Analysis

  • max time kernel
    142s
  • max time network
    187s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    23/12/2021, 13:28

General

  • Target

    95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe

  • Size

    9.9MB

  • MD5

    d96604e6d61e59a0ada37d738dde3dec

  • SHA1

    79e674165810ae7861a8cb1e59230361da2a8f3a

  • SHA256

    95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859

  • SHA512

    8f9660bb9d6066e08e6cba581c4cfae7487536e6bfbbf1f3852145dc1dfe5900f79637812272c9e2117f638b70752f51dad3c80b1574193670b685e8a1124dde

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

vidar

Version

49.2

Botnet

915

C2

https://mstdn.social/@kipriauk9

https://qoto.org/@kipriauk8

Attributes
  • profile_id

    915

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

8fc55a7ea41b0c5db2ca3c881e20966100c28a40

Attributes
  • url4cnc

    http://194.180.174.53/jredmankun

    http://91.219.236.18/jredmankun

    http://194.180.174.41/jredmankun

    http://91.219.236.148/jredmankun

    https://t.me/jredmankun

rc4.plain

Extracted

Family

redline

Botnet

media22ns

C2

65.108.69.168:13293

Extracted

Family

redline

Botnet

v3user1

C2

159.69.246.184:13127

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE GCleaner Downloader Activity M5

  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

  • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 8 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 32 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies registry class 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe
    "C:\Users\Admin\AppData\Local\Temp\95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4164
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Users\Admin\AppData\Local\Temp\7zS06664586\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS06664586\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4324
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:508
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:792
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:612
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3232
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Wed163cde2f33.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:884
          • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed163cde2f33.exe
            Wed163cde2f33.exe
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:1836
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Wed16c449cf8eaf38a8.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:400
          • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16c449cf8eaf38a8.exe
            Wed16c449cf8eaf38a8.exe
            5⤵
            • Executes dropped EXE
            PID:1748
            • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16c449cf8eaf38a8.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16c449cf8eaf38a8.exe" -u
              6⤵
              • Executes dropped EXE
              PID:4592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Wed161aa00221.exe /mixtwo
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1200
          • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed161aa00221.exe
            Wed161aa00221.exe /mixtwo
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:1744
            • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed161aa00221.exe
              Wed161aa00221.exe /mixtwo
              6⤵
              • Executes dropped EXE
              PID:2092
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed161aa00221.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed161aa00221.exe" & exit
                7⤵
                  PID:3556
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /im "Wed161aa00221.exe" /f
                    8⤵
                    • Kills process with taskkill
                    PID:4892
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Wed16c0128f84198.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1376
            • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16c0128f84198.exe
              Wed16c0128f84198.exe
              5⤵
              • Executes dropped EXE
              • Checks SCSI registry key(s)
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:2188
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Wed168409f03a6ee66.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1428
            • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed168409f03a6ee66.exe
              Wed168409f03a6ee66.exe
              5⤵
              • Executes dropped EXE
              PID:2416
              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                6⤵
                • Executes dropped EXE
                PID:4960
              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                6⤵
                • Executes dropped EXE
                PID:3812
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Wed16430a6d225.exe
            4⤵
              PID:1516
              • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16430a6d225.exe
                Wed16430a6d225.exe
                5⤵
                • Executes dropped EXE
                PID:2724
                • C:\Users\Admin\AppData\Local\Temp\is-J8E4O.tmp\Wed16430a6d225.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-J8E4O.tmp\Wed16430a6d225.tmp" /SL5="$70030,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16430a6d225.exe"
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:2972
                  • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16430a6d225.exe
                    "C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16430a6d225.exe" /SILENT
                    7⤵
                    • Executes dropped EXE
                    PID:4928
                    • C:\Users\Admin\AppData\Local\Temp\is-QU9A7.tmp\Wed16430a6d225.tmp
                      "C:\Users\Admin\AppData\Local\Temp\is-QU9A7.tmp\Wed16430a6d225.tmp" /SL5="$401CC,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16430a6d225.exe" /SILENT
                      8⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:2832
                      • C:\Users\Admin\AppData\Local\Temp\is-3EUD1.tmp\windllhost.exe
                        "C:\Users\Admin\AppData\Local\Temp\is-3EUD1.tmp\windllhost.exe" 77
                        9⤵
                          PID:3216
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Wed16b7f58bed.exe
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1064
                • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16b7f58bed.exe
                  Wed16b7f58bed.exe
                  5⤵
                  • Executes dropped EXE
                  PID:1712
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Wed16814b15e2bbe.exe
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3132
                • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16814b15e2bbe.exe
                  Wed16814b15e2bbe.exe
                  5⤵
                  • Executes dropped EXE
                  PID:1716
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Wed167ce42a0c123f.exe
                4⤵
                  PID:2052
                  • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed167ce42a0c123f.exe
                    Wed167ce42a0c123f.exe
                    5⤵
                    • Executes dropped EXE
                    • Modifies registry class
                    PID:4884
                    • C:\Windows\SysWOW64\control.exe
                      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\SL4L.cpL",
                      6⤵
                        PID:1772
                        • C:\Windows\SysWOW64\rundll32.exe
                          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SL4L.cpL",
                          7⤵
                          • Loads dropped DLL
                          PID:4444
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Wed160ef4d04d0cf6.exe
                    4⤵
                      PID:2780
                      • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed160ef4d04d0cf6.exe
                        Wed160ef4d04d0cf6.exe
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1460
                        • C:\Users\Admin\AppData\Local\53eef956-38a9-4d49-b5ca-1f8c9df70a6e.exe
                          "C:\Users\Admin\AppData\Local\53eef956-38a9-4d49-b5ca-1f8c9df70a6e.exe"
                          6⤵
                          • Executes dropped EXE
                          PID:2388
                        • C:\Users\Admin\AppData\Local\a1026c02-c34c-451e-974b-5af71f08e889.exe
                          "C:\Users\Admin\AppData\Local\a1026c02-c34c-451e-974b-5af71f08e889.exe"
                          6⤵
                          • Executes dropped EXE
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          PID:2408
                        • C:\Users\Admin\AppData\Local\83cc5ae1-ee51-4850-884b-15b54d2dd6a2.exe
                          "C:\Users\Admin\AppData\Local\83cc5ae1-ee51-4850-884b-15b54d2dd6a2.exe"
                          6⤵
                          • Executes dropped EXE
                          PID:4960
                          • C:\Users\Admin\AppData\Roaming\8378962.exe
                            "C:\Users\Admin\AppData\Roaming\8378962.exe"
                            7⤵
                              PID:1532
                              • C:\Windows\SysWOW64\control.exe
                                "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
                                8⤵
                                  PID:5728
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Wed16a36d1f6f23.exe
                          4⤵
                            PID:4864
                            • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16a36d1f6f23.exe
                              Wed16a36d1f6f23.exe
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4992
                              • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16a36d1f6f23.exe
                                C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16a36d1f6f23.exe
                                6⤵
                                • Executes dropped EXE
                                PID:4744
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Wed16693e79560dd.exe
                            4⤵
                              PID:4816
                              • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16693e79560dd.exe
                                Wed16693e79560dd.exe
                                5⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2672
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd.exe /c taskkill /f /im chrome.exe
                                  6⤵
                                    PID:2776
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /f /im chrome.exe
                                      7⤵
                                      • Kills process with taskkill
                                      PID:1372
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Wed1645070e75.exe
                                4⤵
                                  PID:3868
                                  • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed1645070e75.exe
                                    Wed1645070e75.exe
                                    5⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5020
                                    • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed1645070e75.exe
                                      C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed1645070e75.exe
                                      6⤵
                                      • Executes dropped EXE
                                      PID:2204
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c Wed163ae772fc.exe
                                  4⤵
                                    PID:2704
                                    • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed163ae772fc.exe
                                      Wed163ae772fc.exe
                                      5⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4600
                                      • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        PID:4896
                                        • C:\Users\Admin\AppData\Local\Temp\myamrnewfile.exe
                                          "C:\Users\Admin\AppData\Local\Temp\myamrnewfile.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:4372
                                        • C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31827.exe
                                          "C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31827.exe"
                                          7⤵
                                            PID:660
                                          • C:\Users\Admin\AppData\Local\Temp\DisgruntleMezzanines_2021-12-22_21-08.exe
                                            "C:\Users\Admin\AppData\Local\Temp\DisgruntleMezzanines_2021-12-22_21-08.exe"
                                            7⤵
                                              PID:5048
                                            • C:\Users\Admin\AppData\Local\Temp\inst.exe
                                              "C:\Users\Admin\AppData\Local\Temp\inst.exe"
                                              7⤵
                                                PID:364
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c Wed16d53730fd5435.exe
                                          4⤵
                                            PID:2340
                                            • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16d53730fd5435.exe
                                              Wed16d53730fd5435.exe
                                              5⤵
                                              • Executes dropped EXE
                                              • Checks computer location settings
                                              PID:4996
                                              • C:\Users\Admin\Pictures\Adobe Films\4sebI3D01qcPsCpM9Vgp0hE7.exe
                                                "C:\Users\Admin\Pictures\Adobe Films\4sebI3D01qcPsCpM9Vgp0hE7.exe"
                                                6⤵
                                                  PID:4240
                                                • C:\Users\Admin\Pictures\Adobe Films\Miu54K4SHYGGIe2Qh9NPpElJ.exe
                                                  "C:\Users\Admin\Pictures\Adobe Films\Miu54K4SHYGGIe2Qh9NPpElJ.exe"
                                                  6⤵
                                                    PID:1860
                                                  • C:\Users\Admin\Pictures\Adobe Films\xj205crxMGRWr9WICccMO2DZ.exe
                                                    "C:\Users\Admin\Pictures\Adobe Films\xj205crxMGRWr9WICccMO2DZ.exe"
                                                    6⤵
                                                      PID:4620
                                                    • C:\Users\Admin\Pictures\Adobe Films\mIj_cY7T4_uTb2GbZzvrF2Iq.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\mIj_cY7T4_uTb2GbZzvrF2Iq.exe"
                                                      6⤵
                                                        PID:2988
                                                      • C:\Users\Admin\Pictures\Adobe Films\Q2Z1JPzxk1o_2H8ZFt_O1ySa.exe
                                                        "C:\Users\Admin\Pictures\Adobe Films\Q2Z1JPzxk1o_2H8ZFt_O1ySa.exe"
                                                        6⤵
                                                          PID:2272
                                                        • C:\Users\Admin\Pictures\Adobe Films\ow8PMn48zXdt_w5DeFPWzxJC.exe
                                                          "C:\Users\Admin\Pictures\Adobe Films\ow8PMn48zXdt_w5DeFPWzxJC.exe"
                                                          6⤵
                                                            PID:3776
                                                          • C:\Users\Admin\Pictures\Adobe Films\Rmwewj05jy62TxXxNF9CRccv.exe
                                                            "C:\Users\Admin\Pictures\Adobe Films\Rmwewj05jy62TxXxNF9CRccv.exe"
                                                            6⤵
                                                              PID:4332
                                                            • C:\Users\Admin\Pictures\Adobe Films\JVYBLRj6xzl843MfgFlqZGOO.exe
                                                              "C:\Users\Admin\Pictures\Adobe Films\JVYBLRj6xzl843MfgFlqZGOO.exe"
                                                              6⤵
                                                                PID:3832
                                                              • C:\Users\Admin\Pictures\Adobe Films\lar5OaE93kc3QiPt6proJfON.exe
                                                                "C:\Users\Admin\Pictures\Adobe Films\lar5OaE93kc3QiPt6proJfON.exe"
                                                                6⤵
                                                                  PID:2448
                                                                • C:\Users\Admin\Pictures\Adobe Films\2DC4zWaKe0c5rqQAISCoAb04.exe
                                                                  "C:\Users\Admin\Pictures\Adobe Films\2DC4zWaKe0c5rqQAISCoAb04.exe"
                                                                  6⤵
                                                                    PID:4656
                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS372F.tmp\Install.exe
                                                                      .\Install.exe
                                                                      7⤵
                                                                        PID:5288
                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS5A28.tmp\Install.exe
                                                                          .\Install.exe /S /site_id "525403"
                                                                          8⤵
                                                                            PID:5664
                                                                      • C:\Users\Admin\Pictures\Adobe Films\yyimQKvpHmn2jpoD5dAnBCpr.exe
                                                                        "C:\Users\Admin\Pictures\Adobe Films\yyimQKvpHmn2jpoD5dAnBCpr.exe"
                                                                        6⤵
                                                                          PID:2044
                                                                        • C:\Users\Admin\Pictures\Adobe Films\mQtNTc4ynfpmopcLeXK0IOCE.exe
                                                                          "C:\Users\Admin\Pictures\Adobe Films\mQtNTc4ynfpmopcLeXK0IOCE.exe"
                                                                          6⤵
                                                                            PID:3192
                                                                          • C:\Users\Admin\Pictures\Adobe Films\JW0zYvb7iowChPhQDmmZnlta.exe
                                                                            "C:\Users\Admin\Pictures\Adobe Films\JW0zYvb7iowChPhQDmmZnlta.exe"
                                                                            6⤵
                                                                              PID:4928
                                                                            • C:\Users\Admin\Pictures\Adobe Films\Ee0nHoRPX5POR8ADJ9zFwOLx.exe
                                                                              "C:\Users\Admin\Pictures\Adobe Films\Ee0nHoRPX5POR8ADJ9zFwOLx.exe"
                                                                              6⤵
                                                                                PID:2352
                                                                              • C:\Users\Admin\Pictures\Adobe Films\IPDDiwQlaqk9cQRTyL5V1D49.exe
                                                                                "C:\Users\Admin\Pictures\Adobe Films\IPDDiwQlaqk9cQRTyL5V1D49.exe"
                                                                                6⤵
                                                                                  PID:192
                                                                                • C:\Users\Admin\Pictures\Adobe Films\h5NYBiiXEmX32cVjFnbQllov.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\h5NYBiiXEmX32cVjFnbQllov.exe"
                                                                                  6⤵
                                                                                    PID:204
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\M939kRmQhirIPRoWq6YqFBWP.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\M939kRmQhirIPRoWq6YqFBWP.exe"
                                                                                    6⤵
                                                                                    • Drops file in Program Files directory
                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                    PID:2832
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\zG3tHipyQ7LpXbwzPPKGi4C4.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\zG3tHipyQ7LpXbwzPPKGi4C4.exe"
                                                                                    6⤵
                                                                                      PID:2964
                                                                                    • C:\Users\Admin\Pictures\Adobe Films\7XsVzVoc44lFz6Pt3NJTChdV.exe
                                                                                      "C:\Users\Admin\Pictures\Adobe Films\7XsVzVoc44lFz6Pt3NJTChdV.exe"
                                                                                      6⤵
                                                                                        PID:2268
                                                                                      • C:\Users\Admin\Pictures\Adobe Films\4INUL6YhM7FrpgiXnHaDA7qK.exe
                                                                                        "C:\Users\Admin\Pictures\Adobe Films\4INUL6YhM7FrpgiXnHaDA7qK.exe"
                                                                                        6⤵
                                                                                          PID:2968
                                                                                        • C:\Users\Admin\Pictures\Adobe Films\I8nj8crYNWTFJ9eB7p8DiSo2.exe
                                                                                          "C:\Users\Admin\Pictures\Adobe Films\I8nj8crYNWTFJ9eB7p8DiSo2.exe"
                                                                                          6⤵
                                                                                            PID:3236
                                                                                          • C:\Users\Admin\Pictures\Adobe Films\2jE7czQlXjeac6ypxoYa0ZCR.exe
                                                                                            "C:\Users\Admin\Pictures\Adobe Films\2jE7czQlXjeac6ypxoYa0ZCR.exe"
                                                                                            6⤵
                                                                                              PID:1396
                                                                                            • C:\Users\Admin\Pictures\Adobe Films\GgGVdh4X1FiBZsSIRilq8uz6.exe
                                                                                              "C:\Users\Admin\Pictures\Adobe Films\GgGVdh4X1FiBZsSIRilq8uz6.exe"
                                                                                              6⤵
                                                                                                PID:2440
                                                                                              • C:\Users\Admin\Pictures\Adobe Films\uRn9cFqfP5ZywV1K7jcLmcNb.exe
                                                                                                "C:\Users\Admin\Pictures\Adobe Films\uRn9cFqfP5ZywV1K7jcLmcNb.exe"
                                                                                                6⤵
                                                                                                  PID:3176
                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 400
                                                                                                    7⤵
                                                                                                    • Program crash
                                                                                                    PID:5176
                                                                                                • C:\Users\Admin\Pictures\Adobe Films\yaQ0sXyIIFi43VfCVlRdnMYC.exe
                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\yaQ0sXyIIFi43VfCVlRdnMYC.exe"
                                                                                                  6⤵
                                                                                                    PID:4340
                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\eBArWrp_0PF7RvTFFyENe1ck.exe
                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\eBArWrp_0PF7RvTFFyENe1ck.exe"
                                                                                                    6⤵
                                                                                                      PID:2976
                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\frbVMvUMiGVTi6xP49byhLDf.exe
                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\frbVMvUMiGVTi6xP49byhLDf.exe"
                                                                                                      6⤵
                                                                                                        PID:5168
                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\0_zfF1U5YV_AvXCkoOQCY_qM.exe
                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\0_zfF1U5YV_AvXCkoOQCY_qM.exe"
                                                                                                        6⤵
                                                                                                          PID:5320
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c Wed16d7a95b10861.exe
                                                                                                      4⤵
                                                                                                        PID:4832
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16d7a95b10861.exe
                                                                                                          Wed16d7a95b10861.exe
                                                                                                          5⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Modifies registry class
                                                                                                          PID:408
                                                                                                          • C:\Windows\SysWOW64\control.exe
                                                                                                            "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl",
                                                                                                            6⤵
                                                                                                              PID:1016
                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl",
                                                                                                                7⤵
                                                                                                                  PID:3540
                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      PID:4192
                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                        2⤵
                                                                                                          PID:4704
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                        1⤵
                                                                                                          PID:3444

                                                                                                        Network

                                                                                                              MITRE ATT&CK Enterprise v6

                                                                                                              Downloads


                                                                                                              • memory/2408-347-0x00000000708E0000-0x0000000070960000-memory.dmp

                                                                                                                Filesize

                                                                                                                512KB

                                                                                                              • memory/2408-390-0x0000000076980000-0x0000000076F04000-memory.dmp

                                                                                                                Filesize

                                                                                                                5.5MB

                                                                                                              • memory/2408-394-0x0000000074C00000-0x0000000075F48000-memory.dmp

                                                                                                                Filesize

                                                                                                                19.3MB

                                                                                                              • memory/2420-431-0x000002E3F30C0000-0x000002E3F30C2000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                              • memory/2420-433-0x000002E3F30C0000-0x000002E3F30C2000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                              • memory/2620-417-0x000001A5D4530000-0x000001A5D4532000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                              • memory/2620-416-0x000001A5D4530000-0x000001A5D4532000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                              • memory/2724-209-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                                                                Filesize

                                                                                                                816KB

                                                                                                              • memory/2832-311-0x00000000007F0000-0x00000000007F1000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                              • memory/2972-270-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                              • memory/3232-305-0x00000000083B0000-0x00000000083D2000-memory.dmp

                                                                                                                Filesize

                                                                                                                136KB

                                                                                                              • memory/3232-264-0x0000000006E30000-0x0000000006E66000-memory.dmp

                                                                                                                Filesize

                                                                                                                216KB

                                                                                                              • memory/3232-308-0x0000000008460000-0x00000000084C6000-memory.dmp

                                                                                                                Filesize

                                                                                                                408KB

                                                                                                              • memory/3232-284-0x0000000006E90000-0x0000000006E91000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                              • memory/3232-412-0x0000000003170000-0x0000000003171000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                              • memory/3232-323-0x0000000008720000-0x0000000008A70000-memory.dmp

                                                                                                                Filesize

                                                                                                                3.3MB

                                                                                                              • memory/3232-195-0x0000000003170000-0x0000000003171000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                              • memory/3232-271-0x00000000074D0000-0x0000000007AF8000-memory.dmp

                                                                                                                Filesize

                                                                                                                6.2MB

                                                                                                              • memory/3232-310-0x00000000086B0000-0x0000000008716000-memory.dmp

                                                                                                                Filesize

                                                                                                                408KB

                                                                                                              • memory/3232-290-0x0000000006E92000-0x0000000006E93000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                              • memory/3232-204-0x0000000003170000-0x0000000003171000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                              • memory/3444-423-0x0000020137BE0000-0x0000020137BE2000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                              • memory/3444-420-0x0000020137BE0000-0x0000020137BE2000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                              • memory/3812-303-0x0000000000400000-0x000000000047C000-memory.dmp

                                                                                                                Filesize

                                                                                                                496KB

                                                                                                              • memory/4324-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                Filesize

                                                                                                                572KB

                                                                                                              • memory/4324-144-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                Filesize

                                                                                                                100KB

                                                                                                              • memory/4324-146-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                Filesize

                                                                                                                100KB

                                                                                                              • memory/4324-145-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                Filesize

                                                                                                                100KB

                                                                                                              • memory/4324-143-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                Filesize

                                                                                                                100KB

                                                                                                              • memory/4324-137-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                Filesize

                                                                                                                572KB

                                                                                                              • memory/4324-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.5MB

                                                                                                              • memory/4324-136-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                Filesize

                                                                                                                572KB

                                                                                                              • memory/4324-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.5MB

                                                                                                              • memory/4324-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.5MB

                                                                                                              • memory/4324-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.5MB

                                                                                                              • memory/4324-142-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                Filesize

                                                                                                                152KB

                                                                                                              • memory/4600-251-0x000000001B700000-0x000000001B702000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                              • memory/4600-237-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

                                                                                                                Filesize

                                                                                                                32KB

                                                                                                              • memory/4600-236-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

                                                                                                                Filesize

                                                                                                                32KB

                                                                                                              • memory/4744-352-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                Filesize

                                                                                                                128KB

                                                                                                              • memory/4884-229-0x0000000000A40000-0x0000000000A41000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                              • memory/4884-235-0x0000000000A40000-0x0000000000A41000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                              • memory/4896-330-0x0000000000ED0000-0x0000000001020000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.3MB

                                                                                                              • memory/4928-288-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                                                                Filesize

                                                                                                                816KB

                                                                                                              • memory/4960-252-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                                                                Filesize

                                                                                                                340KB

                                                                                                              • memory/4992-260-0x0000000000FC0000-0x000000000104C000-memory.dmp

                                                                                                                Filesize

                                                                                                                560KB

                                                                                                              • memory/4992-272-0x0000000005860000-0x0000000005861000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                              • memory/4992-276-0x0000000005790000-0x0000000005791000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                              • memory/4992-281-0x0000000005810000-0x000000000582E000-memory.dmp

                                                                                                                Filesize

                                                                                                                120KB

                                                                                                              • memory/4992-263-0x0000000000FC0000-0x000000000104C000-memory.dmp

                                                                                                                Filesize

                                                                                                                560KB

                                                                                                              • memory/4992-327-0x0000000006350000-0x000000000684E000-memory.dmp

                                                                                                                Filesize

                                                                                                                5.0MB

                                                                                                              • memory/4992-273-0x0000000005870000-0x00000000058E6000-memory.dmp

                                                                                                                Filesize

                                                                                                                472KB

                                                                                                              • memory/5020-277-0x00000000059A0000-0x00000000059A1000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                              • memory/5020-282-0x0000000005740000-0x000000000575E000-memory.dmp

                                                                                                                Filesize

                                                                                                                120KB

                                                                                                              • memory/5020-274-0x0000000005760000-0x00000000057D6000-memory.dmp

                                                                                                                Filesize

                                                                                                                472KB

                                                                                                              • memory/5020-294-0x0000000001760000-0x0000000001761000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                              • memory/5020-325-0x00000000062B0000-0x00000000067AE000-memory.dmp

                                                                                                                Filesize

                                                                                                                5.0MB

                                                                                                              • memory/5020-262-0x0000000000EF0000-0x0000000000F7C000-memory.dmp

                                                                                                                Filesize

                                                                                                                560KB

                                                                                                              • memory/5020-259-0x0000000000EF0000-0x0000000000F7C000-memory.dmp

                                                                                                                Filesize

                                                                                                                560KB