Resubmissions

  • 01/02/2022, 09:10
    220201-k4279scee5 10
  • 15/01/2022, 13:42
    220115-qztyzsefhn 10
  • 12/01/2022, 12:30
    220112-ppk3nacfbl 10
  • 10/01/2022, 10:49
    220110-mwsd7sebe3 10
  • 07/01/2022, 20:35
    220107-zc2jzsdaeq 10
  • 07/01/2022, 10:05
    220107-l4rxzacba8 10
  • 06/01/2022, 22:46
    220106-2qch5abff5 10
  • 06/01/2022, 19:07
    220106-xsnxqabhfl 10
  • 06/01/2022, 15:26
    220106-svedvabda5 10
  • 06/01/2022, 15:25
    220106-st3p2sbgcq 10

Analysis

  • max time kernel
    1800s
  • max time network
    1690s
  • platform
    windows7_x64
  • resource
    win7-ja-20211208
  • submitted
    06/01/2022, 19:07

General

  • Target

    4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe

  • Size

    339KB

  • MD5

    b75726b4b619811b4c50d917822a4083

  • SHA1

    ed8b418d7357609ce03c4f7123c0bb711b9d227d

  • SHA256

    4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf

  • SHA512

    59516fdf6334f4005c7881322eb9a057939804e18ba8f13d0cb48fdc460aab19570c482e87700c6884807e1c885864ed422646f3150d9df731a10ecf5a7e05c9

Malware Config

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://host-data-coin-11.com/
    http://file-coin-host-12.com/
    http://srtuiyhuali.at/
    http://fufuiloirtu.com/
    http://amogohuigotuli.at/
    http://novohudosovu.com/
    http://brutuilionust.com/
    http://bubushkalioua.com/
    http://dumuilistrati.at/
    http://verboliatsiaeeees.com/
  • rc4.i32
  • rc4.i32
  • rc4.i32
  • rc4.i32

Extracted

  • Family
    raccoon
  • Botnet
    10da56e7e71e97bdc1f36eb76813bbc3231de7e4
  • Attributes
    • url4cnc
      http://194.180.174.53/capibar
      http://91.219.236.18/capibar
      http://194.180.174.41/capibar
      http://91.219.236.148/capibar
      https://t.me/capibar
  • rc4.plain
  • rc4.plain

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Arkei Stealer Payload 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 22 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 24 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 15 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of UnmapMainImage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
    "C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
      "C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:460
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7034f50,0x7fef7034f60,0x7fef7034f70
      2⤵
      PID:1116
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1236 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:428
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1092 /prefetch:2
      2⤵
      PID:1108
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1816 /prefetch:8
      2⤵
      PID:1676
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
      2⤵
      PID:956
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
      2⤵
      PID:1836
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2888 /prefetch:2
      2⤵
      PID:1868
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1088 /prefetch:8
      2⤵
      PID:1636
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
      2⤵
      PID:1784
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:8
      2⤵
      PID:760
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3296 /prefetch:8
      2⤵
      PID:2056
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4036 /prefetch:8
      2⤵
      PID:2172
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4144 /prefetch:8
      2⤵
      PID:2208
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3736 /prefetch:8
      2⤵
      PID:2224
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:8
      2⤵
      PID:2216
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4040 /prefetch:8
      2⤵
      PID:2320
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3324 /prefetch:8
      2⤵
      PID:2328
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8
      2⤵
      PID:2392
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3392 /prefetch:8
      2⤵
      PID:2428
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3416 /prefetch:8
      2⤵
      PID:2464
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      2⤵
      PID:2500
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
      2⤵
      PID:2560
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 /prefetch:8
      2⤵
      PID:2780
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 /prefetch:8
      2⤵
      PID:2884
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=536 /prefetch:8
      2⤵
      PID:2432
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 /prefetch:8
      2⤵
      PID:2492
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1468 /prefetch:8
      2⤵
      PID:2200
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4000 /prefetch:8
      2⤵
      PID:2380
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=988 /prefetch:8
      2⤵
      PID:2240
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3736 /prefetch:8
      2⤵
      PID:2480
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1004 /prefetch:8
      2⤵
      PID:2556
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1984 /prefetch:8
      2⤵
      PID:2680
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1872 /prefetch:8
      2⤵
      PID:2616
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1776 /prefetch:8
      2⤵
      PID:924
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe
      "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=kemyoYTqosDNOBf7YVyvVAtBhlmIgQEsQDF+OI5d --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
      • \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
        "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=94.273.200 --initial-client-data=0x160,0x164,0x168,0x134,0x16c,0x1401ec4b8,0x1401ec4c8,0x1401ec4d8
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:652
      • \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
        "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2784_LLEFNTWNSKNZLKUQ" --sandboxed-process-id=2 --init-done-notifier=468 --sandbox-mojo-pipe-token=12642503802866909302 --mojo-platform-channel-handle=440 --engine=2
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:2244
      • \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
        "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2784_LLEFNTWNSKNZLKUQ" --sandboxed-process-id=3 --init-done-notifier=644 --sandbox-mojo-pipe-token=4311856091931439458 --mojo-platform-channel-handle=640
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1472
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
      2⤵
      PID:2064
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1784 /prefetch:8
      2⤵
      PID:2376
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 /prefetch:8
      2⤵
      PID:1976
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1004 /prefetch:8
      2⤵
      PID:2668
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3452 /prefetch:8
      2⤵
      PID:2860
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=628 /prefetch:8
      2⤵
      PID:1588
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4000 /prefetch:8
      2⤵
      PID:2956
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3452 /prefetch:8
      2⤵
      PID:1552
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1792 /prefetch:8
      2⤵
      PID:2828
  • C:\Users\Admin\AppData\Local\Temp\7C22.exe
    C:\Users\Admin\AppData\Local\Temp\7C22.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:2632
  • C:\Users\Admin\AppData\Local\Temp\8F59.exe
    C:\Users\Admin\AppData\Local\Temp\8F59.exe
    1⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        • Suspicious use of SetThreadContext
                                                                                        PID:2676
                                                                                        • C:\Users\Admin\AppData\Local\Temp\8F59.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\8F59.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:2704
                                                                                      • C:\Users\Admin\AppData\Local\Temp\A625.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\A625.exe
                                                                                        1⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        • Checks processor information in registry
                                                                                        PID:2752
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\A625.exe" & exit
                                                                                          2⤵
                                                                                            PID:2500
                                                                                            • C:\Windows\SysWOW64\timeout.exe
                                                                                              timeout /t 5
                                                                                              3⤵
                                                                                              • Delays execution with timeout.exe
                                                                                              PID:2732
                                                                                        • C:\Users\Admin\AppData\Local\Temp\BAA0.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\BAA0.exe
                                                                                          1⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          • Suspicious use of SetThreadContext
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2824
                                                                                          • C:\Users\Admin\AppData\Local\Temp\BAA0.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\BAA0.exe
                                                                                            2⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:2872
                                                                                          • C:\Users\Admin\AppData\Local\Temp\BAA0.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\BAA0.exe
                                                                                            2⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2980
                                                                                        • C:\Windows\SysWOW64\explorer.exe
                                                                                          C:\Windows\SysWOW64\explorer.exe
                                                                                          1⤵
                                                                                          • Accesses Microsoft Outlook profiles
                                                                                          • outlook_office_path
                                                                                          • outlook_win_path
                                                                                          PID:2236
                                                                                        • C:\Windows\explorer.exe
                                                                                          C:\Windows\explorer.exe
                                                                                          1⤵
                                                                                            PID:2504
                                                                                          • C:\Users\Admin\AppData\Local\Temp\241D.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\241D.exe
                                                                                            1⤵
                                                                                            • Executes dropped EXE
                                                                                            • Loads dropped DLL
                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                            • Checks processor information in registry
                                                                                            PID:2632
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\241D.exe" & exit
                                                                                              2⤵
                                                                                                PID:2816
                                                                                                • C:\Windows\SysWOW64\timeout.exe
                                                                                                  timeout /t 5
                                                                                                  3⤵
                                                                                                  • Delays execution with timeout.exe
                                                                                                  PID:2928
                                                                                            • C:\Users\Admin\AppData\Local\Temp\39DF.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\39DF.exe
                                                                                              1⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:2604
                                                                                            • C:\Users\Admin\AppData\Local\Temp\6CB7.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\6CB7.exe
                                                                                              1⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2888
                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                              taskeng.exe {A2C3A026-2A39-45D7-82DE-8343095E6D9D} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
                                                                                              1⤵
                                                                                                PID:3016
                                                                                                • C:\Users\Admin\AppData\Roaming\rhrjafb
                                                                                                  C:\Users\Admin\AppData\Roaming\rhrjafb
                                                                                                  2⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Checks SCSI registry key(s)
                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                  PID:2040
                                                                                                • C:\Users\Admin\AppData\Roaming\esrjafb
                                                                                                  C:\Users\Admin\AppData\Roaming\esrjafb
                                                                                                  2⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of SetThreadContext
                                                                                                  PID:1740
                                                                                                  • C:\Users\Admin\AppData\Roaming\esrjafb
                                                                                                    C:\Users\Admin\AppData\Roaming\esrjafb
                                                                                                    3⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:2568
                                                                                              • C:\Windows\system32\taskeng.exe
                                                                                                taskeng.exe {9753CD37-DE62-4F70-9D60-1CE1AC78BC5D} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                                1⤵
                                                                                                  PID:2520
                                                                                                • C:\Windows\system32\taskeng.exe
                                                                                                  taskeng.exe {1663C6C7-9945-482E-8BD1-6A39EB0EFD78} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
                                                                                                  1⤵
                                                                                                    PID:2400
                                                                                                    • C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                                                                                                      "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
                                                                                                      2⤵
                                                                                                        PID:940
                                                                                                      • C:\Users\Admin\AppData\Roaming\esrjafb
                                                                                                        C:\Users\Admin\AppData\Roaming\esrjafb
                                                                                                        2⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        PID:1916
                                                                                                        • C:\Users\Admin\AppData\Roaming\esrjafb
                                                                                                          C:\Users\Admin\AppData\Roaming\esrjafb
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Checks SCSI registry key(s)
                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                          PID:2572
                                                                                                      • C:\Users\Admin\AppData\Roaming\rhrjafb
                                                                                                        C:\Users\Admin\AppData\Roaming\rhrjafb
                                                                                                        2⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:1468
                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 124
                                                                                                          3⤵
                                                                                                          • Loads dropped DLL
                                                                                                          • Program crash
                                                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2040
                                                                                                      • C:\Users\Admin\AppData\Roaming\esrjafb
                                                                                                        C:\Users\Admin\AppData\Roaming\esrjafb
                                                                                                        2⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        PID:2812
                                                                                                        • C:\Users\Admin\AppData\Roaming\esrjafb
                                                                                                          C:\Users\Admin\AppData\Roaming\esrjafb
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Checks SCSI registry key(s)
                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                          PID:2652

                                                                                                    Network

                                                                                                          MITRE ATT&CK Enterprise v6

                                                                                                          Downloads

• memory/460-55-0x0000000000400000-0x0000000000409000-memory.dmp, Filesize: 36KB
• memory/460-57-0x0000000076C81000-0x0000000076C83000-memory.dmp, Filesize: 8KB
• memory/516-58-0x0000000000020000-0x0000000000029000-memory.dmp, Filesize: 36KB
• memory/516-54-0x0000000000878000-0x0000000000889000-memory.dmp, Filesize: 68KB
• memory/1276-60-0x0000000002B90000-0x0000000002BA6000-memory.dmp, Filesize: 88KB
• memory/1276-244-0x0000000002D00000-0x0000000002D16000-memory.dmp, Filesize: 88KB
• memory/1276-194-0x0000000002CD0000-0x0000000002CE6000-memory.dmp, Filesize: 88KB
• memory/1276-76-0x0000000003D90000-0x0000000003DA6000-memory.dmp, Filesize: 88KB
• memory/1276-238-0x0000000003B20000-0x0000000003B36000-memory.dmp, Filesize: 88KB
• memory/1468-234-0x0000000000400000-0x000000000046D000-memory.dmp, Filesize: 436KB
• memory/1472-210-0x0000000000161000-0x0000000000162000-memory.dmp, Filesize: 4KB
• memory/1740-189-0x0000000000838000-0x0000000000849000-memory.dmp, Filesize: 68KB
• memory/2040-187-0x000000000054A000-0x000000000055A000-memory.dmp, Filesize: 64KB
• memory/2040-237-0x0000000000550000-0x0000000000551000-memory.dmp, Filesize: 4KB
• memory/2040-193-0x0000000000400000-0x000000000046D000-memory.dmp, Filesize: 436KB
• memory/2236-114-0x0000000000450000-0x00000000004C4000-memory.dmp, Filesize: 464KB
• memory/2236-115-0x0000000000340000-0x00000000003AB000-memory.dmp, Filesize: 428KB
• memory/2236-111-0x0000000074F81000-0x0000000074F83000-memory.dmp, Filesize: 8KB
• memory/2244-203-0x0000000000066000-0x0000000000067000-memory.dmp, Filesize: 4KB
• memory/2244-200-0x0000000000066000-0x0000000000067000-memory.dmp, Filesize: 4KB
• memory/2244-199-0x0000000000066000-0x0000000000067000-memory.dmp, Filesize: 4KB
• memory/2244-202-0x0000000000066000-0x0000000000067000-memory.dmp, Filesize: 4KB
• memory/2244-224-0x0000000000230000-0x0000000000270000-memory.dmp, Filesize: 256KB
• memory/2244-206-0x0000000000066000-0x0000000000067000-memory.dmp, Filesize: 4KB
• memory/2244-201-0x0000000000066000-0x0000000000067000-memory.dmp, Filesize: 4KB
• memory/2244-205-0x0000000000066000-0x0000000000067000-memory.dmp, Filesize: 4KB
• memory/2244-204-0x0000000000066000-0x0000000000067000-memory.dmp, Filesize: 4KB
• memory/2244-223-0x0000000000600000-0x0000000000640000-memory.dmp, Filesize: 256KB
• memory/2244-222-0x0000000000230000-0x0000000000270000-memory.dmp, Filesize: 256KB
• memory/2244-197-0x0000000000066000-0x0000000000067000-memory.dmp, Filesize:

                                                                                                            4KB

                                                                                                          • memory/2244-219-0x0000000000230000-0x0000000000270000-memory.dmp

                                                                                                            Filesize

                                                                                                            256KB

                                                                                                          • memory/2244-220-0x0000000000230000-0x0000000000270000-memory.dmp

                                                                                                            Filesize

                                                                                                            256KB

                                                                                                          • memory/2244-221-0x0000000000600000-0x0000000000640000-memory.dmp

                                                                                                            Filesize

                                                                                                            256KB

                                                                                                          • memory/2504-118-0x0000000000060000-0x000000000006C000-memory.dmp

                                                                                                            Filesize

                                                                                                            48KB

                                                                                                          • memory/2504-117-0x0000000000070000-0x0000000000077000-memory.dmp

                                                                                                            Filesize

                                                                                                            28KB

                                                                                                          • memory/2604-175-0x0000000000220000-0x0000000000270000-memory.dmp

                                                                                                            Filesize

                                                                                                            320KB

                                                                                                          • memory/2604-138-0x0000000000400000-0x0000000000885000-memory.dmp

                                                                                                            Filesize

                                                                                                            4.5MB

                                                                                                          • memory/2604-150-0x0000000000890000-0x0000000000925000-memory.dmp

                                                                                                            Filesize

                                                                                                            596KB

                                                                                                          • memory/2604-151-0x0000000000400000-0x0000000000885000-memory.dmp

                                                                                                            Filesize

                                                                                                            4.5MB

                                                                                                          • memory/2604-177-0x0000000002440000-0x00000000024D2000-memory.dmp

                                                                                                            Filesize

                                                                                                            584KB

                                                                                                          • memory/2604-176-0x0000000000400000-0x0000000000885000-memory.dmp

                                                                                                            Filesize

                                                                                                            4.5MB

                                                                                                          • memory/2604-149-0x0000000000400000-0x0000000000885000-memory.dmp

                                                                                                            Filesize

                                                                                                            4.5MB

                                                                                                          • memory/2604-173-0x0000000000400000-0x0000000000885000-memory.dmp

                                                                                                            Filesize

                                                                                                            4.5MB

                                                                                                          • memory/2604-147-0x00000000009FE000-0x0000000000A5B000-memory.dmp

                                                                                                            Filesize

                                                                                                            372KB

                                                                                                          • memory/2604-136-0x000000000098A000-0x00000000009FD000-memory.dmp

                                                                                                            Filesize

                                                                                                            460KB

                                                                                                          • memory/2604-137-0x0000000000310000-0x00000000003A7000-memory.dmp

                                                                                                            Filesize

                                                                                                            604KB

                                                                                                          • memory/2632-129-0x0000000076BD0000-0x0000000076C7C000-memory.dmp

                                                                                                            Filesize

                                                                                                            688KB

                                                                                                          • memory/2632-130-0x00000000001D0000-0x0000000000216000-memory.dmp

                                                                                                            Filesize

                                                                                                            280KB

                                                                                                          • memory/2632-65-0x0000000000020000-0x0000000000029000-memory.dmp

                                                                                                            Filesize

                                                                                                            36KB

                                                                                                          • memory/2632-66-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                            Filesize

                                                                                                            436KB

                                                                                                          • memory/2632-63-0x000000000057A000-0x000000000058A000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/2632-124-0x0000000000810000-0x0000000000905000-memory.dmp

                                                                                                            Filesize

                                                                                                            980KB

                                                                                                          • memory/2632-126-0x00000000000F0000-0x00000000000F1000-memory.dmp

                                                                                                            Filesize

                                                                                                            4KB

                                                                                                          • memory/2632-125-0x0000000000810000-0x0000000000905000-memory.dmp

                                                                                                            Filesize

                                                                                                            980KB

                                                                                                          • memory/2632-128-0x0000000076840000-0x0000000076887000-memory.dmp

                                                                                                            Filesize

                                                                                                            284KB

                                                                                                          • memory/2632-127-0x0000000000810000-0x0000000000905000-memory.dmp

                                                                                                            Filesize

                                                                                                            980KB

                                                                                                          • memory/2676-69-0x0000000000568000-0x0000000000578000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/2752-80-0x0000000000020000-0x000000000003C000-memory.dmp

                                                                                                            Filesize

                                                                                                            112KB

                                                                                                          • memory/2752-81-0x0000000000400000-0x0000000000462000-memory.dmp

                                                                                                            Filesize

                                                                                                            392KB

                                                                                                          • memory/2752-79-0x0000000000638000-0x0000000000649000-memory.dmp

                                                                                                            Filesize

                                                                                                            68KB

                                                                                                          • memory/2824-85-0x0000000000A80000-0x0000000000B0A000-memory.dmp

                                                                                                            Filesize

                                                                                                            552KB

                                                                                                          • memory/2824-87-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

                                                                                                            Filesize

                                                                                                            4KB

                                                                                                          • memory/2824-86-0x0000000000A80000-0x0000000000B0A000-memory.dmp

                                                                                                            Filesize

                                                                                                            552KB

                                                                                                          • memory/2824-88-0x0000000000270000-0x0000000000271000-memory.dmp

                                                                                                            Filesize

                                                                                                            4KB

                                                                                                          • memory/2888-168-0x00000000002D0000-0x0000000000360000-memory.dmp

                                                                                                            Filesize

                                                                                                            576KB

                                                                                                          • memory/2888-182-0x00000000752D0000-0x00000000752E7000-memory.dmp

                                                                                                            Filesize

                                                                                                            92KB

                                                                                                          • memory/2888-180-0x0000000074620000-0x00000000747B0000-memory.dmp

                                                                                                            Filesize

                                                                                                            1.6MB

                                                                                                          • memory/2888-179-0x0000000075810000-0x0000000075845000-memory.dmp

                                                                                                            Filesize

                                                                                                            212KB

                                                                                                          • memory/2888-178-0x0000000074AB0000-0x0000000074AC7000-memory.dmp

                                                                                                            Filesize

                                                                                                            92KB

                                                                                                          • memory/2888-171-0x0000000076C80000-0x00000000778CA000-memory.dmp

                                                                                                            Filesize

                                                                                                            12.3MB

                                                                                                          • memory/2888-172-0x0000000004D40000-0x0000000004D41000-memory.dmp

                                                                                                            Filesize

                                                                                                            4KB

                                                                                                          • memory/2888-169-0x0000000076A50000-0x0000000076ADF000-memory.dmp

                                                                                                            Filesize

                                                                                                            572KB

                                                                                                          • memory/2888-167-0x00000000002D0000-0x0000000000360000-memory.dmp

                                                                                                            Filesize

                                                                                                            576KB

                                                                                                          • memory/2888-166-0x0000000075DF0000-0x0000000075F4C000-memory.dmp

                                                                                                            Filesize

                                                                                                            1.4MB

                                                                                                          • memory/2888-164-0x0000000076020000-0x0000000076077000-memory.dmp

                                                                                                            Filesize

                                                                                                            348KB

                                                                                                          • memory/2888-163-0x0000000076840000-0x0000000076887000-memory.dmp

                                                                                                            Filesize

                                                                                                            284KB

                                                                                                          • memory/2888-162-0x0000000076BD0000-0x0000000076C7C000-memory.dmp

                                                                                                            Filesize

                                                                                                            688KB

                                                                                                          • memory/2888-160-0x00000000002D0000-0x0000000000360000-memory.dmp

                                                                                                            Filesize

                                                                                                            576KB

                                                                                                          • memory/2888-159-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                            Filesize

                                                                                                            4KB

                                                                                                          • memory/2888-158-0x00000000002D0000-0x0000000000360000-memory.dmp

                                                                                                            Filesize

                                                                                                            576KB

                                                                                                          • memory/2888-156-0x00000000755B0000-0x00000000755FA000-memory.dmp

                                                                                                            Filesize

                                                                                                            296KB

                                                                                                          • memory/2888-157-0x0000000000190000-0x00000000001D5000-memory.dmp

                                                                                                            Filesize

                                                                                                            276KB

                                                                                                          • memory/2980-93-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                            Filesize

                                                                                                            128KB

                                                                                                          • memory/2980-94-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                            Filesize

                                                                                                            128KB

                                                                                                          • memory/2980-95-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                            Filesize

                                                                                                            128KB

                                                                                                          • memory/2980-96-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                            Filesize

                                                                                                            128KB

                                                                                                          • memory/2980-97-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                            Filesize

                                                                                                            128KB

                                                                                                          • memory/2980-100-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                            Filesize

                                                                                                            128KB

                                                                                                          • memory/2980-101-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                            Filesize

                                                                                                            128KB

                                                                                                          • memory/2980-102-0x00000000004D0000-0x00000000004D1000-memory.dmp

                                                                                                            Filesize

                                                                                                            4KB