Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-11-2024 19:46

General

  • Target

    Optimizer-16.7.exe

  • Size

    2.5MB

  • MD5

    7f57207f221db2b08e27d64bc9121b28

  • SHA1

    3bfc4b12a533ee1ce62e5d348027d4ac90ab49db

  • SHA256

    03a234060541b686ac4265754aff43df9325c21383f90e17f831e67965d717f8

  • SHA512

    7cc44ff1c3210db2478f4e37fef23669f0425b1b1672fc5f53956890daccb84b32fa25c8da9f7ce0cd1deb9e697e46cdae0762a0af818f98b93544b8e39f8a25

  • SSDEEP

    24576:zv5MZtiOMKNOJMv9EC8oJ8VxHuDBjk38WuBcAbwoA/BkjSHXP36RMG:zxMZtiOMK9EC8oa6CSA/Bkj0

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
  • Stops running service(s) 4 TTPs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Power Settings 1 TTPs 2 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Modifies Control Panel 9 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 4 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Optimizer-16.7.exe
    "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.7.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Modifies visibility of file extensions in Explorer
    • Event Triggered Execution: Image File Execution Options Injection
    • Modifies Control Panel
    • Modifies Internet Explorer Phishing Filter
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2736
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\system32\sc.exe
        sc config "RemoteRegistry" start= disabled
        3⤵
        • Launches sc.exe
        PID:1296
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C powercfg -h off
      2⤵
      • Power Settings
      • Suspicious use of WriteProcessMemory
      PID:784
      • C:\Windows\system32\powercfg.exe
        powercfg -h off
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:3008
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Windows\system32\fsutil.exe
        fsutil behavior set disablelastaccess 1
        3⤵
        PID:2332
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\system32\icacls.exe
        icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
        3⤵
        • Modifies file permissions
        PID:2432
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
        3⤵
        PID:1684
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
        3⤵
        PID:1624
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
        3⤵
        PID:3024
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
        3⤵
        PID:3016
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
        3⤵
        PID:1536
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
        3⤵
        PID:1648
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
        3⤵
        PID:2684
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
        3⤵
        PID:2840
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
        3⤵
        PID:2656
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
        3⤵
        PID:2780
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
        3⤵
        PID:2964
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
        3⤵
        PID:2692
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
        3⤵
        PID:2564
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
        3⤵
        PID:2556
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
        3⤵
        PID:2796
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"
        3⤵
        PID:2696
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
        3⤵
        PID:2584
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
        3⤵
        PID:2772
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
        3⤵
        PID:2528
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
        3⤵
        PID:2544
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
        3⤵
        PID:2572
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
        3⤵
        PID:2604
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
        3⤵
        PID:2016
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
        3⤵
        PID:1016
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
        3⤵
        PID:604
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
        3⤵
        PID:2588
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
        3⤵
        PID:1928
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
        3⤵
        PID:2252
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
        3⤵
        PID:2704
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
        3⤵
        PID:880
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
        3⤵
        PID:572
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
        3⤵
        PID:1432
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
        3⤵
        PID:584
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
        3⤵
        PID:1796
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
        3⤵
        PID:2084
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
        3⤵
        PID:2104
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
        3⤵
        PID:2568
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
        3⤵
        PID:2628
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
        3⤵
        PID:2148
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
        3⤵
        PID:2304
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
        3⤵
        PID:1600
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
        3⤵
        PID:2888
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
        3⤵
        PID:2900
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
        3⤵
        PID:1852
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
        3⤵
        PID:1696
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
        3⤵
        PID:1728
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
        3⤵
        PID:2600
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
        3⤵
        PID:2876
      • C:\Windows\system32\schtasks.exe
        schtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable
        3⤵
        PID:2912
      • C:\Windows\system32\schtasks.exe
        schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
        3⤵
        PID:2812
      • C:\Windows\system32\schtasks.exe
        schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
        3⤵
        PID:2748
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\HelloFace\FODCleanupTask"
        3⤵
        PID:2820
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /disable
        3⤵
        PID:2880
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"
        3⤵
        PID:2904
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable
        3⤵
        PID:2916
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"
        3⤵
        PID:3036
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /disable
        3⤵
        PID:3044
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask"
        3⤵
        PID:2936
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /disable
        3⤵
        PID:2308
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Device Information\Device"
        3⤵
        PID:1980
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Device Information\Device" /disable
        3⤵
        PID:1976
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Device Information\Device User"
        3⤵
        PID:1760
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /disable
        3⤵
        PID:1452
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /tn NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
      2⤵
      PID:2392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /change /tn NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
        3⤵
        PID:840
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /tn NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
      2⤵
      PID:1176
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /change /tn NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
        3⤵
        PID:1544
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /tn NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
      2⤵
      PID:1228
                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                  schtasks.exe /change /tn NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
                                                                                                                                                  3⤵
                                                                                                                                                    PID:2400
                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C net.exe stop NvTelemetryContainer
                                                                                                                                                  2⤵
                                                                                                                                                    PID:676
                                                                                                                                                    • C:\Windows\system32\net.exe
                                                                                                                                                      net.exe stop NvTelemetryContainer
                                                                                                                                                      3⤵
                                                                                                                                                        PID:2200
                                                                                                                                                        • C:\Windows\system32\net1.exe
                                                                                                                                                          C:\Windows\system32\net1 stop NvTelemetryContainer
                                                                                                                                                          4⤵
                                                                                                                                                            PID:2356
                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C sc.exe config NvTelemetryContainer start= disabled
                                                                                                                                                        2⤵
                                                                                                                                                          PID:2216
                                                                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                                                                            sc.exe config NvTelemetryContainer start= disabled
                                                                                                                                                            3⤵
                                                                                                                                                            • Launches sc.exe
                                                                                                                                                            PID:2044
                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C sc.exe stop NvTelemetryContainer
                                                                                                                                                          2⤵
                                                                                                                                                            PID:852
                                                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                                                              sc.exe stop NvTelemetryContainer
                                                                                                                                                              3⤵
                                                                                                                                                              • Launches sc.exe
                                                                                                                                                              PID:2228
                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                            "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
                                                                                                                                                            2⤵
                                                                                                                                                              PID:1748
                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:2288
                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:2952
                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                    schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:1280
                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                    cmd /c ""C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.bat""
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:1808
                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                        schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016"
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:1668
                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                          schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016" /disable
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:1880
                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                            schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016"
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:1092
                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                              schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016" /disable
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:1108
                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack"
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:2348
                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                  schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack" /disable
                                                                                                                                                                                  3⤵
                                                                                                                                                                                    PID:1056
                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn"
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:2056
                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                      schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn" /disable
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:108
                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                        reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:940
                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                          reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:1712
                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                            reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:2492
                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
                                                                                                                                                                                              3⤵
                                                                                                                                                                                                PID:784
                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:2320
                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                  reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                    PID:272
                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                    reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:2440
                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                      reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:1604
                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                        reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:1956
                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                          reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:2328
                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                            reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:2432
                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:1240
                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
      3⤵
        PID:2036
    • C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
      3⤵
        PID:1004
    • C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
      3⤵
        PID:2336
    • C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
      3⤵
        PID:2008
    • C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
      3⤵
        PID:908
    • C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
      3⤵
        PID:2636
  • C:\Windows\regedit.exe
    "C:\Windows\regedit.exe" /s "C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.reg"
    2⤵
    • Runs .reg file with regedit
      PID:1684
  • C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /r /t 0
    2⤵
    • Suspicious use of AdjustPrivilegeToken
      PID:1532
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
  1⤵
    PID:1196
• C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  1⤵
    PID:2848
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x474
  1⤵
  • Suspicious use of AdjustPrivilegeToken
    PID:2740
• C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x1
  1⤵
    PID:596
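
The reg.exe, regedit.exe and shutdown.exe entries above are the parts of this tree a detection engineer would key on: per-user Office telemetry values zeroed one by one, a silent .reg import from C:\ProgramData, then an immediate reboot. As an added example (not part of the report and not the Optimizer tool's own code), the Python below reproduces those command lines as constructed process-creation events and runs three rules over them; the (pid, image, cmdline) event layout, the rule names and the value list are assumptions for illustration.

```python
"""Flag the Office-telemetry tampering, silent .reg import and forced reboot
seen in the process tree above.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the command lines the report shows; the (pid, image, cmdline) layout,
the rule names and the value list are assumptions for illustration.
"""
import re

# Constructed from the report's process tree: (pid, image path, command line).
SAMPLE_EVENTS = [
    (2036, r"C:\Windows\system32\reg.exe",
     r'reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f'),
    (2336, r"C:\Windows\system32\reg.exe",
     r'reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f'),
    (908, r"C:\Windows\system32\reg.exe",
     r'reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f'),
    (1684, r"C:\Windows\regedit.exe",
     r'"C:\Windows\regedit.exe" /s "C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.reg"'),
    (1532, r"C:\Windows\System32\shutdown.exe",
     r'"C:\Windows\System32\shutdown.exe" /r /t 0'),
    (1196, r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding"),
    (2740, r"C:\Windows\system32\AUDIODG.EXE",
     r"C:\Windows\system32\AUDIODG.EXE 0x474"),
]

# reg add "<key>" /v "<name>" /t <type> /d <data> [/f]
REG_ADD = re.compile(
    r'^\s*reg(?:\.exe)?\s+add\s+"?(?P<key>[^"]+?)"?\s+/v\s+"?(?P<name>[^"\s]+)"?'
    r'\s+/t\s+(?P<type>\S+)\s+/d\s+"?(?P<data>[^"\s]+)"?',
    re.IGNORECASE,
)

# Per-user Office keys and the values the sample zeroes to silence telemetry.
OFFICE_PREFIX = r"HKCU\SOFTWARE\MICROSOFT\OFFICE"
TELEMETRY_VALUES = {"VERBOSELOGGING", "QMENABLE", "ENABLED"}


def parse_reg_add(cmdline):
    """Return key/name/type/data for a 'reg add' command line, or None."""
    m = REG_ADD.match(cmdline)
    return m.groupdict() if m else None


def classify(image, cmdline):
    """Map one process-creation event to a rule name, or None if nothing fires."""
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe == "reg.exe":
        p = parse_reg_add(cmdline)
        if (p and p["key"].upper().startswith(OFFICE_PREFIX)
                and p["name"].upper() in TELEMETRY_VALUES and p["data"] == "0"):
            return "office_telemetry_disable"
        return None
    if exe == "regedit.exe" and re.search(r"\s/s\b", cmdline, re.IGNORECASE):
        # /s imports the file without the confirmation prompt a user would otherwise see
        return "silent_reg_import"
    if (exe == "shutdown.exe" and re.search(r"\s/r\b", cmdline, re.IGNORECASE)
            and re.search(r"\s/t\s+0\b", cmdline, re.IGNORECASE)):
        # /r with a zero timeout reboots at once, cutting off any in-progress response
        return "immediate_reboot"
    return None


def scan(events):
    """Return [(pid, rule)] for every event that matches a rule, in input order."""
    findings = []
    for pid, image, cmdline in events:
        rule = classify(image, cmdline)
        if rule is not None:
            findings.append((pid, rule))
    return findings


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

The rundll32.exe and AUDIODG.EXE events are included so the rules can be seen not firing on the ordinary depth-1 processes in the same tree; in production the reg.exe rule should be widened with whatever other telemetry paths your Office build uses, since the sample writes both the versionless and the 15.0/16.0 keys.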

                                                                                                                                                                                                                            Network

                                                                                                                                                                                                                            MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                            Downloads
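
The entries below list each dropped file with its size and hashes in a flattened label/value layout, and the same path (Optimizer.log) appears several times because the sandbox captured successive versions of the file. As an added example, not part of the report and not the Optimizer tool's own code, the Python below parses an excerpt of those entries into IOC records, groups the versions by path, and matches an artifact's bytes against them. The excerpt copies three entries from the page and omits some of their hash lines for brevity; the record layout and the helper names are assumptions.

```python
"""Turn the report's "Downloads" entries into IOC records and match collected
artifacts against them.

Added example, not part of the sandbox report. DOWNLOADS_TEXT is an excerpt
copied from the page in its flattened label/value layout (some hash lines
omitted); the record layout and helper names are assumptions.
"""
import hashlib
from collections import defaultdict

DOWNLOADS_TEXT = r"""
• C:\ProgramData\Optimizer\Optimizer.json

  Filesize

  2KB

  MD5

  badaa6ac02c7da6752314b8487cb81f9

  SHA256

  d947a75908d8cfa06dc8bd580a80037f20329896646839015ea49bc47e0c9b06

• C:\ProgramData\Optimizer\Optimizer.log

  Filesize

  665B

  MD5

  56055e8bd9ac8f09abdcde0027d22f6e

  SHA256

  cb8572ae3492d48d14875a8d6f70ea5101a777c028eee2f5b82c45f0bd3e926e

• C:\ProgramData\Optimizer\Optimizer.log

  Filesize

  102B

  MD5

  a4c6cbdf479234773a1194ee13cd5334

  SHA256

  425026be8f4413e2c3b22bde846aa094cbe517d2cc5ce4c7a89d1ed029916a77
"""

# Label line on the page -> field name in the record.
LABELS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1",
          "SHA256": "sha256", "SHA512": "sha512"}


def parse_downloads(text):
    """Parse bullet/label/value lines into a list of {path, size, md5, ...} dicts."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):            # a new dropped-file entry
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in LABELS:                # a label; the next non-blank line is its value
            pending = LABELS[line]
        elif current is not None and pending is not None:
            current[pending] = line if pending == "size" else line.lower()
            pending = None
    return records


def versions_by_path(records):
    """Group records by path; a path with several records was rewritten during the run."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["path"]].append(rec)
    return dict(groups)


def fingerprint(data):
    """Hashes of an artifact in the same four algorithms the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def identify(data, records):
    """Return the record whose SHA256 matches the bytes (MD5 only if no SHA256 is recorded), else None."""
    fp = fingerprint(data)
    for rec in records:
        if rec.get("sha256"):
            if rec["sha256"] == fp["sha256"]:
                return rec
        elif rec.get("md5") == fp["md5"]:
            return rec
    return None


if __name__ == "__main__":
    recs = parse_downloads(DOWNLOADS_TEXT)
    for path, versions in versions_by_path(recs).items():
        print(f"{path}: {len(versions)} version(s)")
```

Matching on SHA256 first and falling back to MD5 only when the report gives nothing stronger avoids treating an MD5 collision as a positive identification; a log file that grows during the run will produce one record per captured size, which is why the grouping step matters when you compare against a host image taken at an unknown point in the run.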

• C:\ProgramData\Optimizer\Optimizer.json
    Filesize  2KB
    MD5       badaa6ac02c7da6752314b8487cb81f9
    SHA1      bdbfec2d40a7ef3a95df4ed4c295b2a498125efc
    SHA256    d947a75908d8cfa06dc8bd580a80037f20329896646839015ea49bc47e0c9b06
    SHA512    0d4adc49fc792526fc882d318598d3ddd86a00a9267a855a017ffb5c9853dc89a07cf904672860b4accecd1f5a4d55822cdf418d885aec51116ca9ef915ac867

• C:\ProgramData\Optimizer\Optimizer.log
    Filesize  665B
    MD5       56055e8bd9ac8f09abdcde0027d22f6e
    SHA1      321b08fdab5128328b11e404c2379268774a691f
    SHA256    cb8572ae3492d48d14875a8d6f70ea5101a777c028eee2f5b82c45f0bd3e926e
    SHA512    7e3954ec4edbacfe0b4bebbd2caa4d426f82119914997d87aceb809962fbbd01c556f99e60fefbb7886bd089dff9709ddd37c259a1b59b3fbbff2fa87fc96398

• C:\ProgramData\Optimizer\Optimizer.log
    Filesize  1KB
    MD5       269130fa4075bdbab778bbccdc7ceef6
    SHA1      ff961ccb075e666cace57ed4f2f06bf7d2c557e8
    SHA256    a6d67b08c0481e0fe201a6ae660aa7099e4de514a12fafe5eae67ae52f698b01
    SHA512    4a2b47e1a1eb05e0ffc4e5c3a437ae599596d3cb4c0764f2614091b353bdee0e15dd05a2d82648ed70ae7430b887bcbc15fec05c96f40b94b062cf11a4cee480

• C:\ProgramData\Optimizer\Optimizer.log
    Filesize  1KB
    MD5       12645abb1bfa4aaaa6cd497d724b23a6
    SHA1      9e90626292863dfdc58511122afd0759a9393002
    SHA256    c7797ad242377b4a2ef2eb3c01e417e845df5840929bf797aab8952d6c2683c8
    SHA512    c4e5a2af5164048c7e272ee336d0cd19985bef6a62e784bab5176144e4579b84d8226b30611fb8df50534f775a0a5508533e6147e55dc91785141aee563254e4

• C:\ProgramData\Optimizer\Optimizer.log
    Filesize  1KB
    MD5       03626d47c0fe05cdd3e97cb73e30ce07
    SHA1      a2f62aedc5eb562ba9fac71415574ee10663ad3f
    SHA256    c0798b61a3e647f67a50a30d5f4ecf0ec013f6155a9eaeef458bab81d2482ee1
    SHA512    0e6c68c399f96411a1e6c28a4a251ce0fd236c886b353c592e94539817f50da052571d4825ed9f9acd5da7ad26266633d53edfd875493fe84108b54988c30601

• C:\ProgramData\Optimizer\Optimizer.log
    Filesize  1KB
    MD5       475ecefa2567bf298f0916a7c6a56995
    SHA1      22b00217f5febc1e7342173f711e3ee3dfbb7079
    SHA256    8313e1cb06699835332921a2baf5c1ad7a1f1371c30d60a43db86e6bf05fb553
    SHA512    be1352f71bfe2b9053b13494e2213c32cd4a28633d4527c0be105acc5981d1f23662962a2fc130c535bd111421b2feb7950d198e4b083ddc2038823a509495dd

• C:\ProgramData\Optimizer\Optimizer.log
    Filesize  102B
    MD5       a4c6cbdf479234773a1194ee13cd5334
    SHA1      2f735f7bde2d52f2dfc73b2b13b34848bef5fbb3
    SHA256    425026be8f4413e2c3b22bde846aa094cbe517d2cc5ce4c7a89d1ed029916a77
    SHA512    fc07bbcbe6f5e195f69ace4a9371054dadb2d327428e08b1420c8d61224b52e9682bcde17693f36b880d870f02a5ea22913f16cc362bce85cc39d4cb47bd66f6

• C:\ProgramData\Optimizer\Optimizer.log
    Filesize  297B
    MD5       c789a164b02340a363722de0f79b0bb3
    SHA1      3b6d4f69f467d817f5ae5818bf399c0cceb6421e
    SHA256    0b36c095deb27470d32abb973098eb2836f83f4e21b72d925abda161db709c2d
    SHA512    ac6a8ebae1a1478e4b31ccdd0bcaeb63922b712ed52230115377a20d2568df3541a3f2f43c62a6f95f5defb27adf240791d6dd9f225edb2ccc3084dd76d36ccb

                                                                                                                                                                                                                            • C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.bat

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              fed75b5cb9d9f4ec5ee22b8fd304ccf7

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              1b4bdac9ac71fdee3bae90e52fcec60c88d7fa9d

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              d884c0d04ba09b113d9439d2f8c0b7ed322111ae2e3ed802f6a95278ff8e0ac2

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              36bed8311050f8c79e766678c59bb65177630279af8b4d2302aaf6146157887e1fb744785ac7f3290519778a592fb4d90fb7b7b9420e7346efdfec1085bf34e9

                                                                                                                                                                                                                            • C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.reg

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              648B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              7f7b192506491e4105e2ae1cf5ea9067

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              5dafd2516bd4a4b3d230624f8ea590f640e2c381

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              41cf9db9e395349b94ec7a1ee99db68062f27bf95c3b364aa6b035dc39ff1dc0

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              5fcfbec12316f24bdbadb3d4a018945de9afb849fcfc026e601728b1dce107eaf1b8ce56d5e646461006a45bb305f16e3160d760649f7716b70a3e2fd195763f

                                                                                                                                                                                                                            • C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              5KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              cb03c3144aaff8fb1c3497c403c2b60f

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              ba4380abb20eaaeb638cdb142452def731817212

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              abd9b7c86e9186c4af174c2a630629588ec89a716d3ff04d357d2610e490c8d3

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              d76cf1fa9662bbafc931eb3720213e30a99de34ae0d92ff90a52a761555fc934fc9822c6beeddb882fabf990b30b17e8bf35b8acbc9d9898618d38fc259e9660

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Cab2416.tmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              70KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              1723be06719828dda65ad804298d0431f6aff976

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Tar2438.tmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              181KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              4ea6026cf93ec6338144661bf1202cd1

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                                                                                                                                                                                            • memory/2736-27-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4KB

                                                                                                                                                                                                                            • memory/2736-0-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4KB

                                                                                                                                                                                                                            • memory/2736-178-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                                            • memory/2736-179-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                                            • memory/2736-180-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                                            • memory/2736-181-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                                            • memory/2736-28-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                                            • memory/2736-33-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                                            • memory/2736-26-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                                            • memory/2736-25-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                                            • memory/2736-23-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                                            • memory/2736-2-0x000000001AFE0000-0x000000001B092000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              712KB

                                                                                                                                                                                                                            • memory/2736-1-0x0000000000FB0000-0x000000000122A000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.5MB

                                                                                                                                                                                                                            • memory/2736-222-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              9.9MB
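The dropped-file and memory-dump listing above is only useful once it is turned into something a host triage can act on. The Python below is an added example, not part of the sandbox report or of the Optimizer project: it parses the report's own bullet / label / value layout into records, builds a hash index from the file entries, decodes the `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` names into address ranges, and cross-checks each stated `Filesize` against `end - start`. Two things are assumptions: that sizes use 1024-based units (this is consistent with every value on the page, e.g. 0x000000001B092000 - 0x000000001AFE0000 = 0xB2000 = 712 × 1024 bytes), and the sample text, which is constructed from a handful of the entries above rather than fed from the live report.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample in the report's own layout (bullet line naming the artifact,
# then alternating label / value lines). Values are copied from entries on the page.
SAMPLE_REPORT = r"""
• C:\ProgramData\Optimizer\Optimizer.log
Filesize
297B
MD5
c789a164b02340a363722de0f79b0bb3
SHA1
3b6d4f69f467d817f5ae5818bf399c0cceb6421e
SHA256
0b36c095deb27470d32abb973098eb2836f83f4e21b72d925abda161db709c2d
SHA512
ac6a8ebae1a1478e4b31ccdd0bcaeb63922b712ed52230115377a20d2568df3541a3f2f43c62a6f95f5defb27adf240791d6dd9f225edb2ccc3084dd76d36ccb
• C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.reg
Filesize
648B
MD5
7f7b192506491e4105e2ae1cf5ea9067
SHA256
41cf9db9e395349b94ec7a1ee99db68062f27bf95c3b364aa6b035dc39ff1dc0
• memory/2736-2-0x000000001AFE0000-0x000000001B092000-memory.dmp
Filesize
712KB
• memory/2736-178-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp
Filesize
9.9MB
• memory/2736-1-0x0000000000FB0000-0x000000000122A000-memory.dmp
Filesize
2.5MB
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumption: binary units


@dataclass
class Artifact:
    name: str
    size: str = ""
    hashes: dict = field(default_factory=dict)


def parse_report(text):
    """Turn the bullet / label / value listing into Artifact records.
    Hash values of the wrong length for their label are dropped rather than trusted."""
    artifacts, cur, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            cur = Artifact(name=line[1:].strip())
            artifacts.append(cur)
            label = None
        elif line in LABELS:
            label = line
        elif cur is not None and label is not None:
            if label == "Filesize":
                cur.size = line
            elif len(line) == HASH_LEN[label] and re.fullmatch(r"[0-9a-fA-F]+", line):
                cur.hashes[label] = line.lower()
            label = None
    return artifacts


def size_to_bytes(size):
    """'297B', '2KB', '9.9MB' -> bytes, using the binary units assumed above."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)", size)
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return float(m.group(1)) * UNIT[m.group(2)]


def memory_region(name):
    """Decode memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp; None for file entries."""
    m = MEM_RE.match(name)
    if not m:
        return None
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "index": int(idx), "start": start, "end": end, "length": end - start}


def size_mismatches(artifacts, tolerance=0.05):
    """Names of memory entries whose stated Filesize disagrees with end - start."""
    bad = []
    for a in artifacts:
        region = memory_region(a.name)
        if region is None or not a.size:
            continue
        stated = size_to_bytes(a.size)
        if abs(region["length"] - stated) > tolerance * stated:
            bad.append(a.name)
    return bad


def hash_index(artifacts):
    """(ALGO, hexdigest) -> artifact name; memory dumps carry no hashes and are skipped."""
    return {(algo, h): a.name for a in artifacts for algo, h in a.hashes.items()}


def match_bytes(data, index):
    """Hash data with every algorithm the index knows and report which artifacts it equals."""
    hits = []
    for algo in ("MD5", "SHA1", "SHA256", "SHA512"):
        key = (algo, hashlib.new(algo.lower(), data).hexdigest())
        if key in index:
            hits.append((algo, index[key]))
    return hits


def scan_file(path, index):
    with open(path, "rb") as f:
        return match_bytes(f.read(), index)


if __name__ == "__main__":
    arts = parse_report(SAMPLE_REPORT)
    for a in arts:
        r = memory_region(a.name)
        print(a.name, a.size, f"0x{r['length']:X} bytes" if r else a.hashes.get("SHA256"))
    print("size mismatches:", size_mismatches(arts))
```

Feed `hash_index(parse_report(...))` to `scan_file` against `C:\ProgramData\Optimizer\` on a suspect host to confirm the same `.bat`/`.reg` helpers landed there. Treat the `Cab2416.tmp`/`Tar2438.tmp` pair with caution as indicators: `Cab*.tmp` and `Tar*.tmp` in the user's Temp folder are commonly written by Windows' own certificate-trust-list refresh rather than by the sample, so they tend to match clean machines too.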