef.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          PID:1292
                                          • C:\Users\Admin\AppData\Local\Temp\is-FC2RM.tmp\Tougay.exe
                                            "C:\Users\Admin\AppData\Local\Temp\is-FC2RM.tmp\Tougay.exe" /S /UID=91
                                            7⤵
                                            • Executes dropped EXE
                                            PID:2472
                                            • C:\Users\Admin\AppData\Local\Temp\49-c9435-b58-2acaa-030a35b7c19b4\ZHaqaenivaeje.exe
                                              "C:\Users\Admin\AppData\Local\Temp\49-c9435-b58-2acaa-030a35b7c19b4\ZHaqaenivaeje.exe"
                                              8⤵
                                                PID:2092
                                              • C:\Users\Admin\AppData\Local\Temp\66-ce22d-3e1-2e696-049ba3acdac13\Libaetufaesho.exe
                                                "C:\Users\Admin\AppData\Local\Temp\66-ce22d-3e1-2e696-049ba3acdac13\Libaetufaesho.exe"
                                                8⤵
                                                  PID:4820
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1thmw5qz.e14\installer.exe /qn CAMPAIGN="654" & exit
                                                    9⤵
                                                      PID:1968
                                                      • C:\Users\Admin\AppData\Local\Temp\1thmw5qz.e14\installer.exe
                                                        C:\Users\Admin\AppData\Local\Temp\1thmw5qz.e14\installer.exe /qn CAMPAIGN="654"
                                                        10⤵
                                                          PID:2424
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jvo0cgcz.hdg\any.exe & exit
                                                        9⤵
                                                          PID:4752
                                                          • C:\Users\Admin\AppData\Local\Temp\jvo0cgcz.hdg\any.exe
                                                            C:\Users\Admin\AppData\Local\Temp\jvo0cgcz.hdg\any.exe
                                                            10⤵
                                                              PID:1300
                                                              • C:\Users\Admin\AppData\Local\Temp\jvo0cgcz.hdg\any.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\jvo0cgcz.hdg\any.exe" -u
                                                                11⤵
                                                                  PID:1556
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hq2uhopu.urn\autosubplayer.exe /S & exit
                                                              9⤵
                                                                PID:4280
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c Sat036b680989409c.exe
                                                      4⤵
                                                        PID:1012
                                                        • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat036b680989409c.exe
                                                          Sat036b680989409c.exe
                                                          5⤵
                                                          • Executes dropped EXE
                                                          PID:3880
                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                            6⤵
                                                            • Executes dropped EXE
                                                            PID:1668
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c Sat03e626f1c5996a0d.exe
                                                        4⤵
                                                          PID:2344
                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat03e626f1c5996a0d.exe
                                                            Sat03e626f1c5996a0d.exe
                                                            5⤵
                                                            • Executes dropped EXE
                                                            PID:3156
                                                            • C:\Windows\SysWOW64\regsvr32.exe
                                                              "C:\Windows\System32\regsvr32.exe" /S bcZ1zM2.g3~
                                                              6⤵
                                                              • Loads dropped DLL
                                                              PID:1864
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c Sat03db72d7d0da.exe
                                                          4⤵
                                                            PID:1756
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c Sat03bed0f443e6c5b57.exe
                                                            4⤵
                                                              PID:1328
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c Sat03568cc34974.exe
                                                              4⤵
                                                                PID:1088
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c Sat0374207c03.exe
                                                                4⤵
                                                                  PID:1000
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c Sat03e80306a5d34d4f.exe
                                                                  4⤵
                                                                    PID:1892
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c Sat03b8e757387c65997.exe
                                                                    4⤵
                                                                      PID:420
                                                              • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat03db72d7d0da.exe
                                                                Sat03db72d7d0da.exe
                                                                1⤵
                                                                • Executes dropped EXE
                                                                PID:2144
                                                                • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat03db72d7d0da.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat03db72d7d0da.exe" -u
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  PID:3484
                                                              • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0374207c03.exe
                                                                Sat0374207c03.exe
                                                                1⤵
                                                                • Executes dropped EXE
                                                                PID:3784
                                                                • C:\Windows\SysWOW64\regsvr32.exe
                                                                  "C:\Windows\System32\regsvr32.exe" /S bcZ1zM2.g3~
                                                                  2⤵
                                                                  • Loads dropped DLL
                                                                  PID:2760
                                                              • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat03568cc34974.exe
                                                                Sat03568cc34974.exe
                                                                1⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:520
                                                                • C:\Users\Admin\AppData\Local\5bf85290-5f0b-490b-b7ff-4fdd40de0f62.exe
                                                                  "C:\Users\Admin\AppData\Local\5bf85290-5f0b-490b-b7ff-4fdd40de0f62.exe"
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  PID:4284
                                                                • C:\Users\Admin\AppData\Local\e7374b49-6586-4720-a9d5-f47029887866.exe
                                                                  "C:\Users\Admin\AppData\Local\e7374b49-6586-4720-a9d5-f47029887866.exe"
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  PID:4312
                                                                  • C:\Users\Admin\AppData\Roaming\36556614\1703752717037527.exe
                                                                    "C:\Users\Admin\AppData\Roaming\36556614\1703752717037527.exe"
                                                                    3⤵
                                                                      PID:5040
                                                                  • C:\Users\Admin\AppData\Local\7f5723ac-b175-4d25-89ef-07d264ac07d2.exe
                                                                    "C:\Users\Admin\AppData\Local\7f5723ac-b175-4d25-89ef-07d264ac07d2.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                    PID:4380
                                                                  • C:\Users\Admin\AppData\Local\d239baf2-4fce-4043-9299-f8481cf98061.exe
                                                                    "C:\Users\Admin\AppData\Local\d239baf2-4fce-4043-9299-f8481cf98061.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                    PID:4568
                                                                  • C:\Users\Admin\AppData\Local\dfb61ef4-1dd3-4205-9aaa-5798f7ec773e.exe
                                                                    "C:\Users\Admin\AppData\Local\dfb61ef4-1dd3-4205-9aaa-5798f7ec773e.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    PID:4696
                                                                    • C:\Users\Admin\AppData\Roaming\2964006.exe
                                                                      "C:\Users\Admin\AppData\Roaming\2964006.exe"
                                                                      3⤵
                                                                        PID:4184
                                                                        • C:\Windows\SysWOW64\control.exe
                                                                          "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                                                                          4⤵
                                                                            PID:3120
                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                              "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                                                                              5⤵
                                                                                PID:4264
                                                                                • C:\Windows\system32\RunDll32.exe
                                                                                  C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                                                                                  6⤵
                                                                                    PID:3656
                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                      "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                                                                                      7⤵
                                                                                        PID:4600
                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat03bed0f443e6c5b57.exe
                                                                            Sat03bed0f443e6c5b57.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3596
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd.exe /c taskkill /f /im chrome.exe
                                                                              2⤵
                                                                                PID:3220
                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                  taskkill /f /im chrome.exe
                                                                                  3⤵
                                                                                  • Kills process with taskkill
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:792
                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat03e80306a5d34d4f.exe
                                                                              Sat03e80306a5d34d4f.exe
                                                                              1⤵
                                                                              • Executes dropped EXE
                                                                              PID:2252
                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0313c07b4c8569d96.exe
                                                                              Sat0313c07b4c8569d96.exe /mixtwo
                                                                              1⤵
                                                                              • Executes dropped EXE
                                                                              PID:2192
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat0313c07b4c8569d96.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat0313c07b4c8569d96.exe" & exit
                                                                                2⤵
                                                                                  PID:1048
                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                    taskkill /im "Sat0313c07b4c8569d96.exe" /f
                                                                                    3⤵
                                                                                    • Kills process with taskkill
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1512
                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat03b8e757387c65997.exe
                                                                                Sat03b8e757387c65997.exe
                                                                                1⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1636
                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat03b8e757387c65997.exe
                                                                                  C:\Users\Admin\AppData\Local\Temp\7zS0D9C36E6\Sat03b8e757387c65997.exe
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:4244
                                                                              • C:\Windows\system32\rundll32.exe
                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                PID:2252
                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                  2⤵
                                                                                  • Loads dropped DLL
                                                                                  • Modifies registry class
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2364
                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                1⤵
                                                                                  PID:4296
                                                                                • C:\Windows\system32\browser_broker.exe
                                                                                  C:\Windows\system32\browser_broker.exe -Embedding
                                                                                  1⤵
                                                                                    PID:536
                                                                                  • C:\Windows\system32\msiexec.exe
                                                                                    C:\Windows\system32\msiexec.exe /V
                                                                                    1⤵
                                                                                      PID:4700
                                                                                      • C:\Windows\syswow64\MsiExec.exe
                                                                                        C:\Windows\syswow64\MsiExec.exe -Embedding FC536018FC9569BC5F64D242AB9634AE C
                                                                                        2⤵
                                                                                          PID:2088
                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                        1⤵
                                                                                          PID:5200
                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                          1⤵
                                                                                            PID:5632
                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            PID:5880
                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                              2⤵
                                                                                                PID:5896

                                                                                            Network

                                                                                                  MITRE ATT&CK Enterprise v6

                                                                                                  Downloads


                                                                                                    Filesize

                                                                                                    372KB

                                                                                                  • memory/2448-311-0x00000189E8760000-0x00000189E8762000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                  • memory/2448-312-0x00000189E8760000-0x00000189E8762000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                  • memory/2448-317-0x00000189E8F60000-0x00000189E8FD2000-memory.dmp

                                                                                                    Filesize

                                                                                                    456KB

                                                                                                  • memory/2472-318-0x00000000022D0000-0x00000000022D2000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                  • memory/2488-307-0x0000021B5CB60000-0x0000021B5CB62000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                  • memory/2488-304-0x0000021B5CB60000-0x0000021B5CB62000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                  • memory/2488-310-0x0000021B5D410000-0x0000021B5D482000-memory.dmp

                                                                                                    Filesize

                                                                                                    456KB

                                                                                                  • memory/2540-306-0x0000000005720000-0x0000000005721000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/2540-293-0x0000000005840000-0x0000000005841000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/2540-242-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/2540-299-0x0000000005680000-0x0000000005681000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/2540-337-0x0000000005700000-0x0000000005701000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/2660-292-0x00000216842C0000-0x00000216842C2000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                  • memory/2660-291-0x00000216842C0000-0x00000216842C2000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                  • memory/2660-296-0x0000021684270000-0x00000216842BD000-memory.dmp

                                                                                                    Filesize

                                                                                                    308KB

                                                                                                  • memory/2660-305-0x0000021684C00000-0x0000021684C72000-memory.dmp

                                                                                                    Filesize

                                                                                                    456KB

                                                                                                  • memory/2744-241-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                                                    Filesize

                                                                                                    816KB

                                                                                                  • memory/2760-438-0x0000000000D20000-0x0000000000D21000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/2764-336-0x000001CB03260000-0x000001CB032D2000-memory.dmp

                                                                                                    Filesize

                                                                                                    456KB

                                                                                                  • memory/2764-334-0x000001CB029D0000-0x000001CB029D2000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                  • memory/2764-333-0x000001CB029D0000-0x000001CB029D2000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                  • memory/2792-342-0x0000013753410000-0x0000013753482000-memory.dmp

                                                                                                    Filesize

                                                                                                    456KB

                                                                                                  • memory/3056-272-0x0000000000E00000-0x0000000000E16000-memory.dmp

                                                                                                    Filesize

                                                                                                    88KB

                                                                                                  • memory/3156-217-0x00000000001D0000-0x00000000001D1000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/3156-218-0x00000000001D0000-0x00000000001D1000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/3304-252-0x0000000000600000-0x000000000074A000-memory.dmp

                                                                                                    Filesize

                                                                                                    1.3MB

                                                                                                  • memory/3304-261-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                                                    Filesize

                                                                                                    816KB

                                                                                                  • memory/3304-244-0x0000000000766000-0x0000000000776000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                  • memory/3784-206-0x0000000002700000-0x0000000002701000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/3784-207-0x0000000002700000-0x0000000002701000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/3808-210-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                    Filesize

                                                                                                    80KB

                                                                                                  • memory/3932-253-0x00000000009C0000-0x00000000009C1000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/4040-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                    Filesize

                                                                                                    572KB

                                                                                                  • memory/4040-142-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                    Filesize

                                                                                                    100KB

                                                                                                  • memory/4040-144-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                    Filesize

                                                                                                    100KB

                                                                                                  • memory/4040-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                    Filesize

                                                                                                    572KB

                                                                                                  • memory/4040-146-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                    Filesize

                                                                                                    100KB

                                                                                                  • memory/4040-136-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                    Filesize

                                                                                                    572KB

                                                                                                  • memory/4040-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                    Filesize

                                                                                                    1.5MB

                                                                                                  • memory/4040-141-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                    Filesize

                                                                                                    152KB

                                                                                                  • memory/4040-147-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                    Filesize

                                                                                                    100KB

                                                                                                  • memory/4040-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                    Filesize

                                                                                                    1.5MB

                                                                                                  • memory/4040-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                    Filesize

                                                                                                    1.5MB

                                                                                                  • memory/4040-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                    Filesize

                                                                                                    1.5MB

                                                                                                  • memory/4244-427-0x0000000004F50000-0x0000000005556000-memory.dmp

                                                                                                    Filesize

                                                                                                    6.0MB

                                                                                                  • memory/4252-429-0x0000000004D20000-0x0000000005326000-memory.dmp

                                                                                                    Filesize

                                                                                                    6.0MB

                                                                                                  • memory/4284-403-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/4380-368-0x0000000001270000-0x00000000012B5000-memory.dmp

                                                                                                    Filesize

                                                                                                    276KB

                                                                                                  • memory/4380-424-0x0000000003100000-0x0000000003101000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/4568-423-0x0000000005270000-0x0000000005271000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/4568-395-0x0000000000CF0000-0x0000000000D35000-memory.dmp

                                                                                                    Filesize

                                                                                                    276KB

                                                                                                  • memory/4696-437-0x0000000005040000-0x0000000005041000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/4820-486-0x0000000003140000-0x0000000003142000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                  • memory/4820-522-0x0000000003142000-0x0000000003144000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                  • memory/4820-539-0x0000000003144000-0x0000000003145000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                  • memory/5040-460-0x000000001B5A0000-0x000000001B5A2000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB